Debian Bug report logs - #339431
CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code

version graph

Package: gtk+2.0; Maintainer for gtk+2.0 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 16 Nov 2005 09:18:09 UTC

Severity: grave

Tags: fixed, fixed-in-experimental, patch, security

Fixed in versions gtk+2.0/2.6.10-2, gtk+2.0/2.8.9-2

Done: Sebastien Bacher <seb128@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Sebastien Bacher <seb128@debian.org>:
Bug#339431; Package gtk+2.0. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Sebastien Bacher <seb128@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Date: Wed, 16 Nov 2005 10:17:24 +0100
Package: gtk+2.0
Severity: grave
Tags: security
Justification: user security hole

An integer overflow in gdk-pixbuf's XPM rendering code can be exploited
to overwrite the heap and exploit arbitrary code through crafted images.
Please see www.idefense.com/application/poi/display?id=339&type=vulnerabilities
for more details.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#339431; Package gtk+2.0. Full text and rfc822 format available.

Acknowledgement sent to Loic Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. Full text and rfc822 format available.

Message #10 received at 339431@bugs.debian.org (full text, mbox):

From: Loic Minier <lool@dooz.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 339431@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Date: Wed, 16 Nov 2005 13:45:13 +0100
tags 339431 + patch
thanks

On Wed, Nov 16, 2005, Moritz Muehlenhoff wrote:
> An integer overflow in gdk-pixbuf's XPM rendering code can be exploited
> to overwrite the heap and exploit arbitrary code through crafted images.
> Please see www.idefense.com/application/poi/display?id=339&type=vulnerabilities
> for more details.

 Redhat's bug report for CVE-2005-3186 with a patch attached:
    <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=171071>

 Did you identify other packages with a copy of this code?  In
 particular, did you check Gtk 1?

 The Redhat security advisory also fixes CVE-2005-2975, for which I see
 no entry in the Debian changelog, could you please investifate on this
 id and report whether gtk1 and gtk2 are affected for Debian?

 Redhat's advisories:
    <http://rhn.redhat.com/errata/RHSA-2005-810.html>
    <http://rhn.redhat.com/errata/RHSA-2005-811.html>

 Redhat bug for CVE-2005-2975 with two patches attached:
    <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=171900>

   Cheers,
-- 
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS!    When do we want it? BRAINS!"



Tags added: patch Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#339431; Package gtk+2.0. Full text and rfc822 format available.

Acknowledgement sent to Loic Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. Full text and rfc822 format available.

Message #17 received at 339431@bugs.debian.org (full text, mbox):

From: Loic Minier <lool@dooz.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 339431@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Date: Wed, 16 Nov 2005 14:05:11 +0100
 Security team, did you start work on CVE-2005-3186 and CVE-2005-2975,
 CVE-2005-2976 (not described in this report)?  Ubuntu has released some
 packages which might help <http://www.ubuntu.com/usn/usn-216-1>.

 Do you need the Gtk maintainers to prepare an upload for stable?
 Uploads are being prepared for unstable and experimental by Sebastien
 Bacher (thanks Seb).

   Cheers,
-- 
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS!    When do we want it? BRAINS!"



Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#339431; Package gtk+2.0. Full text and rfc822 format available.

Acknowledgement sent to Loic Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. Full text and rfc822 format available.

Message #22 received at 339431@bugs.debian.org (full text, mbox):

From: Loic Minier <lool@dooz.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 339431@bugs.debian.org, control@bugs.debian.org, gdk-pixbuf@packages.debian.org
Subject: Re: Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Date: Wed, 16 Nov 2005 14:05:25 +0100
clone 339431 -1
reassign -1 gdk-pixbuf
thanks

        Hi,

 I believe gdk-pixbuf is affected as well.  I suppose you can grab
 useful patches from the Ubuntu security fixes:
    <http://www.ubuntu.com/usn/usn-216-1>

   Cheers,
-- 
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS!    When do we want it? BRAINS!"



Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#339431; Package gtk+2.0. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. Full text and rfc822 format available.

