Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code

Martin Schulze joey at infodrom.org
Mon Nov 21 08:29:55 UTC 2005


Loic Minier wrote:
> On Mon, Nov 21, 2005, Martin Schulze wrote:
> > >  I found the vulnerability matrix by Moritz Muehlenhoff useful:
> > >                Woody gtk2   Woody gdk-pixbuf   Sarge gtk2   Sarge gdk-pixbuf
> > > CVE-2005-2975    1170         284                1170         284
> > > CVE-2005-2976    1317         413                ----         413
> > > CVE-2005-3186    1255         359                1256         359
> > What's the meaning of the numbers above?
> 
>  Line numbers of the problematic code, but I found it useful to find out
>  which version are affected (all CVEs are present in all packages, all
>  dists, except 2976 in sarge Gtk2).
> 
> > I had to rebuild the woody packages since you've built them for
> > 'stable-security' instead of 'oldstable-security'
> 
>  Yes, I awoke in my sleep when I thought about that this night.
> 
> > Could you tell us as well which versions in sid fix these problems?
> 
>  Yes, I checked sid's gdk-pixbuf, and it adresses all 3 CVEs since
>  version 0.22.0-11.  I only checked sid's gtk 2.6.10 this morning, and
>  it was only vulnerable to CVE-2005-3186 and CVE-2005-2975 (not to
>  CVE-2005-2976), like the sarge gtk, and was fixed in 2.6.10-2.

Ok, this results to the following matrix:

             old stable (woody)    stable (sarge)   unstable (sid)
gdk-pixbuf     0.17.0-2woody3        0.22.0-8.1       0.22.0-11
gtk+2.0         2.0.2-5woody3         2.6.4-3.1        2.6.10-2

Regards,

	Joey

-- 
If you come from outside of Finland, you live in wrong country.
	-- motd of irc.funet.fi

Please always Cc to me when replying to me on the lists.





More information about the Pkg-gnome-maintainers mailing list