Bug#1074054: bullseye-pu: package gdk-pixbuf/2.42.2+dfsg-1+deb11u2
Jeremy Bícha
jeremy.bicha at canonical.com
Sat Jun 22 15:16:49 BST 2024
Package: release.debian.org
Tags: bullseye
X-Debbugs-Cc: gdk-pixbuf at packages.debian.org, team at security.debian.org
Control: affects -1 + src:gdk-pixbuf
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
gdk-pixbuf is affected by CVE-2022-48622, a memory corruption via
crafted .ani files, cf. #1071265.
[ Impact ]
At least denial of service but potentially as well arbitrary code
execution. The Debian Security Team has classified it as no-dsa and
requested that we do a stable update for this issue if possible.
[ Tests ]
This is the same set of patches used in Ubuntu 22.04 LTS "Jammy".
[ Risks ]
Isolated changes, and the fix landed in Trixie a month ago. Similar
fix being applied to Bookworm now also. See
https://bugs.debian.org/1073234
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable
[ Changes ]
Three commits cherry-picked from upstream:
* ANI: Reject files with multiple anih chunks (CVE-2022-48622)
(Closes: #1071265)
* ANI: Reject files with multiple INAM or IART chunks
* ANI: Validate anih chunk size
The two other commits are not for CVE-2022-48622 but additional
hardening and fixing changes related to the ANI code.
Updated debian/gbp.conf to point to the debian/bullseye packaging branch.
Thank you,
Jeremy Bícha
Attachment: gdk-pixbuf-bullseye.debdiff (application/octet-stream, 7206 bytes)
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20240622/18863b50/attachment-0001.obj>
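The three ANI checks listed under [ Changes ] (reject a second anih chunk, reject a second INAM or IART chunk, validate the anih chunk size) are easy to see in a minimal RIFF/ACON chunk walker. The following C program is an added example written for this page; it is not gdk-pixbuf's io-ani.c loader and not the attached debdiff. It assumes the anih payload must be exactly 36 bytes (the size of the ANIHEADER struct), that INAM/IART live inside a LIST/INFO sub-list, and the status codes, helper names (walk_chunks, build_ani, put_chunk) and the constructed sample files are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: RIFF/ACON ("ANI") chunk walker enforcing the three checks
 * named in the cherry-picked commits. Not gdk-pixbuf's loader; the 36-byte
 * anih size and the status codes below are this example's assumptions. */

enum ani_status {
    ANI_OK = 0,
    ANI_ERR_HEADER,      /* not a RIFF/ACON container, or RIFF size bogus */
    ANI_ERR_TRUNCATED,   /* a chunk claims more bytes than remain */
    ANI_ERR_DUP_ANIH,    /* second anih chunk (the CVE-2022-48622 check) */
    ANI_ERR_ANIH_SIZE,   /* anih payload is not sizeof(ANIHEADER) == 36 */
    ANI_ERR_DUP_INFO,    /* second INAM or IART chunk */
    ANI_ERR_NO_ANIH      /* no anih chunk at all */
};

#define ANIH_SIZE 36u   /* assumed ANIHEADER size */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

struct ani_state { int anih, inam, iart; };

/* Walk the chunks in [p, p+len), descending into LIST chunks. Every size
 * field is bounds-checked against the bytes actually available. */
static enum ani_status walk_chunks(const uint8_t *p, size_t len, struct ani_state *st)
{
    while (len >= 8) {
        uint32_t size = rd32le(p + 4);
        size_t padded = (size_t)size + (size & 1u);  /* RIFF pads chunks to even */
        if (size > len - 8)
            return ANI_ERR_TRUNCATED;
        if (memcmp(p, "LIST", 4) == 0) {
            if (size < 4)
                return ANI_ERR_TRUNCATED;
            enum ani_status s = walk_chunks(p + 12, size - 4, st);  /* skip list type */
            if (s != ANI_OK)
                return s;
        } else if (memcmp(p, "anih", 4) == 0) {
            if (st->anih++)            /* header already parsed once: reject */
                return ANI_ERR_DUP_ANIH;
            if (size != ANIH_SIZE)     /* fixed-size struct: reject any other size */
                return ANI_ERR_ANIH_SIZE;
        } else if (memcmp(p, "INAM", 4) == 0) {
            if (st->inam++)
                return ANI_ERR_DUP_INFO;
        } else if (memcmp(p, "IART", 4) == 0) {
            if (st->iart++)
                return ANI_ERR_DUP_INFO;
        }
        /* other chunks (rate, seq , fram, ...) are skipped here */
        if (padded > len - 8)
            padded = len - 8;          /* tolerate a missing final pad byte */
        p += 8 + padded;
        len -= 8 + padded;
    }
    return ANI_OK;
}

enum ani_status ani_validate(const uint8_t *buf, size_t len)
{
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_ERR_HEADER;
    uint32_t riff_size = rd32le(buf + 4);
    if (riff_size < 4 || riff_size > len - 8)
        return ANI_ERR_HEADER;
    struct ani_state st = {0, 0, 0};
    enum ani_status s = walk_chunks(buf + 12, riff_size - 4, &st);
    if (s != ANI_OK)
        return s;
    return st.anih ? ANI_OK : ANI_ERR_NO_ANIH;
}

/* --- constructed sample files (not real cursors) --- */

static size_t put_chunk(uint8_t *out, const char *id, uint32_t size, const uint8_t *payload)
{
    memcpy(out, id, 4);
    wr32le(out + 4, size);
    memcpy(out + 8, payload, size);
    size_t n = 8 + size;
    if (size & 1u) out[n++] = 0;   /* pad byte */
    return n;
}

/* anih_n anih chunks of anih_size bytes, then a LIST/INFO with inam_n INAM chunks */
static size_t build_ani(uint8_t *out, int anih_n, uint32_t anih_size, int inam_n)
{
    static const uint8_t zeros[64] = {0};
    static const uint8_t name[] = "cursor";   /* 7 bytes incl. NUL -> gets padded */
    size_t n = 12;
    memcpy(out, "RIFF", 4);
    memcpy(out + 8, "ACON", 4);
    for (int i = 0; i < anih_n; i++)
        n += put_chunk(out + n, "anih", anih_size, zeros);
    if (inam_n > 0) {
        size_t list_start = n;
        n += 12;                                   /* LIST <size> INFO */
        for (int i = 0; i < inam_n; i++)
            n += put_chunk(out + n, "INAM", sizeof name, name);
        memcpy(out + list_start, "LIST", 4);
        wr32le(out + list_start + 4, (uint32_t)(n - list_start - 8));
        memcpy(out + list_start + 8, "INFO", 4);
    }
    wr32le(out + 4, (uint32_t)(n - 8));
    return n;
}

enum ani_status sample_good(void)
{ uint8_t b[256]; size_t n = build_ani(b, 1, ANIH_SIZE, 1); return ani_validate(b, n); }
enum ani_status sample_dup_anih(void)
{ uint8_t b[256]; size_t n = build_ani(b, 2, ANIH_SIZE, 0); return ani_validate(b, n); }
enum ani_status sample_bad_anih_size(void)
{ uint8_t b[256]; size_t n = build_ani(b, 1, 16, 0); return ani_validate(b, n); }
enum ani_status sample_dup_inam(void)
{ uint8_t b[256]; size_t n = build_ani(b, 1, ANIH_SIZE, 2); return ani_validate(b, n); }
enum ani_status sample_oversized_chunk(void)
{
    uint8_t b[256]; size_t n = build_ani(b, 1, ANIH_SIZE, 1);
    wr32le(b + 16, 0x7fffffffu);   /* lie about the first chunk's size */
    return ani_validate(b, n);
}

int main(void)
{
    printf("good=%d dup_anih=%d anih_size=%d dup_inam=%d oversized=%d\n",
           sample_good(), sample_dup_anih(), sample_bad_anih_size(),
           sample_dup_inam(), sample_oversized_chunk());
    return 0;
}
```

The point of rejecting the duplicate anih rather than silently overwriting the first one is that a loader typically sizes its frame and step buffers from the first header; a second header with different counts lets later chunks index past those allocations, which is the kind of memory corruption the [ Impact ] section describes.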