---

Fedora Core Advisories: gdk-pixbuf, gtk2


Fedora Update Notification
FEDORA-2004-286
2004-09-15


Product : Fedora Core 1
Name : gdk-pixbuf
Version : 0.22.0
Release : 11.2.2
Summary : An image loading library used with GNOME.

Description :
The gdk-pixbuf package contains an image loading library used with
the GNOME GUI desktop environment. The GdkPixBuf library provides
image loading facilities, the rendering of a GdkPixBuf into various
formats (drawables or GdkRGB buffers), and a cache interface.


Update Information:

During testing of a previously fixed flaw in Qt (CAN-2004-0691),
a flaw was
discovered in the BMP image processor of gdk-pixbuf. An attacker
could create a carefully crafted BMP file which would cause an
application to enter an infinite loop and not respond to user input
when the file was
opened by a victim. The Common Vulnerabilities and Exposures
project (cve.mitre.org/) has
assigned the name CAN-2004-0753 to this issue.

During a security audit, Chris Evans discovered a stack and a
heap overflow
in the XPM image decoder. An attacker could create a carefully
crafted XPM
file which could cause an application linked with gtk2 to crash or
possibly
execute arbitrary code when the file was opened by a victim.
(CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image
decoder.
An attacker could create a carefully crafted ICO file which could
cause an
application linked with gtk2 to crash when the file is opened by a
victim.
(CAN-2004-0788)


  • Fri Sep 03 2004 Matthias Clasen <mclasen@redhat.com> –
    1:0.22.0-11.2.2

    • Rebuild for FC1
  • Fri Sep 03 2004 Matthias Clasen <mclasen@redhat.com> –
    1:0.22.0-11.1.3

    • Rebuild for RHEL3
  • Fri Sep 03 2004 Matthias Clasen <mclasen@redhat.com> –
    1:0.22.0-11.1.2E

    • Fix issues in the xpm and ico loaders found by Chris Evans
      (#130711)
  • Fri Aug 20 2004 Owen Taylor <otaylor@redhat.com> –
    1:0.22.0-10.0.2E

    • Fix problem with infinite loop on bad BMP data (#130455, test
      BMP from Chris Evans, fix from Manish Singh)
  • Sun Aug 15 2004 Tim Waugh <twaugh@redhat.com> 1:0.22.0-9
    • Fixed underquoted m4 definition.
  • Mon Jun 21 2004 Matthias Clasen <mclasen@redhat.com>
    • Make build
  • Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Fri Mar 05 2004 Owen Taylor <otaylor@redhat.com>
    1:0.22.0-6.0.3

    • Include /usr/lib/*.la for AS2.1
  • Fri Mar 05 2004 Owen Taylor <otaylor@redhat.com>
    1:0.22.0-6.0.2E

    • Add some additional defines to work with 2.1AS
  • Thu Mar 04 2004 Owen Taylor <otaylor@redhat.com>
    1:0.22.0-6.1.1

    • Bump and rebuild
  • Thu Mar 04 2004 Owen Taylor <otaylor@redhat.com>
    1:0.22.0-6.1.0

    • Redo package to build without libtool-1.5 patch
  • Wed Mar 03 2004 Owen Taylor <otaylor@redhat.com>
    1:0.22.0-6.0.0

    • Add a couple of bug-fixes backported from GTK+-2.x
  • Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Thu Aug 28 2003 Owen Taylor <otaylor@redhat.com> 1:0.22.0-4.0
    • Rebuild for RHEL

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

19315b68f5108834ded2239186fc1983
SRPMS/gdk-pixbuf-0.22.0-11.2.2.src.rpm
1e2e3afb3290bbb1f4bd14eec8d16f90
x86_64/gdk-pixbuf-0.22.0-11.2.2.x86_64.rpm
2e96329747230323c2f2583f3cbd4764
x86_64/gdk-pixbuf-devel-0.22.0-11.2.2.x86_64.rpm
39d0264223d1f0e29b6ddd1f0c04809a
x86_64/gdk-pixbuf-gnome-0.22.0-11.2.2.x86_64.rpm
556265762760faffa27cf09a368e9c55
x86_64/debug/gdk-pixbuf-debuginfo-0.22.0-11.2.2.x86_64.rpm
ee240507ab220388cd0b37ccdb59b63d
i386/gdk-pixbuf-0.22.0-11.2.2.i386.rpm
0f445a5b5745edf4e6de74742ea4bd46
i386/gdk-pixbuf-devel-0.22.0-11.2.2.i386.rpm
874699ea4c8ba8d5d2a9b467016ffc0a
i386/gdk-pixbuf-gnome-0.22.0-11.2.2.i386.rpm
bf148083099de37ab7332b2422d3331f
i386/debug/gdk-pixbuf-debuginfo-0.22.0-11.2.2.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.