Message #27 received at 339431@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Loic Minier <lool@dooz.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 339431@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Date: Wed, 16 Nov 2005 13:08:38 +0000
On Wed, Nov 16, 2005 at 02:05:11PM +0100, Loic Minier wrote:
>  Security team, did you start work on CVE-2005-3186 and CVE-2005-2975,
>  CVE-2005-2976 (not described in this report)?  Ubuntu has released some
>  packages which might help <http://www.ubuntu.com/usn/usn-216-1>.

>  Do you need the Gtk maintainers to prepare an upload for stable?

  That would certainly be appreciated.

Steve
--



Bug 339431 cloned as bug 339458. Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#339431; Package gtk+2.0. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. Full text and rfc822 format available.

Message #34 received at 339431@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Loic Minier <lool@dooz.org>
Cc: 339431@bugs.debian.org
Subject: Re: Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Date: Wed, 16 Nov 2005 14:52:08 +0100
Loic Minier wrote:
> > An integer overflow in gdk-pixbuf's XPM rendering code can be exploited
> > to overwrite the heap and exploit arbitrary code through crafted images.
> > Please see www.idefense.com/application/poi/display?id=339&type=vulnerabilities
> > for more details.
> 
>  Did you identify other packages with a copy of this code?  In
>  particular, did you check Gtk 1?

gdk-pixbuf from GTK1 is affected by CVE-2005-3186; the vulnerable code is
present in io-xpm.c:359 

>  The Redhat security advisory also fixes CVE-2005-2975, for which I see
>  no entry in the Debian changelog, could you please investifate on this
>  id and report whether gtk1 and gtk2 are affected for Debian?
> 
>  Redhat's advisories:
>     <http://rhn.redhat.com/errata/RHSA-2005-810.html>
>     <http://rhn.redhat.com/errata/RHSA-2005-811.html>
> 
>  Redhat bug for CVE-2005-2975 with two patches attached:
>     <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=171900>

This is all for sid:

gdk-pixbuf is both vulnerable to the integer overflow in pixels calculation
(io-xpm.c:413), as to the endless loop DoS attack (io-xpm:284).

gtk+2.0 is not vulnerable to the integer overflow in pixels calculation,
as it allocates pixbuf through gdk_pixbuf_new(), but is vulnerable to the
endless loop DoS (io-xpm.c:1170).

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#339431; Package gtk+2.0. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. Full text and rfc822 format available.

Message #39 received at 339431@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Loic Minier <lool@dooz.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 339431@bugs.debian.org
Subject: Re: Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Date: Wed, 16 Nov 2005 15:20:13 +0100
Loic Minier wrote:
>  The Redhat security advisory also fixes CVE-2005-2975, for which I see
>  no entry in the Debian changelog, could you please investifate on this
>  id and report whether gtk1 and gtk2 are affected for Debian?

The vulnerability matrix for Woody and Sarge (the entries are the line
numbers in io-xpm.c, where the vulnerable code is present):


               Woody gtk2   Woody gdk-pixbuf   Sarge gtk2   Sarge gdk-pixbuf
CVE-2005-2975    1170         284                1170         284
CVE-2005-2976    1317         413                ----         413
CVE-2005-3186    1255         359                1256         359

Cheers,
        Moritz



Tags added: fixed-in-experimental Request was from Sebastien Bacher <seb128@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Sebastien Bacher <seb128@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #46 received at 339431-close@bugs.debian.org (full text, mbox):

From: Sebastien Bacher <seb128@debian.org>
To: 339431-close@bugs.debian.org
Subject: Bug#339431: fixed in gtk+2.0 2.6.10-2
Date: Wed, 16 Nov 2005 09:17:08 -0800
Source: gtk+2.0
Source-Version: 2.6.10-2

We believe that the bug you reported is fixed in the latest version of
gtk+2.0, which is due to be installed in the Debian FTP archive:

