USN-3085-1 GDK-PixBuf vulnerabilities

Severity

Medium

Vendor

Canonical Ubuntu, gdk-pixbuf

Versions Affected

• Canonical Ubuntu 14.04 LTS

Description

It was discovered that the GDK-PixBuf library did not properly handle specially crafted bmp images, leading to a heap-based buffer overflow. If a user or automated system were tricked into opening a specially crafted bmp file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7552)

It was discovered that the GDK-PixBuf library contained an integer overflow when handling certain images. If a user or automated system were tricked into opening a crafted image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8875)

Franco Costantini discovered that the GDK-PixBuf library contained an out-of-bounds write error when parsing an ico file. If a user or automated system were tricked into opening a crafted ico file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service. (CVE-2016-6352)

Affected Products and Versions

Severity is medium unless otherwise noted.

• All versions of Cloud Foundry cflinuxfs2 prior to v.1.82.0

Mitigation

Users of affected versions should apply the following mitigation:

• The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.82.0 or later versions

Credit

Franco Costantini

References

• https://www.ubuntu.com/usn/usn-3085-1/
• http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7552.html
• http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8875.html
• http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6352.html