Debian Long Term Support / LTS Security Information / 2019 / Security Information -- DLA-2043-1 gdk-pixbuf

Debian Security Advisory

DLA-2043-1 gdk-pixbuf -- LTS security update

Date Reported:

19 Dec 2019

Affected Packages:

gdk-pixbuf

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-6352, CVE-2017-2870, CVE-2017-6312, CVE-2017-6313, CVE-2017-6314.

More information:

Several issues in gdk-pixbuf, a library to handle pixbuf, have been found.

• CVE-2016-6352

  fix for denial of service (out-of-bounds write and crash) via crafted dimensions in an ICO file

• CVE-2017-2870

  Fix for an exploitable integer overflow vulnerability in the tiff_image_parse functionality. When software is compiled with clang, A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. Debian package is compiled with gcc and is not affected, but probably some downstream is.

• CVE-2017-6312

  Fix for an integer overflow in io-ico.c that allows attackers to cause a denial of service (segmentation fault and application crash) via a crafted image

• CVE-2017-6313

  Fix for an integer underflow in the load_resources function in io-icns.c that allows attackers to cause a denial of service (out-of-bounds read and program crash) via a crafted image entry size in an ICO file

• CVE-2017-6314

  Fix for an infinite loop in the make_available_at_least function in io-tiff.c that allows attackers to cause a denial of service via a large TIFF file.

  For Debian 8 Jessie, these problems have been fixed in version 2.31.1-2+deb8u8.

  We recommend that you upgrade your gdk-pixbuf packages.

  Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS