[ASA-202012-20] lib32-gdk-pixbuf2: denial of service
Morten Linderud
foxboron at archlinux.org
Thu Dec 17 19:23:48 UTC 2020
Arch Linux Security Advisory ASA-202012-20
==========================================
Severity: Medium
Date : 2020-12-09
CVE-ID : CVE-2020-29385
Package : lib32-gdk-pixbuf2
Type : denial of service
Remote : No
Link : https://security.archlinux.org/AVG-1329
Summary
=======
The package lib32-gdk-pixbuf2 before version 2.42.2-1 is vulnerable to
denial of service.
Resolution
==========
Upgrade to 2.42.2-1.
# pacman -Syu "lib32-gdk-pixbuf2>=2.42.2-1"
The problem has been fixed upstream in version 2.42.2.
Workaround
==========
None.
Description
===========
A security issue was found in gdk-pixbuf2 2.40.0 up to 2.42.0. A
malformed GIF image could lead to an endless loop in the write_indexes
function in gdk-pixbuf/lzw.c, taking full CPU resources and leading to
a denial of service.
Impact
======
An attacker might be able to cause a denial of service via a crafted
GIF image.
References
==========
https://mail.gnome.org/archives/distributor-list/2020-December/msg00000.html
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
https://gitlab.gnome.org/GNOME/gdk-pixbuf/uploads/2838c96bb111a93d845b95c53b8953e3/gif_lzw_PoC.tar.gz
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/92
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81
https://security.archlinux.org/CVE-2020-29385
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20201217/be0dd8cc/attachment.sig>
More information about the arch-security
mailing list