Your message dated Tue, 16 Aug 2022 20:51:34 +0200
with message-id <[email protected]>
and subject line Re: Accepted gdk-pixbuf 2.42.9+dfsg-1 (source) into unstable
has caused the Debian Bug report #1014600,
regarding gdk-pixbuf: CVE-2021-44648
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1014600: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014600
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gdk-pixbuf
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for gdk-pixbuf.

CVE-2021-44648[0]:
| GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow
| vulnerability when decoding the lzw compressed stream of image data in
| GIF files with lzw minimum code size equals to 12.

https://sahildhar.github.io/blogpost/GdkPixbuf-Heap-Buffer-Overflow-in-lzw_decoder_new/
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/136
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/130

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-44648
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44648

Please adjust the affected versions in the BTS as needed.

--- End Message ---
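
An added triage example, not part of the bug report or of gdk-pixbuf: a Python scanner that walks a GIF's block structure and reports frames whose LZW minimum code size byte is above 11, which covers the value 12 named in the CVE description. The threshold is an assumption taken from the GIF format's 12-bit code limit, not from the upstream patch; the function names and the sample file are constructed for illustration.

```python
import struct

MAX_MIN_CODE_SIZE = 11  # LZW codes are capped at 12 bits and start at min size + 1

def _skip_sub_blocks(data, pos):
    """Walk length-prefixed sub-blocks; return the offset after the 0 terminator."""
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    raise ValueError("truncated sub-block chain")

def lzw_min_code_sizes(data):
    """Return the LZW minimum code size byte of each image frame in a GIF."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13
    if data[10] & 0x80:                        # global colour table present
        pos += 3 * (2 << (data[10] & 7))
    sizes = []
    while pos < len(data) and data[pos] != 0x3B:   # 0x3B = trailer
        if data[pos] == 0x21:                  # extension: label, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif data[pos] == 0x2C:                # image descriptor (10 bytes)
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            flags = data[pos + 9]
            pos += 10
            if flags & 0x80:                   # local colour table present
                pos += 3 * (2 << (flags & 7))
            if pos >= len(data):
                raise ValueError("missing LZW minimum code size")
            sizes.append(data[pos])
            pos = _skip_sub_blocks(data, pos + 1)
        else:
            raise ValueError(f"unexpected block type 0x{data[pos]:02x}")
    return sizes

def oversized_frames(data):
    """Frames whose minimum code size cannot be valid (greater than 11)."""
    return [(i, s) for i, s in enumerate(lzw_min_code_sizes(data))
            if s > MAX_MIN_CODE_SIZE]

def constructed_gif(min_code_size):
    """Constructed 1x1 sample with a chosen code size byte and placeholder data."""
    return (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6)
            + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
            + bytes([min_code_size]) + b"\x02\x44\x01\x00" + b"\x3b")

if __name__ == "__main__":
    for size in (2, 12):
        print(size, oversized_frames(constructed_gif(size)))
```

A file that raises ValueError here is malformed in some other way and is worth quarantining rather than passing to an unpatched decoder.
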
--- Begin Message ---
Source: gdk-pixbuf
Source-Version: 2.42.9+dfsg-1

This fixes as well CVE-2021-44648. Closing accordingly.

On Tue, Aug 16, 2022 at 12:37:30PM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Tue, 16 Aug 2022 11:20:11 +0100
> Source: gdk-pixbuf
> Architecture: source
> Version: 2.42.9+dfsg-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian GNOME Maintainers <[email protected]>
> Changed-By: Simon McVittie <[email protected]>
> Changes:
>  gdk-pixbuf (2.42.9+dfsg-1) unstable; urgency=medium
>  .
>    * New upstream release
>    * d/rules, d/control.in: Build-depend on python3-docutils for man pages.
>      We no longer need docbook DTDs or stylesheets. We still need xsltproc,
>      but only if we're building the udeb.
>    * d/watch: Update options
>    * d/changelog: Remove trailing whitespace
>    * d/copyright: Stop excluding gi-docgen, no longer in upstream tarballs
>    * d/copyright: Exclude prebuilt documentation when importing tarball
>    * debian/patches/debian_queryloader_dir.patch:
>      Format patch metadata for gbp pq
>    * d/p/tests-Tolerate-either-CORRUPT_IMAGE-or-INSUFFICIENT_MEMOR.patch:
>      Add patch to work around test failures with very large JPEG.
>      Be less demanding about the exact error behaviour, but instead just
>      require there to be an error.

--- End Message ---
