On Fri, Jun 14, 2024 at 5:18 PM Salvatore Bonaccorso <car...@debian.org> wrote:
>
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: gdk-pix...@packages.debian.org, Simon McVittie <s...@debian.org>, car...@debian.org
> Control: affects -1 + src:gdk-pixbuf
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> Hi stable release managers, CC'ing Simon,
>
> [ Reason ]
> gdk-pixbuf is affected by CVE-2022-48622, a memory corruption via
> crafted .ani files, cf. #1071265.
>
> [ Impact ]
> At least denial of service, but potentially arbitrary code execution
> as well. But we have classified it as no-dsa and it does not warrant a
> DSA on its own.
>
> [ Tests ]
> Manual test against the PoC in the upstream issue
> https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202 .
>
> [ Risks ]
> Isolated changes, and the fix has been exposed in sid and trixie.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> Three commits cherry-picked from upstream:
>
> * ANI: Reject files with multiple anih chunks (CVE-2022-48622)
> (Closes: #1071265)
> * ANI: Reject files with multiple INAM or IART chunks
> * ANI: Validate anih chunk size
>
> The two other commits are not for CVE-2022-48622 but additional
> hardening and fixing changes related to the ANI code.
>
> Simon, ideally we should also do the fixup in bullseye, but I have
> not looked at that version yet.

Salvatore,

I pushed commits a few days ago to the debian/bookworm and debian/bullseye branches of https://salsa.debian.org/gnome-team/gdk-pixbuf, based directly on similar work that had been done by Ubuntu Security, but I hadn't made time to do further testing and reach out to Debian Security.

Do you want to use those versions or the version you have prepared now?

Thank you,
Jeremy Bícha
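The three cherry-picked commits listed in the request above amount to three validation rules on the RIFF chunk stream of an .ani file: at most one anih header, at most one INAM and one IART chunk, and a size check on the anih payload. The following is an added, stand-alone C example written for this thread, not gdk-pixbuf's own io-ani.c or the upstream patches, showing how a chunk walker enforces those rules together with the basic bounds check that every length field needs. It assumes the fixed 36-byte anih header size from the ANI format (a constant not stated in the thread), and the sample files it validates are constructed in memory; all function and enum names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the ANI header chunk ("anih") is a fixed 36-byte struct per the ANI format. */
#define ANIH_SIZE 36u

enum ani_status {
    ANI_OK = 0,
    ANI_ERR_NOT_ANI,       ANI_ERR_TRUNCATED,     /* bad signature; a size field runs past EOF */
    ANI_ERR_DUP_ANIH,      ANI_ERR_BAD_ANIH_SIZE, /* second anih (CVE-2022-48622); wrong anih size */
    ANI_ERR_DUP_INAM,      ANI_ERR_DUP_IART,      /* second INAM / IART metadata chunk */
    ANI_ERR_NO_ANIH                               /* no header at all */
};

struct ani_state { int anih, inam, iart; };       /* chunks seen so far */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the RIFF chunks in p[0..len), descending into LIST chunks, applying the three rules. */
static enum ani_status walk_chunks(const uint8_t *p, size_t len, struct ani_state *st) {
    size_t off = 0;
    while (off < len) {
        if (len - off < 8) return ANI_ERR_TRUNCATED;          /* need id + size */
        const uint8_t *id = p + off;
        uint32_t size = rd32le(p + off + 4);
        off += 8;
        if (size > len - off) return ANI_ERR_TRUNCATED;       /* never trust the size field */
        if (memcmp(id, "anih", 4) == 0) {
            if (st->anih++) return ANI_ERR_DUP_ANIH;          /* only one header allowed */
            if (size != ANIH_SIZE) return ANI_ERR_BAD_ANIH_SIZE;
        } else if (memcmp(id, "INAM", 4) == 0) {
            if (st->inam++) return ANI_ERR_DUP_INAM;
        } else if (memcmp(id, "IART", 4) == 0) {
            if (st->iart++) return ANI_ERR_DUP_IART;
        } else if (memcmp(id, "LIST", 4) == 0) {
            if (size < 4) return ANI_ERR_TRUNCATED;           /* LIST starts with a 4-byte type */
            enum ani_status r = walk_chunks(p + off + 4, size - 4, st);
            if (r != ANI_OK) return r;
        }
        off += (size_t)size + (size & 1u);                    /* RIFF pads odd sizes to even */
    }
    return ANI_OK;
}

/* Validate a whole in-memory .ani file. */
enum ani_status ani_validate(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_ERR_NOT_ANI;
    uint32_t riff_size = rd32le(buf + 4);                     /* counts "ACON" + all chunks */
    if (riff_size < 4 || riff_size - 4 > len - 12) return ANI_ERR_TRUNCATED;
    struct ani_state st = {0, 0, 0};
    enum ani_status r = walk_chunks(buf + 12, riff_size - 4, &st);
    return r != ANI_OK ? r : (st.anih ? ANI_OK : ANI_ERR_NO_ANIH);
}

/* ---- constructed sample files (built in memory for this example, not real captures) ---- */
enum sample { SAMPLE_GOOD, SAMPLE_DUP_ANIH, SAMPLE_SHORT_ANIH, SAMPLE_DUP_INAM, SAMPLE_OVERSIZED };

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Append one chunk at buf[off]; returns the offset after it, pad byte included. */
static size_t put_chunk(uint8_t *buf, size_t off, const char *id, const uint8_t *data, uint32_t size) {
    memcpy(buf + off, id, 4);
    wr32le(buf + off + 4, size);
    if (size) memcpy(buf + off + 8, data, size);
    return off + 8 + size + (size & 1u);
}

static size_t build_sample(enum sample which, uint8_t buf[256]) {
    static const uint8_t anih[ANIH_SIZE] = { ANIH_SIZE };    /* cbSize field set, rest zero */
    static const uint8_t name[] = "demo";                     /* 5 bytes incl. NUL: gets a pad byte */
    uint8_t info[64] = {0};
    memset(buf, 0, 256);
    size_t off = 12;                                          /* RIFF header is filled in last */
    off = put_chunk(buf, off, "anih", anih, which == SAMPLE_SHORT_ANIH ? 8u : ANIH_SIZE);
    if (which == SAMPLE_DUP_ANIH) off = put_chunk(buf, off, "anih", anih, ANIH_SIZE);
    memcpy(info, "INFO", 4);                                  /* LIST type, then INAM chunk(s) */
    size_t ilen = put_chunk(info, 4, "INAM", name, (uint32_t)sizeof name);
    if (which == SAMPLE_DUP_INAM) ilen = put_chunk(info, ilen, "INAM", name, (uint32_t)sizeof name);
    off = put_chunk(buf, off, "LIST", info, (uint32_t)ilen);
    /* Oversized variant: a trailing chunk header whose size field points far past the end. */
    if (which == SAMPLE_OVERSIZED) { off = put_chunk(buf, off, "seq ", NULL, 0); wr32le(buf + off - 4, 0x1000); }
    memcpy(buf, "RIFF", 4); wr32le(buf + 4, (uint32_t)(off - 8)); memcpy(buf + 8, "ACON", 4);
    return off;
}

enum ani_status ani_check_sample(enum sample which) {
    uint8_t buf[256];
    return ani_validate(buf, build_sample(which, buf));
}

int main(void) {
    static const char *names[] = { "good", "dup-anih", "short-anih", "dup-inam", "oversized" };
    for (int i = SAMPLE_GOOD; i <= SAMPLE_OVERSIZED; i++)
        printf("%-10s -> status %d\n", names[i], ani_check_sample((enum sample)i));
    return 0;
}
```

The bounds check before any use of a chunk's size field is what keeps the duplicate-header rule from being the only thing standing between a crafted file and an out-of-bounds access; the duplicate checks then close the state-confusion path the CVE describes, where a second header can re-initialise fields that earlier chunks were already sized against.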