Fedora Update Notification
FEDORA-2004-287
2004-09-15


Product : Fedora Core 2
Name : gdk-pixbuf
Version : 0.22.0
Release : 11.2.3
Summary : An image loading library used with GNOME.

Description :
The gdk-pixbuf package contains an image loading library used with
the GNOME GUI desktop environment. The GdkPixBuf library provides
image loading facilities, the rendering of a GdkPixBuf into various
formats (drawables or GdkRGB buffers), and a cache interface.


Update Information:

During testing of a previously fixed flaw in Qt (CAN-2004-0691),
a flaw was
discovered in the BMP image processor of gdk-pixbuf. An attacker
could create a carefully crafted BMP file which would cause an
application to enter an infinite loop and not respond to user input
when the file was
opened by a victim. The Common Vulnerabilities and Exposures
project (cve.mitre.org/) has
assigned the name CAN-2004-0753 to this issue.

During a security audit, Chris Evans discovered a stack and a
heap overflow
in the XPM image decoder. An attacker could create a carefully
crafted XPM
file which could cause an application linked with gtk2 to crash or
possibly
execute arbitrary code when the file was opened by a victim.
(CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image
decoder.
An attacker could create a carefully crafted ICO file which could
cause an
application linked with gtk2 to crash when the file is opened by a
victim.
(CAN-2004-0788)


  • Tue Sep 07 2004 Matthias Clasen <mclasen@redhat.com> –
    1:0.22.0-11.2.3

    • Rebuild for FC2
  • Fri Sep 03 2004 Matthias Clasen <mclasen@redhat.com> –
    1:0.22.0-11.2.2

    • Rebuild for FC1
  • Fri Sep 03 2004 Matthias Clasen <mclasen@redhat.com> –
    1:0.22.0-11.1.3

    • Rebuild for RHEL3
  • Fri Sep 03 2004 Matthias Clasen <mclasen@redhat.com> –
    1:0.22.0-11.1.2E

    • Fix issues in the xpm and ico loaders found by Chris Evans
      (#130711)
  • Fri Aug 20 2004 Owen Taylor <otaylor@redhat.com> –
    1:0.22.0-10.0.2E

    • Fix problem with infinite loop on bad BMP data (#130455, test
      BMP from Chris Evans, fix from Manish Singh)
  • Sun Aug 15 2004 Tim Waugh <twaugh@redhat.com> 1:0.22.0-9
    • Fixed underquoted m4 definition.
  • Mon Jun 21 2004 Matthias Clasen <mclasen@redhat.com>
    • Make build
  • Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Fri Mar 05 2004 Owen Taylor <otaylor@redhat.com>
    1:0.22.0-6.0.3

    • Include /usr/lib/*.la for AS2.1
  • Fri Mar 05 2004 Owen Taylor <otaylor@redhat.com>
    1:0.22.0-6.0.2E

    • Add some additional defines to work with 2.1AS
  • Thu Mar 04 2004 Owen Taylor <otaylor@redhat.com>
    1:0.22.0-6.1.1

    • Bump and rebuild
  • Thu Mar 04 2004 Owen Taylor <otaylor@redhat.com>
    1:0.22.0-6.1.0

    • Redo package to build without libtool-1.5 patch
  • Wed Mar 03 2004 Owen Taylor <otaylor@redhat.com>
    1:0.22.0-6.0.0

