Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri,  2 Oct 2015 13:14:48 -0400 (EDT)
From: cve-assign@...re.org
To: gustavo.grieco@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> We found a heap overflow in the gdk-pixbuf implementation triggered by the
> scaling of gif file. These issues are only fixed in the recent release of
> gdk-pixbuf 2.32.1
> 
> fixed in 2.32.1 with this commit:
> https://git.gnome.org/browse/gdk-pixbuf/commit/?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa

Use CVE-2015-7674. Apparently the cause of the issue was that the
integer data type was incompatible with the details of how bitwise
shifts were used.

The entry in the 2.32.1 changelog is shown in:
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=044bdb059a26608fa8178e16a8505eb7ef56dfd0

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWDro8AAoJEL54rhJi8gl5Y90P/3Bn9Ju1jDuWjFyI0icQQKH+
17XiOgVKl58CZ35G28g7lp5lhvF+QbuFNenS/bZFKl4/6NN3ODs2x9pnO/horMNQ
pIY5WhJS8z50VfS2Kr6EWlWsUgiB7N/+FPn4F/1mcH+Gg+P6OupZaF/76MmxECVU
/YXo0OOgN6qkbvy+Z4l9ZL+htV3ojTU8+Q8k0JxWGTmMp8rfHKIfJ6b/J1yMzWhN
Ljjf+7F55yL/YwyICf3Ww7D2vjXesTS90EE9+kNA3w0qcaoQuooYaSdl5CIwFXtm
iIFbWDJIzRbZsmjEf6v9E9DyOt20jI2zShiBoDs697WHrcguNAJIKKTPWChkm0GV
EGh8qm2RxZnjXnAcHYX6qNcs2kWerQ9gLWmMCyZaSqq4opSDekEosM+pTUmWJyV4
cLEIEFsMeKD4+aIRckNa958LUeuEbN2TjluSJ6NsA6PTXDAefGMctoyG/aFSLOQu
qkpkreA7gm0oC96y4E6kF+ltcc3HeUmNbMGMqDNk9/sv05NeKd+YB6u/VcNeuxmF
Mi6yMNviVGmMr4wW1QvUlnA2skhTkd0Jx2IRm74Mb8IqRGxQ6EUJ6abDFDl0fKx6
IoRzKBtcLRGHLRumpMMh9Cqq88c6rMzMkNjmynr3DE5svuK/JE+2QwSQs5u1btz0
JyGSFmwiUakdpxmydN2X
=h2vy
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.