Bugzilla – Bug 1201826
VUL-0: CVE-2021-46829: gdk-pixbuf: Heap buffer overflow in gdk-pixbuf
Last modified: 2022-12-20 11:25:34 UTC
CVE-2021-46829

GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46829
https://seclists.org/oss-sec/2022/q3/69
https://www.openwall.com/lists/oss-security/2022/07/23/1
https://github.com/pedrib/PoC/blob/master/fuzzing/CVE-2021-46829/CVE-2021-46829.md
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46829
http://www.cvedetails.com/cve/CVE-2021-46829/
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/bca00032ad68d0b0aa2c1f7558db931e52bd9cd2
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/5398f04d772f7f8baf5265715696ed88db0f0512
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190

Affected:
- SUSE:SLE-15-SP2:Update/gdk-pixbuf 2.40.0
- SUSE:SLE-15-SP4:Update/gdk-pixbuf 2.42.6

Not affected (does not contain composite_frame):
- SUSE:SLE-11-SP2:Update/gtk2 2.18.9
- SUSE:SLE-12-SP2:Update/gtk2 2.24.31
- SUSE:SLE-15-SP2:Update/gtk2 2.24.32+67
- SUSE:SLE-15-SP4:Update/gtk2 2.24.33
- SUSE:SLE-15:Update/gtk2 2.24.32
- openSUSE:Factory/gtk2 2.24.33
- SUSE:SLE-12-SP2:Update/gdk-pixbuf 2.34.0
- SUSE:SLE-15:Update/gdk-pixbuf 2.36.11

Not affected (already contains the fix):
- openSUSE:Factory/gdk-pixbuf 2.42.8

SUSE-SU-2022:2995-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1201826
CVE References: CVE-2021-46829
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): gdk-pixbuf-2.42.8-150400.5.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): gdk-pixbuf-2.42.8-150400.5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:2996-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1201826
CVE References: CVE-2021-46829
JIRA References:
Sources used:
openSUSE Leap Micro 5.2 (src): gdk-pixbuf-2.40.0-150200.3.6.1
openSUSE Leap 15.3 (src): gdk-pixbuf-2.40.0-150200.3.6.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): gdk-pixbuf-2.40.0-150200.3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): gdk-pixbuf-2.40.0-150200.3.6.1
SUSE Linux Enterprise Micro 5.2 (src): gdk-pixbuf-2.40.0-150200.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Cleaning up GNOME CVE backlog. The fix has been submitted and accepted. Assign back to security team.
done