* [Buildroot] [PATCH 1/1] package/gdk-pixbuf: security bump to version 2.36.12
@ 2020-08-11 10:12 Fabrice Fontaine
  2020-08-12 14:45 ` Thomas Petazzoni
  2020-08-28 15:57 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2020-08-11 10:12 UTC (permalink / raw)
  To: buildroot

- Fix CVE-2017-6312: Integer overflow in io-ico.c in gdk-pixbuf allows
  context-dependent attackers to cause a denial of service (segmentation
  fault and application crash) via a crafted image entry offset in an
  ICO file, which triggers an out-of-bounds read, related to compiler
  optimizations.
- Fix CVE-2017-6313: Integer underflow in the load_resources function in
  io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a
  denial of service (out-of-bounds read and program crash) via a crafted
  image entry size in an ICO file.
- Fix CVE-2017-6314: The make_available_at_least function in io-tiff.c
  in gdk-pixbuf allows context-dependent attackers to cause a denial of
  service (infinite loop) via a large TIFF file.

Also update indentation in hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/gdk-pixbuf/gdk-pixbuf.hash | 6 +++---
 package/gdk-pixbuf/gdk-pixbuf.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/gdk-pixbuf/gdk-pixbuf.hash b/package/gdk-pixbuf/gdk-pixbuf.hash
index 9cb947f195..8fa178b55c 100644
--- a/package/gdk-pixbuf/gdk-pixbuf.hash
+++ b/package/gdk-pixbuf/gdk-pixbuf.hash
@@ -1,4 +1,4 @@
-# From http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/2.36/gdk-pixbuf-2.36.10.sha256sum
-sha256 f8f6fa896b89475c73b6e9e8d2a2b062fc359c4b4ccb8e96470d6ab5da949ace  gdk-pixbuf-2.36.10.tar.xz
+# From http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/2.36/gdk-pixbuf-2.36.12.sha256sum
+sha256  fff85cf48223ab60e3c3c8318e2087131b590fd6f1737e42cb3759a3b427a334  gdk-pixbuf-2.36.12.tar.xz
 # Locally calculated
-sha256 d245807f90032872d1438d741ed21e2490e1175dc8aa3afa5ddb6c8e529b58e5  COPYING
+sha256  d245807f90032872d1438d741ed21e2490e1175dc8aa3afa5ddb6c8e529b58e5  COPYING
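Review bot: the "# From" comment on the new upstream-hash line still cites a plain http:// URL, so the .sha256sum file it names is served without transport authentication, and the recorded value only shows that the tarball matches what that mirror handed out. If the GNOME download server is reachable over https, take the hash from there and record that URL in the comment instead. The COPYING line changes only its separator to two spaces, which the commit message mentions, so that part needs nothing further.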
diff --git a/package/gdk-pixbuf/gdk-pixbuf.mk b/package/gdk-pixbuf/gdk-pixbuf.mk
index b7937a48e9..0266e04978 100644
--- a/package/gdk-pixbuf/gdk-pixbuf.mk
+++ b/package/gdk-pixbuf/gdk-pixbuf.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 GDK_PIXBUF_VERSION_MAJOR = 2.36
-GDK_PIXBUF_VERSION = $(GDK_PIXBUF_VERSION_MAJOR).10
+GDK_PIXBUF_VERSION = $(GDK_PIXBUF_VERSION_MAJOR).12
 GDK_PIXBUF_SOURCE = gdk-pixbuf-$(GDK_PIXBUF_VERSION).tar.xz
 GDK_PIXBUF_SITE = http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/$(GDK_PIXBUF_VERSION_MAJOR)
 GDK_PIXBUF_LICENSE = LGPL-2.0+
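Review bot: the GDK_PIXBUF_VERSION line moves from .10 to .12, but the commit message does not tie the three listed CVEs to a specific upstream release; a pointer to the upstream NEWS entry or the fixing commits would let anyone backporting this confirm that 2.36.12 carries all three fixes. Separately, the unchanged GDK_PIXBUF_SITE context line still downloads over http://, so the tarball's integrity rests entirely on the sha256 entry in gdk-pixbuf.hash.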
-- 
2.27.0


* [Buildroot] [PATCH 1/1] package/gdk-pixbuf: security bump to version 2.36.12
  2020-08-11 10:12 [Buildroot] [PATCH 1/1] package/gdk-pixbuf: security bump to version 2.36.12 Fabrice Fontaine
@ 2020-08-12 14:45 ` Thomas Petazzoni
  2020-08-28 15:57 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2020-08-12 14:45 UTC (permalink / raw)
  To: buildroot

On Tue, 11 Aug 2020 12:12:13 +0200
Fabrice Fontaine via buildroot <buildroot@busybox.net> wrote:

> - Fix CVE-2017-6312: Integer overflow in io-ico.c in gdk-pixbuf allows
>   context-dependent attackers to cause a denial of service (segmentation
>   fault and application crash) via a crafted image entry offset in an
>   ICO file, which triggers an out-of-bounds read, related to compiler
>   optimizations.
> - Fix CVE-2017-6313: Integer underflow in the load_resources function in
>   io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a
>   denial of service (out-of-bounds read and program crash) via a crafted
>   image entry size in an ICO file.
> - Fix CVE-2017-6314: The make_available_at_least function in io-tiff.c
>   in gdk-pixbuf allows context-dependent attackers to cause a denial of
>   service (infinite loop) via a large TIFF file.
> 
> Also update indentation in hash file (two spaces)
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/gdk-pixbuf/gdk-pixbuf.hash | 6 +++---
>  package/gdk-pixbuf/gdk-pixbuf.mk   | 2 +-
>  2 files changed, 4 insertions(+), 4 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 1/1] package/gdk-pixbuf: security bump to version 2.36.12
  2020-08-11 10:12 [Buildroot] [PATCH 1/1] package/gdk-pixbuf: security bump to version 2.36.12 Fabrice Fontaine
  2020-08-12 14:45 ` Thomas Petazzoni
@ 2020-08-28 15:57 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2020-08-28 15:57 UTC (permalink / raw)
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine via buildroot <buildroot@busybox.net> writes:

 > - Fix CVE-2017-6312: Integer overflow in io-ico.c in gdk-pixbuf allows
 >   context-dependent attackers to cause a denial of service (segmentation
 >   fault and application crash) via a crafted image entry offset in an
 >   ICO file, which triggers an out-of-bounds read, related to compiler
 >   optimizations.
 > - Fix CVE-2017-6313: Integer underflow in the load_resources function in
 >   io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a
 >   denial of service (out-of-bounds read and program crash) via a crafted
 >   image entry size in an ICO file.
 > - Fix CVE-2017-6314: The make_available_at_least function in io-tiff.c
 >   in gdk-pixbuf allows context-dependent attackers to cause a denial of
 >   service (infinite loop) via a large TIFF file.

 > Also update indentation in hash file (two spaces)

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2020.02.x and 2020.05.x, thanks.

-- 
Bye, Peter Korsgaard

