Arch Linux Security Advisory ASA-201510-6
=========================================

Severity: Medium
Date    : 2015-10-10
CVE-ID  : CVE-2015-7673 CVE-2015-7674
Package : gdk-pixbuf2
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package gdk-pixbuf2 before version 2.32.1-1 is vulnerable to denial of
service and heap buffer overflow.

Resolution
==========

Upgrade to 2.32.1-1.

# pacman -Syu "gdk-pixbuf2>=2.32.1-1"

The problems have been fixed upstream in version 2.32.1.

Workaround
==========

None.

Description
===========

- CVE-2015-7673 (denial of service)

It has been discovered that, under certain circumstances while scaling a TGA
file, a heap memory allocation may fail. The result of the failed allocation
is used anyway, which leads to a denial of service (crash).

- CVE-2015-7674 (heap buffer overflow)

It has been discovered that, under certain circumstances while scaling a GIF
file, a heap buffer overflow can occur. The cause of this issue was that the
integer data type used was incompatible with the way bitwise shifts were
applied to it, so the shifted value could overflow.

Impact
======

A remote attacker is able to use specially crafted TGA or GIF files to
perform a denial of service attack or to take advantage of a heap buffer
overflow, possibly with other impact.

References
==========

https://access.redhat.com/security/cve/CVE-2015-7673
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7674
http://seclists.org/oss-sec/2015/q4/18
http://seclists.org/oss-sec/2015/q4/19
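The two bug classes named in the description (an integer type too narrow for the shift it is used with, and an allocation failure whose result is used anyway) are illustrated below with a toy nearest-neighbour row scaler in 16.16 fixed point. This is an added example written for this advisory, not gdk-pixbuf code; the function names, the SCALE_SHIFT constant, the pluggable allocator and the sample rows are all assumptions, and the 32-bit wrap is emulated with an explicit truncation so that the unchecked variant is deterministic rather than undefined behaviour.

```c
/* Added illustration (not gdk-pixbuf code): a hypothetical 16.16 fixed-point
 * row scaler showing (a) a shift that overflows its integer type and (b) an
 * unchecked heap allocation, each beside a hardened form. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define SCALE_SHIFT 16

/* (a) Vulnerable step computation: a 32-bit int can hold src_width << 16
 * only while src_width < 32768. Real code would do this in plain 'int'
 * (signed overflow, undefined); the cast emulates the wrap deterministically. */
int32_t fixed_step_unchecked(int32_t src_width, int32_t dst_width)
{
    int32_t fixed = (int32_t)((uint32_t)src_width << SCALE_SHIFT); /* wraps */
    return fixed / dst_width;   /* negative or tiny for wide sources */
}

/* (a) Hardened: reject widths the fixed-point format cannot represent and
 * do the arithmetic in 64 bits. Returns -1 on invalid input. */
int64_t fixed_step_checked(int32_t src_width, int32_t dst_width)
{
    if (src_width <= 0 || dst_width <= 0) return -1;
    if (src_width > (INT32_MAX >> SCALE_SHIFT)) return -1; /* max 32767 */
    return ((int64_t)src_width << SCALE_SHIFT) / dst_width;
}

/* Scale one 8-bit-per-pixel row. The source index is clamped so that even
 * a rounding error in the step can never read past the end of src. */
int scale_row_checked(const uint8_t *src, int32_t src_width,
                      uint8_t *dst, int32_t dst_width)
{
    int64_t step = fixed_step_checked(src_width, dst_width);
    if (!src || !dst || step < 0) return -1;
    for (int32_t x = 0; x < dst_width; x++) {
        int64_t sx = ((int64_t)x * step) >> SCALE_SHIFT;
        if (sx >= src_width) sx = src_width - 1;
        dst[x] = src[sx];
    }
    return 0;
}

/* (b) Allocation-failure handling. The allocator is a parameter (it must be
 * malloc-compatible, since free() is used on the result) so the failure
 * path can be exercised without actually exhausting memory. */
typedef void *(*alloc_fn)(size_t);

uint8_t *scale_row_alloc(const uint8_t *src, int32_t src_width,
                         int32_t dst_width, alloc_fn alloc)
{
    if (dst_width <= 0) return NULL;
    uint8_t *dst = alloc((size_t)dst_width);
    if (!dst) return NULL;   /* the missing check: vulnerable code would
                                fall through and write through NULL here */
    if (scale_row_checked(src, src_width, dst, dst_width) != 0) {
        free(dst);
        return NULL;
    }
    return dst;   /* caller frees */
}

/* Constructed allocator that always fails, standing in for an absurd
 * dimension read from a crafted image header. */
void *failing_alloc(size_t n)
{
    (void)n;
    return NULL;
}
```

With a source width of 40000 the unchecked step goes negative, so every source index computed from it points outside the buffer; the checked variant refuses the same input, and the allocation wrapper returns NULL instead of dereferencing the failed allocation.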