Bug#1073234: bookworm-pu: package gdk-pixbuf/2.42.10+dfsg-1+deb12u1
Jeremy Bícha
jeremy.bicha at canonical.com
Fri Jun 14 23:22:13 BST 2024
On Fri, Jun 14, 2024 at 5:18 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
>
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: gdk-pixbuf at packages.debian.org, Simon McVittie <smcv at debian.org>, carnil at debian.org
> Control: affects -1 + src:gdk-pixbuf
> User: release.debian.org at packages.debian.org
> Usertags: pu
>
> Hi stable release managers, CC'ing Simon,
>
> [ Reason ]
> gdk-pixbuf is affected by CVE-2022-48622, a memory corruption via
> crafted .ani files, cf. #1071265.
>
> [ Impact ]
> At least denial of service but potentially as well arbitrary code
> execution. But we have classified it as no-dsa and it does not warrant a
> DSA on its own.
>
> [ Tests ]
> Manual test against the poc in the upstream issue
> https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202 .
>
> [ Risks ]
> Isolated changes, and the fix has been exposed in sid and trixie.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> Three commits cherry-picked from upstream:
>
> * ANI: Reject files with multiple anih chunks (CVE-2022-48622)
> (Closes: #1071265)
> * ANI: Reject files with multiple INAM or IART chunks
> * ANI: Validate anih chunk size
>
> The two other commits are not for CVE-2022-48622 but additional
> hardening and fixing changes related to the ANI code.
>
> Simon, ideally we should do as well the fixup in bullseye, but I have
> not looked at that version yet.
Salvatore, I pushed commits a few days ago to the debian/bookworm and
debian/bullseye branches of
https://salsa.debian.org/gnome-team/gdk-pixbuf based directly on
similar work that had been done by Ubuntu Security but I hadn't made
time to do further testing and reach out to Debian Security. Do you
want to use those versions or the version you have prepared now?
Thank you,
Jeremy Bícha
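As an added illustration (not gdk-pixbuf's own code and not part of this thread): a minimal C validator for the top-level chunks of a RIFF/ACON (.ani) file that enforces the three rules the cherry-picked commits describe, i.e. a single anih chunk, at most one INAM and one IART chunk, and an anih payload of exactly the 36-byte ANIHEADER size. The chunk walking, the 36-byte header size, the inline handling of LIST sub-chunks, and the sample buffers are assumptions of this example, not details taken from the bug report or from io-ani.c.

```c
/* Added example, not gdk-pixbuf's code: a bounds-checked RIFF/ACON chunk
 * walker that rejects duplicate anih/INAM/IART chunks and a wrongly sized
 * anih chunk. Sample buffers below are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ani_status {
    ANI_OK = 0,
    ANI_ERR_TRUNCATED,   /* chunk header or payload runs past the buffer */
    ANI_ERR_NOT_ACON,    /* not a RIFF container of type ACON */
    ANI_ERR_DUP_ANIH,    /* more than one anih chunk */
    ANI_ERR_DUP_INAM,    /* more than one INAM chunk */
    ANI_ERR_DUP_IART,    /* more than one IART chunk */
    ANI_ERR_ANIH_SIZE,   /* anih payload is not sizeof(ANIHEADER) */
    ANI_ERR_NO_ANIH      /* file carries no animation header at all */
};

/* ANIHEADER is nine little-endian DWORDs (assumed layout for this example). */
#define ANIH_SIZE 36u

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Every chunk header and declared payload size is checked against the
 * remaining buffer before anything is read; occurrence counters enforce
 * the single-chunk rules. LIST chunks are walked inline (simplification). */
enum ani_status ani_validate(const uint8_t *buf, size_t len) {
    if (len < 12) return ANI_ERR_TRUNCATED;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_ERR_NOT_ACON;

    size_t pos = 12;
    unsigned seen_anih = 0, seen_inam = 0, seen_iart = 0;
    while (pos < len) {
        if (len - pos < 8) return ANI_ERR_TRUNCATED;
        const uint8_t *id = buf + pos;
        uint32_t size = rd32le(buf + pos + 4);
        pos += 8;
        if (size > len - pos) return ANI_ERR_TRUNCATED; /* declared size must fit */

        if (memcmp(id, "LIST", 4) == 0) {
            if (size < 4) return ANI_ERR_TRUNCATED;
            pos += 4; /* skip the list type (e.g. "INFO"); sub-chunks follow inline */
            continue;
        }
        if (memcmp(id, "anih", 4) == 0) {
            if (++seen_anih > 1) return ANI_ERR_DUP_ANIH;
            if (size != ANIH_SIZE) return ANI_ERR_ANIH_SIZE;
        } else if (memcmp(id, "INAM", 4) == 0) {
            if (++seen_inam > 1) return ANI_ERR_DUP_INAM;
        } else if (memcmp(id, "IART", 4) == 0) {
            if (++seen_iart > 1) return ANI_ERR_DUP_IART;
        }
        pos += size + (size & 1); /* RIFF pads odd-sized chunks to even length */
    }
    return seen_anih ? ANI_OK : ANI_ERR_NO_ANIH;
}

/* Constructed sample files (RIFF size field left at 0; not checked here). */
#define RIFF_ACON 'R','I','F','F', 0,0,0,0, 'A','C','O','N'
#define ANIH_HDR  'a','n','i','h', 36,0,0,0
#define ANIH_BODY 36,0,0,0, 1,0,0,0, 1,0,0,0, 32,0,0,0, 32,0,0,0, \
                  32,0,0,0, 1,0,0,0, 10,0,0,0, 1,0,0,0
static const uint8_t sample_ok[]        = { RIFF_ACON, ANIH_HDR, ANIH_BODY };
static const uint8_t sample_dup_anih[]  = { RIFF_ACON, ANIH_HDR, ANIH_BODY, ANIH_HDR, ANIH_BODY };
static const uint8_t sample_bad_size[]  = { RIFF_ACON, 'a','n','i','h', 8,0,0,0, 1,0,0,0, 2,0,0,0 };
static const uint8_t sample_dup_inam[]  = { RIFF_ACON, ANIH_HDR, ANIH_BODY,
    'L','I','S','T', 24,0,0,0, 'I','N','F','O',
    'I','N','A','M', 2,0,0,0, 'h','i',
    'I','N','A','M', 2,0,0,0, 'h','i' };
static const uint8_t sample_truncated[] = { RIFF_ACON, 'a','n','i','h', 36,0,0,0, 1,0,0,0 };
static const uint8_t sample_no_anih[]   = { RIFF_ACON };

int main(void) {
    const struct { const char *name; const uint8_t *buf; size_t len; } cases[] = {
        { "ok",            sample_ok,        sizeof sample_ok },
        { "dup anih",      sample_dup_anih,  sizeof sample_dup_anih },
        { "bad anih size", sample_bad_size,  sizeof sample_bad_size },
        { "dup INAM",      sample_dup_inam,  sizeof sample_dup_inam },
        { "truncated",     sample_truncated, sizeof sample_truncated },
        { "no anih",       sample_no_anih,   sizeof sample_no_anih },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-14s -> status %d\n", cases[i].name, (int)ani_validate(cases[i].buf, cases[i].len));
    return 0;
}
```

The point of checking `size > len - pos` before touching a payload, and of counting chunks rather than assuming the first anih is the only one, is that a later duplicate header can otherwise re-initialise state that earlier frames already depend on; the walker refuses such files before any pixel data is allocated.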