gtk+2.0_2.6.10-2.diff.gz
  to pool/main/g/gtk+2.0/gtk+2.0_2.6.10-2.diff.gz
gtk+2.0_2.6.10-2.dsc
  to pool/main/g/gtk+2.0/gtk+2.0_2.6.10-2.dsc
gtk2-engines-pixbuf_2.6.10-2_i386.deb
  to pool/main/g/gtk+2.0/gtk2-engines-pixbuf_2.6.10-2_i386.deb
gtk2.0-examples_2.6.10-2_i386.deb
  to pool/main/g/gtk+2.0/gtk2.0-examples_2.6.10-2_i386.deb
libgtk2.0-0-dbg_2.6.10-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-0-dbg_2.6.10-2_i386.deb
libgtk2.0-0_2.6.10-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-0_2.6.10-2_i386.deb
libgtk2.0-bin_2.6.10-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-bin_2.6.10-2_i386.deb
libgtk2.0-common_2.6.10-2_all.deb
  to pool/main/g/gtk+2.0/libgtk2.0-common_2.6.10-2_all.deb
libgtk2.0-dev_2.6.10-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-dev_2.6.10-2_i386.deb
libgtk2.0-doc_2.6.10-2_all.deb
  to pool/main/g/gtk+2.0/libgtk2.0-doc_2.6.10-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 339431@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Bacher <seb128@debian.org> (supplier of updated gtk+2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 16 Nov 2005 16:56:39 +0100
Source: gtk+2.0
Binary: libgtk2.0-dev libgtk2.0-0-dbg gtk2-engines-pixbuf libgtk2.0-0 libgtk2.0-doc gtk2.0-examples libgtk2.0-bin libgtk2.0-common
Architecture: source i386 all
Version: 2.6.10-2
Distribution: unstable
Urgency: medium
Maintainer: Sebastien Bacher <seb128@debian.org>
Changed-By: Sebastien Bacher <seb128@debian.org>
Description: 
 gtk2-engines-pixbuf - Pixbuf-based theme for GTK+ 2.x
 gtk2.0-examples - Examples files for the GTK+ 2.0
 libgtk2.0-0 - The GTK+ graphical user interface library
 libgtk2.0-0-dbg - The GTK+ libraries and debugging symbols
 libgtk2.0-bin - The programs for the GTK+ graphical user interface library
 libgtk2.0-common - Common files for the GTK+ graphical user interface library
 libgtk2.0-dev - Development files for the GTK+ library
 libgtk2.0-doc - Documentation for the GTK+ graphical user interface library
Closes: 309437 315083 323209 339431
Changes: 
 gtk+2.0 (2.6.10-2) unstable; urgency=medium
 .
   [ Sebastien Bacher ]
   * Patch from Ubuntu update, thanks Martin Pitt.
   * SECURITY UPDATE: Arbitrary code execution and DoS.
   * Add debian/patches/010_xpm-colors-overflow_CVE-2005-3186.patch:
     - io-xpm.c: Add check to XPM reader to prevent integer overflow for
     specially crafted number of colors (Closes: #339431).
     - CVE-2005-3186
   * Add debian/patches/011_xpm-colors-loop_CVE-2005-2975.patch:
     - io-xpm.c: Fix endless loop with specially crafted number of colors.
     - CVE-2005-2975
 .
   * debian/rules:
     - fix confusing cp usage.
 .
   [ Loic Minier ]
 .
   * Update FSF address. [debian/copyright]
   * Remove "Copyright:" line, the whole file expresses the copyright already.
     (Closes: #323209) [debian/copyright]
   * Backport patch from the 2.8 branch removing the warning introduced
     somewhere in 2.6 when length wraps in calculation in gdk_property_get.
     (Closes: #315083) [debian/patches/064_gdk-property-get-no-warning.patch]
   * Add ${misc:Depends} to all packages.
   * Remove libgtk2.0-0 dependency from libgtk2.0-common to break the circular
     dependency; cross your fingers, don't hold your breath. (Closes: #309437)
Files: 
 3563b30a4289c32184c55ba195036708 2141 libs optional gtk+2.0_2.6.10-2.dsc
 6b971feecb17c4791472aa96acdea3a3 47597 libs optional gtk+2.0_2.6.10-2.diff.gz
 7c5d80d99cae36830180239b26a493fa 3138308 misc optional libgtk2.0-common_2.6.10-2_all.deb
 af323f59755f3e06ffae3e6b13d3e3aa 2328124 doc optional libgtk2.0-doc_2.6.10-2_all.deb
 eb201ab2646f4cea2663316c08514ed2 2052200 libs optional libgtk2.0-0_2.6.10-2_i386.deb
 894a6ec816c55e5bc085d911a55afb8f 18192 misc optional libgtk2.0-bin_2.6.10-2_i386.deb
 fae0ba120610c486f2a5515eeb61f351 2208758 libdevel optional libgtk2.0-dev_2.6.10-2_i386.deb
 7f70323d835bea802bafd6096a610992 3533168 libdevel extra libgtk2.0-0-dbg_2.6.10-2_i386.deb
 4dc3b71e3311d5cffa8496d6790f924b 281144 x11 extra gtk2.0-examples_2.6.10-2_i386.deb
 2e7ece79ea1ec06a22a05de5cf3e7057 65358 graphics optional gtk2-engines-pixbuf_2.6.10-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDe2QPQxo87aLX0pIRAqNNAJ90/qfcwJjzU3NaowscTVjDY79lZwCgr1jX
1s2lgI1Zb20EQSzGlh2jTDg=
=nUeE
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#339431; Package gtk+2.0. Full text and rfc822 format available.

