Package: gdk-pixbuf / 2.26.1-1+deb7u3

Metadata

Package Version Patches format
gdk-pixbuf 2.26.1-1+deb7u3 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
CVE 2015 4491.patch | (download)

gdk-pixbuf/pixops/pixops.c | 22 17 + 5 - 0 !
1 file changed, 17 insertions(+), 5 deletions(-)

 pixops: be more careful about integer overflow

Our loader code is supposed to handle out-of-memory and overflow
situations gracefully, reporting errors instead of aborting. But
if you load an image at a specific size, we also execute our
scaling code, which was not careful enough about overflow in some
places.

This commit makes the scaling code silently return if it fails to
allocate filter tables. This is the best we can do, since
gdk_pixbuf_scale() is not taking a GError.

https://bugzilla.gnome.org/show_bug.cgi?id=752297

CVE 2015 4491 2.patch | (download)

gdk-pixbuf/pixops/pixops.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch] pixops: fix oversight for cve-2015-4491

The n_x variable could be made large enough to overflow, too.

Also included are various testcases for this vulnerability:
- The original exploit (adapted for the testsuite)
- Causing overflow by making both X and Y variables large
- Causing overflow using only the X variable
- Causing overflow using only the Y variable

https://bugzilla.gnome.org/show_bug.cgi?id=752297

CVE 2015 7673/0001 pixops Fail make_weights functions on OOM.patch | (download)

gdk-pixbuf/pixops/pixops.c | 75 55 + 20 - 0 !
1 file changed, 55 insertions(+), 20 deletions(-)

 [patch] pixops: fail make_weights functions on oom

The weights could grow very large under certain circumstances, in
particular in security-relevant conditions, including the testsuite.
By allowing the weight allocation to fail, this can be worked around.

https://bugzilla.gnome.org/show_bug.cgi?id=754387

CVE 2015 7673/0002 tga Wrap TGAColormap struct in its own API.patch | (download)

gdk-pixbuf/io-tga.c | 124 82 + 42 - 0 !
1 file changed, 82 insertions(+), 42 deletions(-)

 [patch] tga: wrap tgacolormap struct in its own api

Instead of poking into it directly.

CVE 2015 7673/0003 io tga Colormaps are always present so always parse .patch | (download)

gdk-pixbuf/io-tga.c | 14 3 + 11 - 0 !
1 file changed, 3 insertions(+), 11 deletions(-)

 [patch] io-tga: colormaps are always present, so always parse them.

We might end up with a colormap with 0 entries, but whatever, it's a
colormap.

CVE 2015 7674/0001 pixops Don t overflow variables when shifting them.patch | (download)

gdk-pixbuf/pixops/pixops.c | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 [patch] pixops: don't overflow variables when shifting them

If we shift by 16 bits we need to be sure those 16 bits actually exist.
They do now.