Date: Wed, 3 Aug 2011 15:21:14 +0200 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Cc: security@...me.org Subject: Re: CVE request: GIF loader buffer overflow when initializing decompression tables On Tue, 2 Aug 2011 17:34:28 +0200 Thomas Biege wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=727081 ... > This problem was corrected upstream long ago: > > http://git.gnome.org/browse/gdk-pixbuf/commit/gdk-pixbuf/io-gif.c?id=3bac204e0d0241a0d68586ece7099e6acf0e9bea I'm being told that even if this is 2001 fix, it's ok to use 2011 CVE if this was not called security before. Hence use CVE-2011-2897 if you plan to fix. > The fix can be found in all gdk-pixbuf versions embedded in gtk2 > packages, but it seems it never got it to stand-alone gdk-pixbuf > version for gtk+ 1.x. Just to clarify, the above was about RHEL gtk2 packages. For most distros, that implies they don't really need to look at their gtk2 packages if it's fixed in the oldest supported RHEL. I've not really tried to figure out if there was any upstream gtk2 version that did not have the fix though. I'm FYI CCing gnome security to reduce the amount of confusion this can possibly cause. This is follow-up on: http://www.openwall.com/lists/oss-security/2011/08/02/3 -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.