Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: GIF loader buffer overflow when initializing decompression tables
From: Tomas Hoger <thoger () redhat com>
Date: Wed, 3 Aug 2011 15:21:14 +0200

On Tue, 2 Aug 2011 17:34:28 +0200 Thomas Biege wrote:

https://bugzilla.redhat.com/show_bug.cgi?id=727081

...

This problem was corrected upstream long ago:

http://git.gnome.org/browse/gdk-pixbuf/commit/gdk-pixbuf/io-gif.c?id=3bac204e0d0241a0d68586ece7099e6acf0e9bea

I'm being told that even if this is 2001 fix, it's ok to use 2011 CVE
if this was not called security before.  Hence use CVE-2011-2897 if you
plan to fix.

The fix can be found in all gdk-pixbuf versions embedded in gtk2
packages, but it seems it never got it to stand-alone gdk-pixbuf
version for gtk+ 1.x.

Just to clarify, the above was about RHEL gtk2 packages.  For most
distros, that implies they don't really need to look at their gtk2
packages if it's fixed in the oldest supported RHEL.  I've not really
tried to figure out if there was any upstream gtk2 version that did not
have the fix though.

I'm FYI CCing gnome security to reduce the amount of confusion this can
possibly cause.  This is follow-up on:

http://www.openwall.com/lists/oss-security/2011/08/02/3

-- 
Tomas Hoger / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault