Source: gdk-pixbuf Version: 2.38.1+dfsg-1 Severity: important Tags: security upstream fixed-upstream patch X-Debbugs-Cc: Debian Security Team <t...@security.debian.org> Control: fixed -1 2.42.12+dfsg-1
gdk-pixbuf has a memory corruption vulnerability leading to at least denial of service, and possibly arbitrary code execution, when a user loads a crafted ANI file (a Windows animated cursor) into a gdk-pixbuf-based image viewer, thumbnailer, etc. A mitigation is that the gdk-pixbuf-based thumbnailer used in GNOME is sandboxed using bubblewrap. This was fixed upstream in 2.42.12 by <https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/172> (specifically the first commit "ANI: Reject files with multiple anih chunks", but applying the other two commits would be a good idea IMO). I uploaded 2.42.12 as a team upload from a "maintainer of last resort" point of view, but I seem to have become a single point of failure for too many libraries already, so I would prefer not to be the only one who ever uploads gdk-pixbuf. For stable updates, an uploader could either apply the security fixes as patches, or do a 2.42.12+dfsg-0+deb12u1. If doing the latter, beware that the new upstream release disables support for several file formats by default (including .ani but also more common formats like .bmp) which would be a disruptive change as discussed upstream in https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/169, so building with -Dothers=enabled would probably be necessary. smcv