Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <6ae481de-39c2-c4a9-5274-59c2bcdb2dd6@gmail.com>
Date: Sat, 23 Jul 2022 19:35:42 +0700
From: Pedro Ribeiro <pedrib@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: heap buffer overflow in gdk-pixbuf

Hi,

A year ago I found and submitted a vulnerability to the gdk-pixbuf tracker:
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190

It's a heap buffer overflow using a crafted GIF, which is likely 
exploitable in 32 bit systems. Full details are in the link above in the 
bug tracker.

This was patched and the fix was merged 8 months ago as seen here:
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121

The issue is now public, but since no CVE was attributed, it probably is 
not being considered as a problem for downstream users of the package.

As of today, the latest Debian stable package is affected by this 
vulnerability. Using a GNOME file system browser and browsing to that 
folder will cause a crash, as will opening it up in a GNOME image viewer 
and even attempting to load it in Chromium (should have submitted to 
them for a bounty :D).

Hence I'd like to get a CVE to raise awareness for this issue, so that 
downstream users of the package can get patched.

Thanks and regards,
Pedro Ribeiro

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.