Re: CVE Request: heap buffer overflow in gdk-pixbuf

[Pedro Ribeiro <pedrib () gmail com>]

> On 24 Jul 2022, at 01:08, John Helmert III <ajak () gentoo org> wrote:
>
> On Sat, Jul 23, 2022 at 07:35:42PM +0700, Pedro Ribeiro wrote:
> > Hi,
> >
> > A year ago I found and submitted a vulnerability to the gdk-pixbuf tracker:
> > https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190
> >
> > It's a heap buffer overflow using a crafted GIF, which is likely 
> > exploitable in 32 bit systems. Full details are in the link above in the 
> > bug tracker.
> >
> > This was patched and the fix was merged 8 months ago as seen here:
> > https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121
> >
> > The issue is now public, but since no CVE was attributed, it probably is 
> > not being considered as a problem for downstream users of the package.
> >
> > As of today, the latest Debian stable package is affected by this 
> > vulnerability. Using a GNOME file system browser and browsing to that 
> > folder will cause a crash, as will opening it up in a GNOME image viewer 
> > and even attempting to load it in Chromium (should have submitted to 
> > them for a bounty :D).
> >
> > Hence I'd like to get a CVE to raise awareness for this issue, so that 
> > downstream users of the package can get patched.
> >
> > Thanks and regards,
> > Pedro Ribeiro
>
> Hi, according to the oss-security Openwall wiki page [1], CVEs need to
> be requested via MITRE's web form [2].
>
> [1] https://oss-security.openwall.org/wiki/mailing-lists/oss-security
> [2] https://cveform.mitre.org/

Hi John,

Thanks for the info, will request via the form and post here again once I have a CVE number. In any case I hope this 
post is useful to raise awareness of the issue to distro maintainers.

Regards 
Pedro