Acknowledgement sent to Loic Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. Full text and rfc822 format available.

Message #51 received at 339431@bugs.debian.org (full text, mbox):

From: Loic Minier <lool@dooz.org>
To: Steve Kemp <skx@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 339431@bugs.debian.org, team@security.debian.org, control@bugs.debian.org
Subject: Re: Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Date: Sun, 20 Nov 2005 22:09:18 +0100
tags 339431 + pending patch
thanks

        Hi,

 Sorry for the delay.  You can grab the proposed fixes in:
    <http://people.dooz.org/~lool/debian/gtk-gdk-cves.tgz> (87M)
     MD5: 56148df50af6e28beaca57e4fa3bf6cc

 I found the vulnerability matrix by Moritz Muehlenhoff useful:
               Woody gtk2   Woody gdk-pixbuf   Sarge gtk2   Sarge gdk-pixbuf
CVE-2005-2975    1170         284                1170         284
CVE-2005-2976    1317         413                ----         413
CVE-2005-3186    1255         359                1256         359

Fixed-in:  2.0.2-5woody2.1  0.17.0-2woody2.1   2.6.4-3.1    0.22.0-8.1

 Let me know if you have issues with this.

   Cheers,
-- 
Loïc Minier <lool@dooz.org>



Tags added: pending, patch Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#339431; Package gtk+2.0. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. Full text and rfc822 format available.

Message #58 received at 339431@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Loic Minier <lool@dooz.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 339431@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Date: Mon, 21 Nov 2005 07:46:15 +0100
Loic Minier wrote:
>  Sorry for the delay.  You can grab the proposed fixes in:
>     <http://people.dooz.org/~lool/debian/gtk-gdk-cves.tgz> (87M)
>      MD5: 56148df50af6e28beaca57e4fa3bf6cc

Thanks a lot!  Packages are building already.

>  I found the vulnerability matrix by Moritz Muehlenhoff useful:
>                Woody gtk2   Woody gdk-pixbuf   Sarge gtk2   Sarge gdk-pixbuf
> CVE-2005-2975    1170         284                1170         284
> CVE-2005-2976    1317         413                ----         413
> CVE-2005-3186    1255         359                1256         359

What's the meaning of the numbers above?

I had to rebuild the woody packages since you've built them for
'stable-security' instead of 'oldstable-security', and by that
I've also used woody3 instead of woody2.1, so the version is not
needlessly prolongued.

Could you tell us as well which versions in sid fix these problems?

Regards,

	Joey

-- 
If you come from outside of Finland, you live in wrong country.
	-- motd of irc.funet.fi

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#339431; Package gtk+2.0. Full text and rfc822 format available.

Acknowledgement sent to Loic Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. Full text and rfc822 format available.

Message #63 received at 339431@bugs.debian.org (full text, mbox):

From: Loic Minier <lool@dooz.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 339431@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Date: Mon, 21 Nov 2005 08:22:49 +0100
On Mon, Nov 21, 2005, Martin Schulze wrote:
> >  I found the vulnerability matrix by Moritz Muehlenhoff useful:
> >                Woody gtk2   Woody gdk-pixbuf   Sarge gtk2   Sarge gdk-pixbuf
> > CVE-2005-2975    1170         284                1170         284
> > CVE-2005-2976    1317         413                ----         413
> > CVE-2005-3186    1255         359                1256         359
> What's the meaning of the numbers above?

