[Bug 19702] CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
bugzilla-daemon at bugzilla.ubuntu.com
bugzilla-daemon at bugzilla.ubuntu.com
Mon Nov 21 09:17:50 UTC 2005
Please do not reply to this email. You can add comments at
http://bugzilla.ubuntu.com/show_bug.cgi?id=19702
Ubuntu | gtk+2.0
------- Additional Comments From debzilla at ubuntu.com 2005-11-21 09:17 UTC -------
Message-ID: <20051121082955.GH1123 at finlandia.infodrom.north.de>
Date: Mon, 21 Nov 2005 09:29:55 +0100
From: Martin Schulze <joey at infodrom.org>
To: Loic Minier <lool at dooz.org>
Cc: Moritz Muehlenhoff <jmm at inutil.org>, 339431 at bugs.debian.org,
team at security.debian.org
Subject: Re: Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Loic Minier wrote:
> On Mon, Nov 21, 2005, Martin Schulze wrote:
> > > I found the vulnerability matrix by Moritz Muehlenhoff useful:
> > > Woody gtk2 Woody gdk-pixbuf Sarge gtk2 Sarge gdk-pixbuf
> > > CVE-2005-2975 1170 284 1170 284
> > > CVE-2005-2976 1317 413 ---- 413
> > > CVE-2005-3186 1255 359 1256 359
> > What's the meaning of the numbers above?
>
> Line numbers of the problematic code, but I found it useful to find out
> which version are affected (all CVEs are present in all packages, all
> dists, except 2976 in sarge Gtk2).
>
> > I had to rebuild the woody packages since you've built them for
> > 'stable-security' instead of 'oldstable-security'
>
> Yes, I awoke in my sleep when I thought about that this night.
>
> > Could you tell us as well which versions in sid fix these problems?
>
> Yes, I checked sid's gdk-pixbuf, and it adresses all 3 CVEs since
> version 0.22.0-11. I only checked sid's gtk 2.6.10 this morning, and
> it was only vulnerable to CVE-2005-3186 and CVE-2005-2975 (not to
> CVE-2005-2976), like the sarge gtk, and was fixed in 2.6.10-2.
Ok, this results to the following matrix:
old stable (woody) stable (sarge) unstable (sid)
gdk-pixbuf 0.17.0-2woody3 0.22.0-8.1 0.22.0-11
gtk+2.0 2.0.2-5woody3 2.6.4-3.1 2.6.10-2
Regards,
Joey
--
If you come from outside of Finland, you live in wrong country.
-- motd of irc.funet.fi
Please always Cc to me when replying to me on the lists.
--
Configure bugmail: http://bugzilla.ubuntu.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
More information about the desktop-bugs
mailing list