[Bug 19702] CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code

bugzilla-daemon at bugzilla.ubuntu.com bugzilla-daemon at bugzilla.ubuntu.com
Thu Dec 15 17:32:27 UTC 2005 

Please do not reply to this email.  You can add comments at
http://bugzilla.ubuntu.com/show_bug.cgi?id=19702
Ubuntu | gtk+2.0





------- Additional Comments From debzilla at ubuntu.com  2005-12-15 17:32 UTC -------
Message-Id: <E1EmwGE-0001jL-EE at spohr.debian.org>
Date: Thu, 15 Dec 2005 08:47:18 -0800
From: Sebastien Bacher <seb128 at debian.org>
To: 339431-close at bugs.debian.org
Subject: Bug#339431: fixed in gtk+2.0 2.8.9-2

Source: gtk+2.0
Source-Version: 2.8.9-2

We believe that the bug you reported is fixed in the latest version of
gtk+2.0, which is due to be installed in the Debian FTP archive:

gtk+2.0_2.8.9-2.diff.gz
  to pool/main/g/gtk+2.0/gtk+2.0_2.8.9-2.diff.gz
gtk+2.0_2.8.9-2.dsc
  to pool/main/g/gtk+2.0/gtk+2.0_2.8.9-2.dsc
gtk2-engines-pixbuf_2.8.9-2_i386.deb
  to pool/main/g/gtk+2.0/gtk2-engines-pixbuf_2.8.9-2_i386.deb
gtk2.0-examples_2.8.9-2_i386.deb
  to pool/main/g/gtk+2.0/gtk2.0-examples_2.8.9-2_i386.deb
libgtk2.0-0-dbg_2.8.9-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-0-dbg_2.8.9-2_i386.deb
libgtk2.0-0_2.8.9-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-0_2.8.9-2_i386.deb
libgtk2.0-bin_2.8.9-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-bin_2.8.9-2_i386.deb
libgtk2.0-common_2.8.9-2_all.deb
  to pool/main/g/gtk+2.0/libgtk2.0-common_2.8.9-2_all.deb
libgtk2.0-dev_2.8.9-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-dev_2.8.9-2_i386.deb
libgtk2.0-doc_2.8.9-2_all.deb
  to pool/main/g/gtk+2.0/libgtk2.0-doc_2.8.9-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 339431 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Bacher <seb128 at debian.org> (supplier of updated gtk+2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 15 Dec 2005 15:13:32 +0100
Source: gtk+2.0
Binary: libgtk2.0-dev libgtk2.0-0-dbg gtk2-engines-pixbuf libgtk2.0-0 libgtk2.0-doc gtk2.0-examples libgtk2.0-bin libgtk2.0-common
Architecture: source i386 all
Version: 2.8.9-2
Distribution: unstable
Urgency: low
Maintainer: Sebastien Bacher <seb128 at debian.org>
Changed-By: Sebastien Bacher <seb128 at debian.org>
Description: 
 gtk2-engines-pixbuf - Pixbuf-based theme for GTK+ 2.x
 gtk2.0-examples - Examples files for the GTK+ 2.0
 libgtk2.0-0 - The GTK+ graphical user interface library
 libgtk2.0-0-dbg - The GTK+ libraries and debugging symbols
 libgtk2.0-bin - The programs for the GTK+ graphical user interface library
 libgtk2.0-common - Common files for the GTK+ graphical user interface library
 libgtk2.0-dev - Development files for the GTK+ library
 libgtk2.0-doc - Documentation for the GTK+ graphical user interface library
Closes: 323080 323209 323705 339431
Changes: 
 gtk+2.0 (2.8.9-2) unstable; urgency=low
 .
   * Upload to unstable
 .
 gtk+2.0 (2.8.9-1) experimental; urgency=low
 .
   * New upstream version:
     Bugs fixed:
     - File chooser filter behaves weird
     - 2.8.4 to 2.8.6: sound-juicer crash, fileselector assertions
     - On unsetting the Model, GtkTreeView does not clear
       it's associated TreeSelection
     - Crash on selecting a file of null mime-type
     - gtktoolbutton leaks a pixbuf
     - GdkEvent leaked in gtktreeview.c / gtk_tree_view_key_press
     - Typo in trap_activate_cb()
     - gtkcalendar.c: The identifier is already declared.
     - gtk_menu_attach_to_widget() does not take NULL detacher
     - Unhinted fonts are measured incorrectly and drawing
       problems occur as a result
     - unwanted scrolling in recent gtk
     - Toolbars without icons are invisible in icon-only mode
     - Search-entry in the TreeView not working properly
     - gtktoolbutton.c:562: warning: 'image' is used
       uninitialized in this function
     - reference count of textbuffer increases with each paste
     - gtk_selection_data_get_uris leaks memory
     Other changes:
     - Remove GMemChunk from public header files to
       support building against GLib 2.10
     - Report errors in option parsing
     - Merge upstream xdgmime changes to handle duplicate glob patterns
 .
 gtk+2.0 (2.8.8-1) experimental; urgency=low
 .
   * New upstream version:
     GtkFileChooser:
      - Make F2 work for renaming bookmarks