 Line numbers of the problematic code, but I found it useful to find out
 which version are affected (all CVEs are present in all packages, all
 dists, except 2976 in sarge Gtk2).

> I had to rebuild the woody packages since you've built them for
> 'stable-security' instead of 'oldstable-security'

 Yes, I awoke in my sleep when I thought about that this night.

> Could you tell us as well which versions in sid fix these problems?

 Yes, I checked sid's gdk-pixbuf, and it adresses all 3 CVEs since
 version 0.22.0-11.  I only checked sid's gtk 2.6.10 this morning, and
 it was only vulnerable to CVE-2005-3186 and CVE-2005-2975 (not to
 CVE-2005-2976), like the sarge gtk, and was fixed in 2.6.10-2.

 FYI, it was also fixed in experimental with a new upstream with this
 fixes.

 This gives fixed-in versions:

               Sid gtk2   Sid gdk-pixbuf
CVE-2005-2975  2.6.10-2     0.22.0-11
CVE-2005-2976      -        0.22.0-11
CVE-2005-3186  2.6.10-2     0.22.0-11

   Bye,
-- 
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS!    When do we want it? BRAINS!"



Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#339431; Package gtk+2.0. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. Full text and rfc822 format available.

Message #68 received at 339431@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Loic Minier <lool@dooz.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 339431@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Date: Mon, 21 Nov 2005 09:29:55 +0100
Loic Minier wrote:
> On Mon, Nov 21, 2005, Martin Schulze wrote:
> > >  I found the vulnerability matrix by Moritz Muehlenhoff useful:
> > >                Woody gtk2   Woody gdk-pixbuf   Sarge gtk2   Sarge gdk-pixbuf
> > > CVE-2005-2975    1170         284                1170         284
> > > CVE-2005-2976    1317         413                ----         413
> > > CVE-2005-3186    1255         359                1256         359
> > What's the meaning of the numbers above?
> 
>  Line numbers of the problematic code, but I found it useful to find out
>  which version are affected (all CVEs are present in all packages, all
>  dists, except 2976 in sarge Gtk2).
> 
> > I had to rebuild the woody packages since you've built them for
> > 'stable-security' instead of 'oldstable-security'
> 
>  Yes, I awoke in my sleep when I thought about that this night.
> 
> > Could you tell us as well which versions in sid fix these problems?
> 
>  Yes, I checked sid's gdk-pixbuf, and it adresses all 3 CVEs since
>  version 0.22.0-11.  I only checked sid's gtk 2.6.10 this morning, and
>  it was only vulnerable to CVE-2005-3186 and CVE-2005-2975 (not to
>  CVE-2005-2976), like the sarge gtk, and was fixed in 2.6.10-2.

Ok, this results to the following matrix:

             old stable (woody)    stable (sarge)   unstable (sid)
gdk-pixbuf     0.17.0-2woody3        0.22.0-8.1       0.22.0-11
gtk+2.0         2.0.2-5woody3         2.6.4-3.1        2.6.10-2

Regards,

	Joey

-- 
If you come from outside of Finland, you live in wrong country.
	-- motd of irc.funet.fi

Please always Cc to me when replying to me on the lists.



Tags added: fixed Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Sebastien Bacher <seb128@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #75 received at 339431-close@bugs.debian.org (full text, mbox):

From: Sebastien Bacher <seb128@debian.org>
To: 339431-close@bugs.debian.org
Subject: Bug#339431: fixed in gtk+2.0 2.8.9-2
Date: Thu, 15 Dec 2005 08:47:18 -0800
Source: gtk+2.0
Source-Version: 2.8.9-2

We believe that the bug you reported is fixed in the latest version of
gtk+2.0, which is due to be installed in the Debian FTP archive:

