|
|
Subscribe / Log in / New account

Arch Linux alert ASA-201611-12 (lib32-gdk-pixbuf2)



From:
    	      Levente Polyak <anthraxx@archlinux.org> 


To:
    	      arch-security@archlinux.org 


Subject:
    	      [arch-security] [ASA-201611-12] lib32-gdk-pixbuf2: arbitrary code execution 


Date:
    	      Thu, 3 Nov 2016 18:29:28 +0100


Message-ID:
    	      <2c068bad-8704-0117-fee7-df8681531cbd@archlinux.org>


Arch Linux Security Advisory ASA-201611-12
==========================================

Severity: Critical
Date    : 2016-11-03
CVE-ID  : CVE-2016-6352
Package : lib32-gdk-pixbuf2
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package lib32-gdk-pixbuf2 before version 2.36.0+2+ga7c869a-1 is
vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 2.36.0+2+ga7c869a-1.

# pacman -Syu "lib32-gdk-pixbuf2>=2.36.0+2+ga7c869a-1"

The problem has been fixed upstream in version 2.35.3.

Workaround
==========

None.

Description
===========

An out-of-bounds write has been discovered in the OneLine32() function
while parsing an ico file. A maliciously crafted file can cause the
application to crash or possibly execute arbitrary code.

Impact
======

A remote attacker is able to use a specially crafted ico file that,
when loaded, is leading to arbitrary code execution.

References
==========

https://bugzilla.redhat.com/show_bug.cgi?id=1349751
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=88af50...
https://access.redhat.com/security/cve/CVE-2016-6352
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds