Arch Linux alert ASA-202012-20 (lib32-gdk-pixbuf2)
From: Morten Linderud <foxboron@archlinux.org>
To: arch-security@archlinux.org
Subject: [ASA-202012-20] lib32-gdk-pixbuf2: denial of service
Date: Thu, 17 Dec 2020 20:23:48 +0100
Message-ID: <20201217192348.5pwvbqmu7hrgratu@anathema>

Arch Linux Security Advisory ASA-202012-20
==========================================

Severity: Medium
Date    : 2020-12-09
CVE-ID  : CVE-2020-29385
Package : lib32-gdk-pixbuf2
Type    : denial of service
Remote  : No
Link    : https://security.archlinux.org/AVG-1329

Summary
=======

The package lib32-gdk-pixbuf2 before version 2.42.2-1 is vulnerable to
denial of service.

Resolution
==========

Upgrade to 2.42.2-1.

# pacman -Syu "lib32-gdk-pixbuf2>=2.42.2-1"

The problem has been fixed upstream in version 2.42.2.

Workaround
==========

None.

Description
===========

A security issue was found in gdk-pixbuf2 2.40.0 up to 2.42.0. A
malformed GIF image could lead to an endless loop in the write_indexes
function in gdk-pixbuf/lzw.c, taking full CPU resources and leading to
a denial of service.

Impact
======

An attacker might be able to cause a denial of service via a crafted
GIF image.

References
==========

https://mail.gnome.org/archives/distributor-list/2020-Dec...
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
https://gitlab.gnome.org/GNOME/gdk-pixbuf/uploads/2838c96...
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_request...
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/bdd3ac...
https://security.archlinux.org/CVE-2020-29385