Bug#1073234: bookworm-pu: package gdk-pixbuf/2.42.10+dfsg-1+deb12u1
Salvatore Bonaccorso
carnil at debian.org
Sat Jun 15 07:28:48 BST 2024
Hi Jeremy, Simon,
On Fri, Jun 14, 2024 at 06:22:13PM -0400, Jeremy Bícha wrote:
> On Fri, Jun 14, 2024 at 5:18 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
> >
> > Package: release.debian.org
> > Severity: normal
> > Tags: bookworm
> > X-Debbugs-Cc: gdk-pixbuf at packages.debian.org, Simon McVittie <smcv at debian.org>, carnil at debian.org
> > Control: affects -1 + src:gdk-pixbuf
> > User: release.debian.org at packages.debian.org
> > Usertags: pu
> >
> > Hi stable release managers, CC'ing Simon,
> >
> > [ Reason ]
> > gdk-pixbuf is affected by CVE-2022-48622, a memory corruption via
> > crafted .ani files, cf. #1071265.
> >
> > [ Impact ]
> > At least denial of service, but potentially arbitrary code
> > execution as well. But we have classified it as no-dsa and it does not
> > warrant a DSA on its own.
> >
> > [ Tests ]
> > Manual test against the poc in the upstream issue
> > https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202 .
> >
> > [ Risks ]
> > Isolated changes, and the fix has been exposed in sid and trixie.
> >
> > [ Checklist ]
> > [x] *all* changes are documented in the d/changelog
> > [x] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in (old)stable
> > [x] the issue is verified as fixed in unstable
> >
> > [ Changes ]
> > Three commits cherry-picked from upstream:
> >
> > * ANI: Reject files with multiple anih chunks (CVE-2022-48622)
> > (Closes: #1071265)
> > * ANI: Reject files with multiple INAM or IART chunks
> > * ANI: Validate anih chunk size
> >
> > The two other commits are not for CVE-2022-48622 but additional
> > hardening and fixing changes related to the ANI code.
> >
> > Simon, ideally we should do the fixup in bullseye as well, but I have
> > not looked at that version yet.
>
> Salvatore, I pushed commits a few days ago to the debian/bookworm and
> debian/bullseye branches of
> https://salsa.debian.org/gnome-team/gdk-pixbuf based directly on
> similar work that had been done by Ubuntu Security but I hadn't made
> time to do further testing and reach out to Debian Security. Do you
> want to use those versions or the version you have prepared now?
Oops, apologies, I did not spot that you had already done the work as well.
If you prefer to have your version included for the point release we
can ask the SRM to reject my version and you can upload yours
(note: please change the target distribution to 'bookworm' for the
point-release update).
As you have already done the bullseye one as well, can you file a
bullseye-pu request + upload for bullseye-pu as well?
Just let us know here if you want
gdk-pixbuf | 2.42.10+dfsg-1+deb12u1 | stable-new | source
rejected in favour of your version.
Note the window for uploads for bookworm and bullseye point releases
is closing next weekend.
Thank you for all your work!
Regards,
Salvatore
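As an added illustration of the three ANI checks listed in the quoted changelog (this is example code written for this post, not code from gdk-pixbuf's io-ani.c or from either poster): a minimal RIFF/ACON chunk walker in C that rejects a second anih chunk, a second INAM or IART chunk, an anih payload that is not the 36-byte ANI header, and any chunk that runs past the end of the buffer. The 36-byte anih size, the error codes and the sample buffers are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ANIH_SIZE 36u   /* assumed: size of the ANI header payload */

/* RIFF fields are little-endian; read them without alignment assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 for a well-formed ACON buffer, a negative code otherwise.
 * Walks the top-level chunks plus the LIST/INFO sub-chunks so that
 * duplicate INAM/IART chunks are also caught. */
int ani_validate(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "ACON", 4))
        return -1;                                   /* not an ANI file */
    int anih = 0, inam = 0, iart = 0;
    size_t pos = 12;
    while (pos + 8 <= len) {
        const uint8_t *id = buf + pos;
        uint32_t size = rd32(buf + pos + 4);
        size_t body = pos + 8;
        if (size > len - body) return -2;            /* chunk past end of data */
        if (!memcmp(id, "anih", 4)) {
            if (anih++) return -3;                   /* second anih chunk */
            if (size != ANIH_SIZE) return -4;        /* wrong anih size */
        } else if (!memcmp(id, "LIST", 4) && size >= 4 &&
                   !memcmp(buf + body, "INFO", 4)) {
            size_t p = body + 4, end = body + size;
            while (p + 8 <= end) {
                uint32_t s = rd32(buf + p + 4);
                if (s > end - (p + 8)) return -2;    /* sub-chunk past LIST end */
                if (!memcmp(buf + p, "INAM", 4) && inam++) return -5;
                if (!memcmp(buf + p, "IART", 4) && iart++) return -5;
                p += 8 + s + (s & 1);                /* chunks are word-padded */
            }
        }
        pos = body + size + (size & 1);
    }
    return anih ? 0 : -6;                            /* anih is mandatory */
}

/* Constructed sample files (all trailing bytes are zero-initialised). */
static const uint8_t good_ani[12 + 44]  = {'R','I','F','F',48,0,0,0,'A','C','O','N','a','n','i','h',36};
static const uint8_t dup_anih[12 + 88]  = {'R','I','F','F',92,0,0,0,'A','C','O','N','a','n','i','h',36,
                                           [56]='a',[57]='n',[58]='i',[59]='h',[60]=36};
static const uint8_t bad_size[12 + 20]  = {'R','I','F','F',24,0,0,0,'A','C','O','N','a','n','i','h',12};
static const uint8_t trunc_ani[12 + 28] = {'R','I','F','F',48,0,0,0,'A','C','O','N','a','n','i','h',36};
static const uint8_t dup_inam[12 + 76]  = {'R','I','F','F',80,0,0,0,'A','C','O','N','a','n','i','h',36,
    [56]='L',[57]='I',[58]='S',[59]='T',[60]=24,[64]='I',[65]='N',[66]='F',[67]='O',
    [68]='I',[69]='N',[70]='A',[71]='M',[72]=2,[76]='a',[77]='b',
    [78]='I',[79]='N',[80]='A',[81]='M',[82]=2,[86]='c',[87]='d'};
```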