GLSA-200409-28 : GTK+ 2, gdk-pixbuf: Multiple image decoding vulnerabilities

high Nessus Plugin ID 14791

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200409-28 (GTK+ 2, gdk-pixbuf: Multiple image decoding vulnerabilities)

A vulnerability has been discovered in the BMP image preprocessor (CAN-2004-0753). Furthermore, Chris Evans found a possible integer overflow in the pixbuf_create_from_xpm() function, resulting in a heap overflow (CAN-2004-0782). He also found a potential stack-based buffer overflow in the xpm_extract_color() function (CAN-2004-0783). A possible integer overflow has also been found in the ICO decoder.
Impact :

With a specially crafted BMP image an attacker could cause an affected application to enter an infinite loop when that image is being processed.
Also, by making use of specially crafted XPM or ICO images an attacker could trigger the overflows, which potentially allows the execution of arbitrary code.
Workaround :

There is no known workaround at this time.

Solution

All GTK+ 2 users should upgrade to the latest version:
# emerge sync # emerge -pv '>=x11-libs/gtk+-2.4.9-r1' # emerge '>=x11-libs/gtk+-2.4.9-r1' All GdkPixbuf users should upgrade to the latest version:
# emerge sync # emerge -pv '>=media-libs/gdk-pixbuf-0.22.0-r3' # emerge '>=media-libs/gdk-pixbuf-0.22.0-r3'

See Also

https://bugzilla.gnome.org/show_bug.cgi?id=150601

https://security.gentoo.org/glsa/200409-28

Plugin Details

Severity: High

ID: 14791

File Name: gentoo_GLSA-200409-28.nasl

Version: 1.18

Type: local

Published: 9/22/2004

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:gtk%2b, p-cpe:/a:gentoo:linux:gdk-pixbuf, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 9/21/2004

Reference Information

CVE: CVE-2004-0753, CVE-2004-0782, CVE-2004-0783, CVE-2004-0788

GLSA: 200409-28