Debian Bug report logs - #977166
gdk-pixbuf: CVE-2020-29385
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#977166; Package src:gdk-pixbuf.
(Fri, 11 Dec 2020 23:03:03 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Fri, 11 Dec 2020 23:03:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: gdk-pixbuf
Version: 2.40.0+dfsg-10
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.40.0+dfsg-8
Hi,
The following vulnerability was published for gdk-pixbuf.
CVE-2020-29385[0]:
| infinite loop in write_indexes function in gdk-pixbuf/lzw.c
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-29385
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29385
[1] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81
[2] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
Regards,
Salvatore
Marked as found in versions gdk-pixbuf/2.40.0+dfsg-8.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Fri, 11 Dec 2020 23:03:03 GMT)
Reply sent
to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Sun, 13 Dec 2020 00:06:03 GMT)
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 13 Dec 2020 00:06:03 GMT)
Message #12 received at 977166-close@bugs.debian.org:
Source: gdk-pixbuf
Source-Version: 2.42.2+dfsg-1
Done: Simon McVittie <smcv@debian.org>
We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 977166@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated gdk-pixbuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 12 Dec 2020 22:57:45 +0000
Source: gdk-pixbuf
Architecture: source
Version: 2.42.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 977166
Changes:
 gdk-pixbuf (2.42.2+dfsg-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream release, without the Xlib API
     - Fix infinite loop on invalid LZW codes in the GIF loader
       (Closes: #977166, CVE-2020-29385)
   * d/patches: Update to upstream 2.42.2-6-g89a4cedc
     - Make enum GType registration thread-safe
     - Fix memory leaks in test code
     - Update Romanian translation
   * d/rules: Update Meson parameter names
   * Update versioned build-dependencies
   * d/patches: Change how the test for GNOME#753605 is avoided.
     Instead of deleting the code, which will cause merge conflicts on new
     upstream versions, just skip the test if the non-free file is missing.
   * Stop deleting .la files.
     This package no longer uses libtool, so there are none.
   * d/rules: Don't chmod a file that is no longer shipped
   * Don't try to remove non-determinism from test data.
     Some of the images included with the tests are deliberately malformed.
   * d/patches: Add proposed patches to run all the tests, and make
     them pass
   * d/copyright: Remove information about contrib/, which was removed.
     The former contrib directory from this source package has moved to
     the gdk-pixbuf-xlib source package.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 15 Jan 2021 07:28:05 GMT)
Last modified: Fri Aug 2 01:11:43 2024