oss-sec mailing list archives
CVE Request: heap buffer overflow in gdk-pixbuf
From: Pedro Ribeiro <pedrib () gmail com>
Date: Sat, 23 Jul 2022 19:35:42 +0700
Hi, A year ago I found and submitted a vulnerability to the gdk-pixbuf tracker: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190It's a heap buffer overflow using a crafted GIF, which is likely exploitable in 32 bit systems. Full details are in the link above in the bug tracker.
This was patched and the fix was merged 8 months ago as seen here: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121The issue is now public, but since no CVE was attributed, it probably is not being considered as a problem for downstream users of the package.
As of today, the latest Debian stable package is affected by this vulnerability. Using a GNOME file system browser and browsing to that folder will cause a crash, as will opening it up in a GNOME image viewer and even attempting to load it in Chromium (should have submitted to them for a bounty :D).
Hence I'd like to get a CVE to raise awareness for this issue, so that downstream users of the package can get patched.
Thanks and regards, Pedro Ribeiro
Current thread:
- CVE Request: heap buffer overflow in gdk-pixbuf Pedro Ribeiro (Jul 23)
- Re: CVE Request: heap buffer overflow in gdk-pixbuf John Helmert III (Jul 23)
- Re: CVE Request: heap buffer overflow in gdk-pixbuf Pedro Ribeiro (Jul 24)
- Re: CVE Request: heap buffer overflow in gdk-pixbuf Pedro Ribeiro (Jul 24)
- Re: CVE Request: heap buffer overflow in gdk-pixbuf Pedro Ribeiro (Jul 24)
- Re: CVE Request: heap buffer overflow in gdk-pixbuf John Helmert III (Jul 23)