CLD-10 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-2862 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) gdk-pixbuf
Deficiency Type SECURITY
Date Created 2017-09-05 17:13:24
Date Last Modified 2017-09-05 17:52:35

Version Specific Information:

Cucumber 1.0 i686 fixed in gdk-pixbuf-2.36.9-i686-1
Cucumber 1.0 x86_64 fixed in gdk-pixbuf-2.36.9-x86_64-1 and gdk-pixbuf-lib_i686-2.36.9-lib_i686-1

Cucumber 1.1 i686 fixed in gdk-pixbuf-2.36.9-i686-1
Cucumber 1.1 x86_64 fixed in gdk-pixbuf-2.36.9-x86_64-1 and gdk-pixbuf-lib_i686-2.36.9-lib_i686-1

Details:

An exploitable heap overflow vulnerability exists in the
gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A
specially crafted JPEG file can cause a heap overflow resulting in remote code
execution. An attacker can send a file or URL to trigger this vulnerability
(https://nvd.nist.gov/vuln/detail/CVE-2017-2862).

This is Gnome Bug 784866 (https://bugzilla.gnome.org/show_bug.cgi?id=784866),
which has been fixed in gdk-pixbuf 2.36.7
(http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/2.36/gdk-pixbuf-2.36.7.news).
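The practical check for this deficiency is whether the installed gdk-pixbuf package is at or past the fixed build listed above. The following script is an added example, not part of the Cucumber Linux advisory or the gdk-pixbuf project: it parses Slackware-style package entries of the form NAME-VERSION-ARCH-BUILD (as found under /var/log/packages, a path assumed here) and compares the version against 2.36.9, the fixed version named in this record. The package entries used in the comments and tests are constructed from the names on this page; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the CLD-10 advisory): classify an installed
# gdk-pixbuf package entry as "fixed" or "vulnerable" for CLD-10.
# Entries look like gdk-pixbuf-2.36.9-x86_64-1 or
# gdk-pixbuf-lib_i686-2.36.9-lib_i686-1 (NAME-VERSION-ARCH-BUILD).

# Fixed version taken from the advisory's "Version Specific Information".
FIXED_VERSION="2.36.9"

# pkg_version NAME-VERSION-ARCH-BUILD -> prints VERSION
# The package NAME may itself contain dashes (gdk-pixbuf-lib_i686), so the
# trailing -ARCH-BUILD is removed first and VERSION is then the last field.
pkg_version() {
    v=$(printf '%s\n' "$1" | sed -E 's/-[^-]+-[^-]+$//')
    printf '%s\n' "${v##*-}"
}

# version_ge A B -> succeeds when A >= B in dotted-version order
# (sort -V is a GNU coreutils extension; it orders 2.36.10 after 2.36.9).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# gdk_pixbuf_status PACKAGE_ENTRY -> prints "fixed" or "vulnerable"
gdk_pixbuf_status() {
    ver=$(pkg_version "$1")
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# When run on a live Slackware-style system, report every installed
# gdk-pixbuf entry (the /var/log/packages location is an assumption).
if [ -d /var/log/packages ]; then
    for entry in /var/log/packages/gdk-pixbuf-[0-9]* \
                 /var/log/packages/gdk-pixbuf-lib_i686-[0-9]*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        printf '%s: %s\n' "$name" "$(gdk_pixbuf_status "$name")"
    done
fi
```

Both the native package and the lib_i686 compatibility package on x86_64 must be at 2.36.9 or later; a system that updated only one of them still carries the vulnerable loader in the other.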

Original Vulnerability Report:
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0366