Bug#1074054: bullseye-pu: package gdk-pixbuf/2.42.2+dfsg-1+deb11u2

Sat Jun 22 15:16:49 BST 2024

Package: release.debian.org
Tags: bullseye
X-Debbugs-Cc: gdk-pixbuf at packages.debian.org, team at security.debian.org
Control: affects -1 + src:gdk-pixbuf
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
gdk-pixbuf is affected by CVE-2022-48622, a memory corruption via
crafted .ani files, cf. #1071265.

[ Impact ]
At least denial of service but potentially as well arbitrary code
execution. The Debian Security Team has classified it as no-dsa and
requested that we do a stable update for this issue if possible.

[ Tests ]
This is the same set of patches used in Ubuntu 22.04 LTS "Jammy".

[ Risks ]
Isolated changes, and the fix landed in Trixie a month ago. Similar
fix being applied to Bookworm now also. See
https://bugs.debian.org/1073234

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Three commits cherry-picked from upstream:

  * ANI: Reject files with multiple anih chunks (CVE-2022-48622)
    (Closes: #1071265)
  * ANI: Reject files with multiple INAM or IART chunks
  * ANI: Validate anih chunk size

The two other commits are not for CVE-2022-48622 but additional
hardening and fixing changes related to the ANI code.

Updated debian/gbp.conf to point to the debian/bullseye packaging branch.

Thank you,
Jeremy Bícha
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gdk-pixbuf-bullseye.debdiff
Type: application/octet-stream
Size: 7206 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20240622/18863b50/attachment-0001.obj>