Bug 991450 (CVE-2016-6352)

Summary: VUL-0: CVE-2016-6352: gdk-pixbuf: Out-of-bounds write in OneLine32() function
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P4 - Low CC: atoptsoglou, meissner, mgorse, security-team, smash_bz, wolfgang.frisch, zaitor
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/171374/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1027024
Whiteboard: maint:released:sle10-sp3:64101 maint:released:sle10-sp3:63413 CVSSv2:SUSE:CVE-2016-6352:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Sebastian Krahmer 2016-08-01 10:21:35 UTC
Quoting from RH BZ:

A write out-of-bounds parsing an ico file was found in gdk-pixbuf 2.30.7. A maliciously crafted file can cause the application to crash.


Comment 3 Marcus Meissner 2016-08-23 11:42:44 UTC
the code seems in all gdk-pixbuf and gtk2 versions
Comment 9 Bernhard Wiedemann 2016-08-31 18:01:11 UTC
This is an autogenerated message for OBS integration:
This bug (991450) was mentioned in
https://build.opensuse.org/request/show/424071 13.2 / gdk-pixbuf
https://build.opensuse.org/request/show/424072 42.1 / gdk-pixbuf
Comment 11 Swamp Workflow Management 2016-09-09 12:11:10 UTC
openSUSE-SU-2016:2276-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 988745,991450
CVE References: CVE-2016-6352
Sources used:
openSUSE Leap 42.1 (src):    gdk-pixbuf-2.32.3-8.1
openSUSE 13.2 (src):    gdk-pixbuf-2.32.3-9.1
Comment 12 Swamp Workflow Management 2016-10-13 19:09:19 UTC
SUSE-SU-2016:2532-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 966682,988745,991450
CVE References: CVE-2013-7447,CVE-2016-6352
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    gtk2-2.18.9-0.44.1
SUSE Linux Enterprise Server 11-SP4 (src):    gtk2-2.18.9-0.44.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gtk2-2.18.9-0.44.1
Comment 18 Swamp Workflow Management 2018-08-02 14:05:03 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-08-16.
When done, reassign the bug to security-team@suse.de.
Comment 23 Alexandros Toptsoglou 2020-06-30 09:20:00 UTC