
Advisories (MDKSA-2005:214): gdk-pixbuf


aru

Mandriva Advisories MDKSA-2005:214 : gdk-pixbuf

 

Updated gdk-pixbuf/gtk+2.0 packages fix vulnerability

November 18th, 2005

 

A heap overflow vulnerability in the GTK+ gdk-pixbuf XPM image rendering library could allow for arbitrary code execution. This allows an attacker to provide a carefully crafted XPM image which could possibly allow for arbitrary code execution in the context of the user viewing the image. (CVE-2005-3186)

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim. (CVE-2005-2976)

Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim. (CVE-2005-2975)

The gtk+2.0 library also contains the same gdk-pixbuf code with the same vulnerability.

The Corporate Server 2.1 packages have additional patches to address CAN-2004-0782,0783,0788 (additional XPM/ICO image issues), CAN-2004-0753 (BMP image issues) and CAN-2005-0891 (additional BMP issues). These were overlooked on this platform with earlier updates.

The updated packages have been patched to correct these issues.

 

 

The released versions of Mandriva GNU/Linux affected are:

  • CS2.1
  • CS3.0
  • 10.2
  • 2006.0

Full information about this advisory, including the updated packages, is available at:

wwwnew.mandriva.com/security/advisories?name=MDKSA-2005:214

 

Other references:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2975

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2976

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3186

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0782

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0783

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0788

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0753

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0891

 

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