gtk+2.0_2.8.9-2.diff.gz
  to pool/main/g/gtk+2.0/gtk+2.0_2.8.9-2.diff.gz
gtk+2.0_2.8.9-2.dsc
  to pool/main/g/gtk+2.0/gtk+2.0_2.8.9-2.dsc
gtk2-engines-pixbuf_2.8.9-2_i386.deb
  to pool/main/g/gtk+2.0/gtk2-engines-pixbuf_2.8.9-2_i386.deb
gtk2.0-examples_2.8.9-2_i386.deb
  to pool/main/g/gtk+2.0/gtk2.0-examples_2.8.9-2_i386.deb
libgtk2.0-0-dbg_2.8.9-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-0-dbg_2.8.9-2_i386.deb
libgtk2.0-0_2.8.9-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-0_2.8.9-2_i386.deb
libgtk2.0-bin_2.8.9-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-bin_2.8.9-2_i386.deb
libgtk2.0-common_2.8.9-2_all.deb
  to pool/main/g/gtk+2.0/libgtk2.0-common_2.8.9-2_all.deb
libgtk2.0-dev_2.8.9-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-dev_2.8.9-2_i386.deb
libgtk2.0-doc_2.8.9-2_all.deb
  to pool/main/g/gtk+2.0/libgtk2.0-doc_2.8.9-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 339431@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Bacher <seb128@debian.org> (supplier of updated gtk+2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 15 Dec 2005 15:13:32 +0100
Source: gtk+2.0
Binary: libgtk2.0-dev libgtk2.0-0-dbg gtk2-engines-pixbuf libgtk2.0-0 libgtk2.0-doc gtk2.0-examples libgtk2.0-bin libgtk2.0-common
Architecture: source i386 all
Version: 2.8.9-2
Distribution: unstable
Urgency: low
Maintainer: Sebastien Bacher <seb128@debian.org>
Changed-By: Sebastien Bacher <seb128@debian.org>
Description: 
 gtk2-engines-pixbuf - Pixbuf-based theme for GTK+ 2.x
 gtk2.0-examples - Examples files for the GTK+ 2.0
 libgtk2.0-0 - The GTK+ graphical user interface library
 libgtk2.0-0-dbg - The GTK+ libraries and debugging symbols
 libgtk2.0-bin - The programs for the GTK+ graphical user interface library
 libgtk2.0-common - Common files for the GTK+ graphical user interface library
 libgtk2.0-dev - Development files for the GTK+ library
 libgtk2.0-doc - Documentation for the GTK+ graphical user interface library
Closes: 323080 323209 323705 339431
Changes: 
 gtk+2.0 (2.8.9-2) unstable; urgency=low
 .
   * Upload to unstable
 .
 gtk+2.0 (2.8.9-1) experimental; urgency=low
 .
   * New upstream version:
     Bugs fixed:
     - File chooser filter behaves weird
     - 2.8.4 to 2.8.6: sound-juicer crash, fileselector assertions
     - On unsetting the Model, GtkTreeView does not clear
       it's associated TreeSelection
     - Crash on selecting a file of null mime-type
     - gtktoolbutton leaks a pixbuf
     - GdkEvent leaked in gtktreeview.c / gtk_tree_view_key_press
     - Typo in trap_activate_cb()
     - gtkcalendar.c: The identifier is already declared.
     - gtk_menu_attach_to_widget() does not take NULL detacher
     - Unhinted fonts are measured incorrectly and drawing
       problems occur as a result
     - unwanted scrolling in recent gtk
     - Toolbars without icons are invisible in icon-only mode
     - Search-entry in the TreeView not working properly
     - gtktoolbutton.c:562: warning: 'image' is used
       uninitialized in this function
     - reference count of textbuffer increases with each paste
     - gtk_selection_data_get_uris leaks memory
     Other changes:
     - Remove GMemChunk from public header files to
       support building against GLib 2.10
     - Report errors in option parsing
     - Merge upstream xdgmime changes to handle duplicate glob patterns
 .
 gtk+2.0 (2.8.8-1) experimental; urgency=low
 .
   * New upstream version:
     GtkFileChooser:
      - Make F2 work for renaming bookmarks
     GtkEntry:
      - Turn off input methods in password entries
     - Other fixes * Documentation improvements
     - Updated translations
 .
 gtk+2.0 (2.8.7-1) experimental; urgency=low
 .
   * New upstream version.
   * Security fixes:
     - Add check to XPM reader to prevent integer overflow for specially crafted
       number of colors (CVE-2005-3186) (Closes: #339431).
     - Fix endless loop with specially crafted number of colors (CVE-2005-2975).
   * debian/patches/001_fs_documents.patch:
     - updated.
   * debian/rules:
     - fix confusing cp usage.
 .
   [ Loic Minier ]
   * Drop xlibs-dev deps and build-deps.
     [debian/control, debian/control.in]
 .
 gtk+2.0 (2.8.3-1) experimental; urgency=low
 .
   * New upstream version:
     - Fix problems with the handling of initial settings
       for font options and cursor themes.
     - Add a --ignore-theme-index option to gtk-update-icon-cache.
 .
 gtk+2.0 (2.8.2-1) experimental; urgency=low
 .
   * New upstream version:
     - Fix a crash with custom icon themes, which affected
       the gnome-theme-manager.
     - Make sure font and cursor settings are propaged down
       to the screen initially.
   * debian/control.in:
     - require the current pango.
 .
 gtk+2.0 (2.8.1-1) experimental; urgency=low
 .
   * New upstream version:
     - gtk-update-icon-cache no longer stores copies of symlinked icons,
       and it has a --index-only option to omit image data from the cache.
     - Make large GtkSizeGroups more efficient.
     - Improve positioning of menus in GtkToolbar.
     - Make scrolling work on unrealized icon views.
     - Avoid unnecessary redraws on range widgets.
     - Make sure that all GTK+ applications reload icon themes promptly.
     - Ensure that gdk_pango_get_context() and gtk_widget_get_pango_context()
       use the same font options and dpi value.
     - Multiple memory leak fixes.
   * debian/control.in:
     - updated the libgtk2.0-dev Depends according to the changes.
   * debian/rules:
     Add --enable-explicit-deps=yes to make sure stuff like x11 gets listed as a
     Requires: in gdk(-x11)-2.0.pc, because otherwise linkage against -lX11 and
     friends doesn't get carried through.  Whether or not this is correct is
     arguable, since libgdk-x11-2.0.so.0* ends up linked against it anyway, but
     stuff like gnome-panel seems to be relying on this transience.
     Change by Daniel Stone.
 .
 gtk+2.0 (2.8.0-1) experimental; urgency=low
 .
   * New upstream version.
   * debian/control.in:
     - build with the new cairo (Closes: #323705).
     - updated the Build-Depends for xorg (Closes: #323080).
   * debian/copyright:
     - use License instead of Copyright (Closes: #323209).
   * debian/patches/001_fs_documents.patch:
     - default to Documents.
   * debian/rules:
     - updated the shlibs.
   * debian/watch:
     - updated.
 .
 gtk+2.0 (2.7.2-1) experimental; urgency=low
 .
   * New upstream version.
   * debian/control.in:
     - updated the Build-Depends.
   * debian/rules:
     - updated the shlibs.
     - use cairo.
   * debian/watch:
     - updated.
Files: 
 1168f708b3152ef02fa14c5e9e7e666d 2127 libs optional gtk+2.0_2.8.9-2.dsc
 da7344154109ae591fae0a4193259719 48698 libs optional gtk+2.0_2.8.9-2.diff.gz
 5d8775aba46b7812667d5a22100ccebd 3447862 misc optional libgtk2.0-common_2.8.9-2_all.deb
 1212947f20296d9feea1fe696c838f55 2460724 doc optional libgtk2.0-doc_2.8.9-2_all.deb
 af7362ba651f8621f61abb335678d7b7 2080400 libs optional libgtk2.0-0_2.8.9-2_i386.deb
 e51684ba22ce62e57e151a3093115768 21528 misc optional libgtk2.0-bin_2.8.9-2_i386.deb
 4afc4ca44ee5005c6cc669f648eb64fe 2260522 libdevel optional libgtk2.0-dev_2.8.9-2_i386.deb
 c5dd3fa6f667869273db4c18bdfc55ce 3638590 libdevel extra libgtk2.0-0-dbg_2.8.9-2_i386.deb
 6750ab997828faceabefbdbc674caa42 275066 x11 extra gtk2.0-examples_2.8.9-2_i386.deb
 a506ee85575a6a5d1f6265ea67833538 56048 graphics optional gtk2-engines-pixbuf_2.8.9-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDoYzVQxo87aLX0pIRAj9/AKDC/eJuPN1peJoLpVgiQ4t43G5nXgCgge3R
KQFgscNEmA4Q4yPDNmpCGPk=
=Umy5
-----END PGP SIGNATURE-----




Tags added: fixed Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 02:43:30 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 18:56:43 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.