CLD-11 Details
Other IDs this deficiency may be known by:
Basic Information:
| Affected Package(s) |
gdk-pixbuf |
| Deficiency Type |
SECURITY |
| Date Created |
2017-09-05 17:13:35 |
| Date Last Modified |
2017-09-05 17:52:41 |
Version Specific Information:
| Cucumber 1.0 i686 | fixed in gdk-pixbuf-2.36.9-i686-1 |
| Cucumber 1.0 x86_64 | fixed in gdk-pixbuf-2.36.9-x86_64-1 and gdk-pixbuf-lib_i686-2.36.9-lib_i686-1 |
| Cucumber 1.1 i686 |
fixed in gdk-pixbuf-2.36.9-i686-1 |
| Cucumber 1.1 x86_64 |
fixed in gdk-pixbuf-2.36.9-x86_64-1 and gdk-pixbuf-lib_i686-2.36.9-lib_i686-1 |
Details:
An exploitable integer overflow vulnerability exists in the tiff_image_parse
functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted
tiff file can cause a heap-overflow resulting in remote code execution. An
attacker can send a file or a URL to trigger this vulnerability
(https://nvd.nist.gov/vuln/detail/CVE-2017-2870).
Despite the NVD entry, the Gnome developers claim that this vulnerable is
agnostic to the compiler used. NVD probably mentioned Clang because that was
the compiler used in the original report.
This is Gnome Bug 780269 (https://bugzilla.gnome.org/show_bug.cgi?id=780269),
which was fixed in gdk-pixbuf 2.36.7
(http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/2.36/gdk-pixbuf-2.36.7.news).
Original Vulnerability Report:
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0377