     GtkEntry:
      - Turn off input methods in password entries
     - Other fixes * Documentation improvements
     - Updated translations
 .
 gtk+2.0 (2.8.7-1) experimental; urgency=low
 .
   * New upstream version.
   * Security fixes:
     - Add check to XPM reader to prevent integer overflow for specially crafted
       number of colors (CVE-2005-3186) (Closes: #339431).
     - Fix endless loop with specially crafted number of colors (CVE-2005-2975).
   * debian/patches/001_fs_documents.patch:
     - updated.
   * debian/rules:
     - fix confusing cp usage.
 .
   [ Loic Minier ]
   * Drop xlibs-dev deps and build-deps.
     [debian/control, debian/control.in]
 .
 gtk+2.0 (2.8.3-1) experimental; urgency=low
 .
   * New upstream version:
     - Fix problems with the handling of initial settings
       for font options and cursor themes.
     - Add a --ignore-theme-index option to gtk-update-icon-cache.
 .
 gtk+2.0 (2.8.2-1) experimental; urgency=low
 .
   * New upstream version:
     - Fix a crash with custom icon themes, which affected
       the gnome-theme-manager.
     - Make sure font and cursor settings are propaged down
       to the screen initially.
   * debian/control.in:
     - require the current pango.
 .
 gtk+2.0 (2.8.1-1) experimental; urgency=low
 .
   * New upstream version:
     - gtk-update-icon-cache no longer stores copies of symlinked icons,
       and it has a --index-only option to omit image data from the cache.
     - Make large GtkSizeGroups more efficient.
     - Improve positioning of menus in GtkToolbar.
     - Make scrolling work on unrealized icon views.
     - Avoid unnecessary redraws on range widgets.
     - Make sure that all GTK+ applications reload icon themes promptly.
     - Ensure that gdk_pango_get_context() and gtk_widget_get_pango_context()
       use the same font options and dpi value.
     - Multiple memory leak fixes.
   * debian/control.in:
     - updated the libgtk2.0-dev Depends according to the changes.
   * debian/rules:
     Add --enable-explicit-deps=yes to make sure stuff like x11 gets listed as a
     Requires: in gdk(-x11)-2.0.pc, because otherwise linkage against -lX11 and
     friends doesn't get carried through.  Whether or not this is correct is
     arguable, since libgdk-x11-2.0.so.0* ends up linked against it anyway, but
     stuff like gnome-panel seems to be relying on this transience.
     Change by Daniel Stone.
 .
 gtk+2.0 (2.8.0-1) experimental; urgency=low
 .
   * New upstream version.
   * debian/control.in:
     - build with the new cairo (Closes: #323705).
     - updated the Build-Depends for xorg (Closes: #323080).
   * debian/copyright:
     - use License instead of Copyright (Closes: #323209).
   * debian/patches/001_fs_documents.patch:
     - default to Documents.
   * debian/rules:
     - updated the shlibs.
   * debian/watch:
     - updated.
 .
 gtk+2.0 (2.7.2-1) experimental; urgency=low
 .
   * New upstream version.
   * debian/control.in:
     - updated the Build-Depends.
   * debian/rules:
     - updated the shlibs.
     - use cairo.
   * debian/watch:
     - updated.
Files: 
 1168f708b3152ef02fa14c5e9e7e666d 2127 libs optional gtk+2.0_2.8.9-2.dsc
 da7344154109ae591fae0a4193259719 48698 libs optional gtk+2.0_2.8.9-2.diff.gz
 5d8775aba46b7812667d5a22100ccebd 3447862 misc optional libgtk2.0-common_2.8.9-2_all.deb
 1212947f20296d9feea1fe696c838f55 2460724 doc optional libgtk2.0-doc_2.8.9-2_all.deb
 af7362ba651f8621f61abb335678d7b7 2080400 libs optional libgtk2.0-0_2.8.9-2_i386.deb
 e51684ba22ce62e57e151a3093115768 21528 misc optional libgtk2.0-bin_2.8.9-2_i386.deb
 4afc4ca44ee5005c6cc669f648eb64fe 2260522 libdevel optional libgtk2.0-dev_2.8.9-2_i386.deb
 c5dd3fa6f667869273db4c18bdfc55ce 3638590 libdevel extra libgtk2.0-0-dbg_2.8.9-2_i386.deb
 6750ab997828faceabefbdbc674caa42 275066 x11 extra gtk2.0-examples_2.8.9-2_i386.deb
 a506ee85575a6a5d1f6265ea67833538 56048 graphics optional gtk2-engines-pixbuf_2.8.9-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDoYzVQxo87aLX0pIRAj9/AKDC/eJuPN1peJoLpVgiQ4t43G5nXgCgge3R
KQFgscNEmA4Q4yPDNmpCGPk=
=Umy5
-----END PGP SIGNATURE-----





-- 
Configure bugmail: http://bugzilla.ubuntu.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

More information about the desktop-bugs mailing list