Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 3 Aug 2011 15:21:14 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: security@...me.org
Subject: Re: CVE request: GIF loader buffer overflow when
 initializing decompression tables

On Tue, 2 Aug 2011 17:34:28 +0200 Thomas Biege wrote:

> https://bugzilla.redhat.com/show_bug.cgi?id=727081

...

> This problem was corrected upstream long ago:
> 
> http://git.gnome.org/browse/gdk-pixbuf/commit/gdk-pixbuf/io-gif.c?id=3bac204e0d0241a0d68586ece7099e6acf0e9bea

I'm being told that even if this is 2001 fix, it's ok to use 2011 CVE
if this was not called security before.  Hence use CVE-2011-2897 if you
plan to fix.

> The fix can be found in all gdk-pixbuf versions embedded in gtk2
> packages, but it seems it never got it to stand-alone gdk-pixbuf
> version for gtk+ 1.x.

Just to clarify, the above was about RHEL gtk2 packages.  For most
distros, that implies they don't really need to look at their gtk2
packages if it's fixed in the oldest supported RHEL.  I've not really
tried to figure out if there was any upstream gtk2 version that did not
have the fix though.

I'm FYI CCing gnome security to reduce the amount of confusion this can
possibly cause.  This is follow-up on:

http://www.openwall.com/lists/oss-security/2011/08/02/3

-- 
Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.