[Bug 19702] CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code

bugzilla-daemon at bugzilla.ubuntu.com
Mon Nov 21 08:02:35 UTC 2005


Please do not reply to this email.  You can add comments at
http://bugzilla.ubuntu.com/show_bug.cgi?id=19702
Ubuntu | gtk+2.0





------- Additional Comments From debzilla at ubuntu.com  2005-11-21 08:02 UTC -------
Message-ID: <20051121072249.GC25623 at bugs.debian.org>
Date: Mon, 21 Nov 2005 08:22:49 +0100
From: Loic Minier <lool at dooz.org>
To: Martin Schulze <joey at infodrom.org>
Cc: Moritz Muehlenhoff <jmm at inutil.org>, 339431 at bugs.debian.org,
	team at security.debian.org
Subject: Re: Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code

On Mon, Nov 21, 2005, Martin Schulze wrote:
> >  I found the vulnerability matrix by Moritz Muehlenhoff useful:
> >                Woody gtk2   Woody gdk-pixbuf   Sarge gtk2   Sarge gdk-pixbuf
> > CVE-2005-2975    1170         284                1170         284
> > CVE-2005-2976    1317         413                ----         413
> > CVE-2005-3186    1255         359                1256         359
> What's the meaning of the numbers above?

 Line numbers of the problematic code, but I found it useful to find out
 which versions are affected (all CVEs are present in all packages, all
 dists, except 2976 in sarge Gtk2).

> I had to rebuild the woody packages since you've built them for
> 'stable-security' instead of 'oldstable-security'

 Yes, I awoke in my sleep when I thought about that this night.

> Could you tell us as well which versions in sid fix these problems?

 Yes, I checked sid's gdk-pixbuf, and it addresses all 3 CVEs since
 version 0.22.0-11.  I only checked sid's gtk 2.6.10 this morning, and
 it was only vulnerable to CVE-2005-3186 and CVE-2005-2975 (not to
 CVE-2005-2976), like the sarge gtk, and was fixed in 2.6.10-2.

 FYI, it was also fixed in experimental with a new upstream with these
 fixes.

 This gives fixed-in versions:

               Sid gtk2   Sid gdk-pixbuf
CVE-2005-2975  2.6.10-2     0.22.0-11
CVE-2005-2976      -        0.22.0-11
CVE-2005-3186  2.6.10-2     0.22.0-11

   Bye,
-- 
Loïc Minier <lool at dooz.org>
"What do we want? BRAINS!    When do we want it? BRAINS!"



