CLD-11 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-2870 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) gdk-pixbuf
Deficiency Type SECURITY
Date Created 2017-09-05 17:13:35
Date Last Modified 2017-09-05 17:52:41

Version Specific Information:

Cucumber 1.0 i686 fixed in gdk-pixbuf-2.36.9-i686-1
Cucumber 1.0 x86_64 fixed in gdk-pixbuf-2.36.9-x86_64-1 and gdk-pixbuf-lib_i686-2.36.9-lib_i686-1

Cucumber 1.1 i686 fixed in gdk-pixbuf-2.36.9-i686-1
Cucumber 1.1 x86_64 fixed in gdk-pixbuf-2.36.9-x86_64-1 and gdk-pixbuf-lib_i686-2.36.9-lib_i686-1

Details:

An exploitable integer overflow vulnerability exists in the tiff_image_parse
functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted
tiff file can cause a heap-overflow resulting in remote code execution. An
attacker can send a file or a URL to trigger this vulnerability
(https://nvd.nist.gov/vuln/detail/CVE-2017-2870).

Despite the NVD entry, the Gnome developers claim that this vulnerability is
agnostic to the compiler used. NVD probably mentioned Clang because that was
the compiler used in the original report.

This is Gnome Bug 780269 (https://bugzilla.gnome.org/show_bug.cgi?id=780269),
which was fixed in gdk-pixbuf 2.36.7
(http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/2.36/gdk-pixbuf-2.36.7.news).

Original Vulnerability Report:
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0377