oss-sec mailing list archives
Re: CVE Request: heap buffer overflow in gdk-pixbuf
From: John Helmert III <ajak () gentoo org>
Date: Sat, 23 Jul 2022 11:51:53 -0500
On Sat, Jul 23, 2022 at 07:35:42PM +0700, Pedro Ribeiro wrote:
Hi, A year ago I found and submitted a vulnerability to the gdk-pixbuf tracker: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190 It's a heap buffer overflow using a crafted GIF, which is likely exploitable in 32 bit systems. Full details are in the link above in the bug tracker. This was patched and the fix was merged 8 months ago as seen here: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121 The issue is now public, but since no CVE was attributed, it probably is not being considered as a problem for downstream users of the package. As of today, the latest Debian stable package is affected by this vulnerability. Using a GNOME file system browser and browsing to that folder will cause a crash, as will opening it up in a GNOME image viewer and even attempting to load it in Chromium (should have submitted to them for a bounty :D). Hence I'd like to get a CVE to raise awareness for this issue, so that downstream users of the package can get patched. Thanks and regards, Pedro Ribeiro
Hi, according to the oss-security Openwall wiki page [1], CVEs need to be requested via MITRE's web form [2]. [1] https://oss-security.openwall.org/wiki/mailing-lists/oss-security [2] https://cveform.mitre.org/
Attachment:
signature.asc
Description:
Current thread:
- CVE Request: heap buffer overflow in gdk-pixbuf Pedro Ribeiro (Jul 23)
- Re: CVE Request: heap buffer overflow in gdk-pixbuf John Helmert III (Jul 23)
- Re: CVE Request: heap buffer overflow in gdk-pixbuf Pedro Ribeiro (Jul 24)
- Re: CVE Request: heap buffer overflow in gdk-pixbuf Pedro Ribeiro (Jul 24)
- Re: CVE Request: heap buffer overflow in gdk-pixbuf Pedro Ribeiro (Jul 24)
- Re: CVE Request: heap buffer overflow in gdk-pixbuf John Helmert III (Jul 23)