-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2686
                        gdk-pixbuf security update
                              26 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gdk-pixbuf
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-7674 CVE-2015-7673 

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3378

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running gdk-pixbuf check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3378-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 24, 2015                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gdk-pixbuf
CVE ID         : CVE-2015-7673 CVE-2015-7674

Several vulnerabilities have been discovered in gdk-pixbuf, a toolkit
for image loading and pixel buffer manipulation. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2015-7673

    Gustavo Grieco discovered a heap overflow in the processing of TGA
    images which may result in the execution of arbitrary code or denial
    of service (process crash) if a malformed image is opened.

CVE-2015-7674

    Gustavo Grieco discovered an integer overflow flaw in the processing
    of GIF images which may result in the execution of arbitrary code or
    denial of service (process crash) if a malformed image is opened.

For the oldstable distribution (wheezy), these problems have been fixed
in version 2.26.1-1+deb7u2.

For the stable distribution (jessie), these problems have been fixed in
version 2.31.1-2+deb8u3.

For the testing distribution (stretch), these problems have been fixed
in version 2.32.1-1 or earlier.

For the unstable distribution (sid), these problems have been fixed in
version 2.32.1-1 or earlier.

We recommend that you upgrade your gdk-pixbuf packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----