Security update for gdk-pixbuf SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2393-1 Final 1 1 2017-09-08T15:16:41Z current 2017-09-08T15:16:41Z 2017-09-08T15:16:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gdk-pixbuf This update for gdk-pixbuf fixes the following issues: - CVE-2017-2862: JPEG gdk_pixbuf__jpeg_image_load_increment Code Execution Vulnerability (bsc#1048289) - CVE-2017-2870: tiff_image_parse Code Execution Vulnerability (bsc#1048544) - CVE-2017-6313: A dangerous integer underflow in io-icns.c (bsc#1027024) - CVE-2017-6314: Infinite loop in io-tiff.c (bsc#1027025) - CVE-2017-6312: Out-of-bounds read on io-ico.c (bsc#1027026) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00021.html E-Mail link for openSUSE-SU-2017:2393-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 gdk-pixbuf-2.34.0-10.1 gdk-pixbuf-devel-2.34.0-10.1 gdk-pixbuf-devel-32bit-2.34.0-10.1 gdk-pixbuf-lang-2.34.0-10.1 gdk-pixbuf-query-loaders-2.34.0-10.1 gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 libgdk_pixbuf-2_0-0-2.34.0-10.1 libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 gdk-pixbuf-2.34.0-10.1 as a component of openSUSE Leap 42.2 gdk-pixbuf-devel-2.34.0-10.1 as a component of openSUSE Leap 42.2 gdk-pixbuf-devel-32bit-2.34.0-10.1 as a component of openSUSE Leap 42.2 gdk-pixbuf-lang-2.34.0-10.1 as a component of openSUSE Leap 42.2 gdk-pixbuf-query-loaders-2.34.0-10.1 as a component of openSUSE Leap 42.2 gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 as a component of openSUSE Leap 42.2 libgdk_pixbuf-2_0-0-2.34.0-10.1 as a component of openSUSE Leap 42.2 libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 as a component of openSUSE Leap 42.2 typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 as a component of openSUSE Leap 42.2 gdk-pixbuf-2.34.0-10.1 as a component of openSUSE Leap 42.3 gdk-pixbuf-devel-2.34.0-10.1 as a component of openSUSE Leap 42.3 gdk-pixbuf-devel-32bit-2.34.0-10.1 as a component of openSUSE Leap 42.3 gdk-pixbuf-lang-2.34.0-10.1 as a component of openSUSE Leap 42.3 gdk-pixbuf-query-loaders-2.34.0-10.1 as a component of openSUSE Leap 42.3 gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 as a component of openSUSE Leap 42.3 libgdk_pixbuf-2_0-0-2.34.0-10.1 as a component of openSUSE Leap 42.3 libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 as a component of openSUSE Leap 42.3 typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 as a component of openSUSE Leap 42.3 An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability. CVE-2017-2862 openSUSE Leap 42.2:gdk-pixbuf-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-devel-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-devel-32bit-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-lang-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-query-loaders-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 openSUSE Leap 42.2:libgdk_pixbuf-2_0-0-2.34.0-10.1 openSUSE Leap 42.2:libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 openSUSE Leap 42.2:typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-devel-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-devel-32bit-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-lang-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-query-loaders-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 openSUSE Leap 42.3:libgdk_pixbuf-2_0-0-2.34.0-10.1 openSUSE Leap 42.3:libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 openSUSE Leap 42.3:typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00021.html https://www.suse.com/security/cve/CVE-2017-2862.html CVE-2017-2862 https://bugzilla.suse.com/1048289 SUSE Bug 1048289 An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability. CVE-2017-2870 openSUSE Leap 42.2:gdk-pixbuf-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-devel-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-devel-32bit-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-lang-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-query-loaders-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 openSUSE Leap 42.2:libgdk_pixbuf-2_0-0-2.34.0-10.1 openSUSE Leap 42.2:libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 openSUSE Leap 42.2:typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-devel-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-devel-32bit-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-lang-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-query-loaders-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 openSUSE Leap 42.3:libgdk_pixbuf-2_0-0-2.34.0-10.1 openSUSE Leap 42.3:libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 openSUSE Leap 42.3:typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00021.html https://www.suse.com/security/cve/CVE-2017-2870.html CVE-2017-2870 https://bugzilla.suse.com/1048289 SUSE Bug 1048289 https://bugzilla.suse.com/1048544 SUSE Bug 1048544 Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file, which triggers an out-of-bounds read, related to compiler optimizations. CVE-2017-6312 openSUSE Leap 42.2:gdk-pixbuf-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-devel-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-devel-32bit-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-lang-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-query-loaders-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 openSUSE Leap 42.2:libgdk_pixbuf-2_0-0-2.34.0-10.1 openSUSE Leap 42.2:libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 openSUSE Leap 42.2:typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-devel-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-devel-32bit-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-lang-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-query-loaders-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 openSUSE Leap 42.3:libgdk_pixbuf-2_0-0-2.34.0-10.1 openSUSE Leap 42.3:libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 openSUSE Leap 42.3:typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00021.html https://www.suse.com/security/cve/CVE-2017-6312.html CVE-2017-6312 https://bugzilla.suse.com/1027024 SUSE Bug 1027024 https://bugzilla.suse.com/1027026 SUSE Bug 1027026 Integer underflow in the load_resources function in io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (out-of-bounds read and program crash) via a crafted image entry size in an ICO file. CVE-2017-6313 openSUSE Leap 42.2:gdk-pixbuf-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-devel-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-devel-32bit-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-lang-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-query-loaders-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 openSUSE Leap 42.2:libgdk_pixbuf-2_0-0-2.34.0-10.1 openSUSE Leap 42.2:libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 openSUSE Leap 42.2:typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-devel-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-devel-32bit-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-lang-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-query-loaders-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 openSUSE Leap 42.3:libgdk_pixbuf-2_0-0-2.34.0-10.1 openSUSE Leap 42.3:libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 openSUSE Leap 42.3:typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00021.html https://www.suse.com/security/cve/CVE-2017-6313.html CVE-2017-6313 https://bugzilla.suse.com/1027024 SUSE Bug 1027024 The make_available_at_least function in io-tiff.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (infinite loop) via a large TIFF file. CVE-2017-6314 openSUSE Leap 42.2:gdk-pixbuf-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-devel-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-devel-32bit-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-lang-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-query-loaders-2.34.0-10.1 openSUSE Leap 42.2:gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 openSUSE Leap 42.2:libgdk_pixbuf-2_0-0-2.34.0-10.1 openSUSE Leap 42.2:libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 openSUSE Leap 42.2:typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-devel-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-devel-32bit-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-lang-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-query-loaders-2.34.0-10.1 openSUSE Leap 42.3:gdk-pixbuf-query-loaders-32bit-2.34.0-10.1 openSUSE Leap 42.3:libgdk_pixbuf-2_0-0-2.34.0-10.1 openSUSE Leap 42.3:libgdk_pixbuf-2_0-0-32bit-2.34.0-10.1 openSUSE Leap 42.3:typelib-1_0-GdkPixbuf-2_0-2.34.0-10.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00021.html https://www.suse.com/security/cve/CVE-2017-6314.html CVE-2017-6314 https://bugzilla.suse.com/1027024 SUSE Bug 1027024 https://bugzilla.suse.com/1027025 SUSE Bug 1027025