    • Add a couple of bug-fixes backported from GTK+-2.x

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

df423014919ec5696f889ac6f4787746
SRPMS/gdk-pixbuf-0.22.0-11.2.3.src.rpm
b0c43651dc3ce287199500dfcc2f0587
x86_64/gdk-pixbuf-0.22.0-11.2.3.x86_64.rpm
7e7fc5ed5415290c782869c4b4891cbf
x86_64/gdk-pixbuf-devel-0.22.0-11.2.3.x86_64.rpm
144f31eb04ea373b7e03c7c0478956e9
x86_64/gdk-pixbuf-gnome-0.22.0-11.2.3.x86_64.rpm
3eab7a99d72773cc58f9ae76020170d7
x86_64/debug/gdk-pixbuf-debuginfo-0.22.0-11.2.3.x86_64.rpm
7191295371d1375fa214aae40ed552ad
i386/gdk-pixbuf-0.22.0-11.2.3.i386.rpm
1312362346782b79454397d5116c3401
i386/gdk-pixbuf-devel-0.22.0-11.2.3.i386.rpm
26640728f906fbc08f11302aea0c551d
i386/gdk-pixbuf-gnome-0.22.0-11.2.3.i386.rpm
5e6d6f574976df72d29a33e19e178aaa
i386/debug/gdk-pixbuf-debuginfo-0.22.0-11.2.3.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.



Fedora Update Notification
FEDORA-2004-288
2004-09-15


Product : Fedora Core 1
Name : gtk2
Version : 2.2.4
Release : 10
Summary : The GIMP ToolKit (GTK+), a library for creating GUIs
for

X.
Description :
GTK+ is a multi-platform toolkit for creating graphical user
interfaces. Offering a complete set of widgets, GTK+ is suitable
for projects ranging from small one-off tools to complete
application suites.


Update Information:

During testing of a previously fixed flaw in Qt (CAN-2004-0691),
a flaw was
discovered in the BMP image processor of gtk2. An attacker could
create a
carefully crafted BMP file which would cause an application to
enter an infinite loop and not respond to user input when the file
was opened by a
victim. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0753 to this issue.

During a security audit Chris Evans discovered a stack and a
heap overflow
in the XPM image decoder. An attacker could create a carefully
crafted XPM
file which could cause an application linked with gtk2 to crash or
possibly
execute arbitrary code when the file was opened by a victim.
(CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image
decoder.
An attacker could create a carefully crafted ICO file which could
cause an
application linked with gtk2 to crash when the file was opened by a
victim.
(CAN-2004-0788)


  • Fri Sep 03 2004 Matthias Clasen <mclasen@redhat.com> – 2.2.4-10
    • Fix issues in the xpm and ico loaders found by Chris Evans
      (#130711)
  • Fri Aug 20 2004 Owen Taylor <otaylor@redhat.com> – 2.2.4-7.1
    • Fix problem with infinite loop on bad BMP data (#130450, test
      BMP from Chris Evans, fix from Manish Singh)

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

d4ae88a59943ed19fb84c197b3800a43 SRPMS/gtk2-2.2.4-10.src.rpm
cc87e91fff48e744beda9e0f3cbb9d22
x86_64/gtk2-2.2.4-10.x86_64.rpm
eb595b4bd917e25abf6e7730bedcf5e0
x86_64/gtk2-devel-2.2.4-10.x86_64.rpm
85d64ebbf05e414c69d05195fc213704
x86_64/debug/gtk2-debuginfo-2.2.4-10.x86_64.rpm
04c0745cf4dde875344ed93ab38dae8a x86_64/gtk2-2.2.4-10.i386.rpm
04c0745cf4dde875344ed93ab38dae8a i386/gtk2-2.2.4-10.i386.rpm
d66eac1eb88431474a089dee707eb0fc
i386/gtk2-devel-2.2.4-10.i386.rpm
3d7cf237b8c83d0de2cc74c3c4060567
i386/debug/gtk2-debuginfo-2.2.4-10.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.



Fedora Update Notification
FEDORA-2004-289
2004-09-15


Product : Fedora Core 2
Name : gtk2
Version : 2.4.7
Release : 2.4
Summary : The GIMP ToolKit (GTK+), a library for creating GUIs
for

X.
Description :
GTK+ is a multi-platform toolkit for creating graphical user
interfaces. Offering a complete set of widgets, GTK+ is suitable
for projects ranging from small one-off tools to complete
application suites.


