Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
lool at dooz.org
Mon Nov 21 07:22:49 UTC 2005
On Mon, Nov 21, 2005, Martin Schulze wrote:
> > I found the vulnerability matrix by Moritz Muehlenhoff useful:
> > Woody gtk2 Woody gdk-pixbuf Sarge gtk2 Sarge gdk-pixbuf
> > CVE-2005-2975 1170 284 1170 284
> > CVE-2005-2976 1317 413 ---- 413
> > CVE-2005-3186 1255 359 1256 359
> What's the meaning of the numbers above?
Line numbers of the problematic code, but I found it useful to find out
which version are affected (all CVEs are present in all packages, all
dists, except 2976 in sarge Gtk2).
> I had to rebuild the woody packages since you've built them for
> 'stable-security' instead of 'oldstable-security'
Yes, I awoke in my sleep when I thought about that this night.
> Could you tell us as well which versions in sid fix these problems?
Yes, I checked sid's gdk-pixbuf, and it adresses all 3 CVEs since
version 0.22.0-11. I only checked sid's gtk 2.6.10 this morning, and
it was only vulnerable to CVE-2005-3186 and CVE-2005-2975 (not to
CVE-2005-2976), like the sarge gtk, and was fixed in 2.6.10-2.
FYI, it was also fixed in experimental with a new upstream with this
This gives fixed-in versions:
Sid gtk2 Sid gdk-pixbuf
CVE-2005-2975 2.6.10-2 0.22.0-11
CVE-2005-2976 - 0.22.0-11
CVE-2005-3186 2.6.10-2 0.22.0-11
Loïc Minier <lool at dooz.org>
"What do we want? BRAINS! When do we want it? BRAINS!"
More information about the Pkg-gnome-maintainers