Bugzilla – Bug 1182410
VUL-0: CVE-2021-20240: gdk-pixbuf: integer wraparound in the GIF loader
Last modified: 2022-01-13 15:45:45 UTC
CVE-2021-20240 An integer wraparound bug was found in the GIF loader of gdk-pixbuf. Given a crafted input, it will abort with a segmentation fault. Reference: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/132 References: https://bugzilla.redhat.com/show_bug.cgi?id=1926787 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20240 https://access.redhat.com/security/cve/CVE-2021-20240
The issue seems to have been introduced in version 2.39.2 in commit [1] and fixed in version 2.42 with commits [2]. Instructions for POC at the upstream issue at [3]. Tracked as affected only SLE15-SP2. Factory already ships a fixed version. [1] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4e7b5345d2fc8f0d1dee93d8ba9ab805bc95d42f [2] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e [3]https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/132
Looks like already fixed by @zcjia in https://bugzilla.suse.com/show_bug.cgi?id=1174307?
Assign back because patch already here