Update Information:

During testing of a previously fixed flaw in Qt (CAN-2004-0691),
a flaw was
discovered in the BMP image processor of gtk2. An attacker could
create a
carefully crafted BMP file which would cause an application to
enter an infinite loop and not respond to user input when the file
was opened by a
victim. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0753 to this issue.

During a security audit Chris Evans discovered a stack and a
heap overflow
in the XPM image decoder. An attacker could create a carefully
crafted XPM
file which could cause an application linked with gtk2 to crash or
possibly
execute arbitrary code when the file was opened by a victim.
(CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image
decoder.
An attacker could create a carefully crafted ICO file which could
cause an
application linked with gtk2 to crash when the file was opened by a
victim.
(CAN-2004-0788)


  • Tue Sep 07 2004 Matthias Clasen <mclasen@redhat.com> – 2.4.7-2.4
    • Fix issues in the xpm and ico loaders found by Chris Evans
      (#130711)
  • Fri Aug 20 2004 Owen Taylor <otaylor@redhat.com> – 2.4.7-2.2
    • Fix problem with infinite loop on bad BMP data (#130450, test
      BMP from Chris Evans, fix from Manish Singh)
  • Sat Aug 14 2004 Matthias Clasen <mclasen@redhat.com> 2.4.7-1
    • update to 2.4.7
  • Fri Aug 13 2004 Matthias Clasen <mclasen@redhat.com> 2.4.6-1
    • update to 2.4.6
    • call libtoolize –force to win .so’s back…
  • Fri Jul 30 2004 Jonathan Blandford <jrb@redhat.com> 2.4.4-4
    • add typeahead patch to GtkTreeView
    • automake-1.9
  • Tue Jul 27 2004 Matthias Clasen <mclasen@redhat.com> – 2.4.4-3
    • Use -64 suffix on powerpc64. (#128605)
  • Fri Jul 16 2004 Matthias Clasen <mclasen@redhat.com> – 2.4.4-2
    • Fix permissions of gdk-pixbuf-csource script.
    • Escape macros in %changelog
  • Fri Jul 09 2004 Matthias Clasen <mclasen@redhat.com> – 2.4.4-1
    • Update to 2.4.4
  • Thu Jul 08 2004 Matthias Clasen <mclasen@redhat.com> – 2.4.1-5
    • Look for the gtk.immodules file in the right location.
      (#127073)
  • Thu Jul 08 2004 Matthias Clasen <mclasen@redhat.com> – 2.4.1-4
    • Add a wrapper for gdk-pixbuf-csource.
  • Wed Jun 23 2004 Matthias Clasen <mclasen@redhat.com> – 2.4.1-3
    • Don’t install testgtk and testtext
    • Rename binaries to -32/-64 (#124478)
    • Move arch-dependent config files to /etc/gtk-2.0/$host
      (#124482)
    • Add wrappers for updating the arch-dependent config files
  • Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Thu May 20 2004 Matthias Clasen <mclasen@redhat.com> – 2.4.1-1
    • Upgrade to 2.4.1

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

75a86a6d678f76a2f6238a992463005f
SRPMS/gtk2-2.4.7-2.4.src.rpm
f6923be90c1621e83a19df610213ff12
x86_64/gtk2-2.4.7-2.4.x86_64.rpm
e46b3ea2a153749dcf6d5cdf38603ea6
x86_64/gtk2-devel-2.4.7-2.4.x86_64.rpm
81f2cf32b341d60fa766e638624a201c
x86_64/debug/gtk2-debuginfo-2.4.7-2.4.x86_64.rpm
b659bb38815921f415c45790d2c4b1c6 x86_64/gtk2-2.4.7-2.4.i386.rpm
b659bb38815921f415c45790d2c4b1c6 i386/gtk2-2.4.7-2.4.i386.rpm
9d38f480c8ccb6857fc6cbdb322ac073
i386/gtk2-devel-2.4.7-2.4.i386.rpm
5099d6ef8357b99e90e9fa2fd9c28695
i386/debug/gtk2-debuginfo-2.4.7-2.4.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.


Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis