USN-2767-1 GDK-Pixbuf library vulnerability


Severity

Medium

Vendor

GDK Pixbuf

Versions Affected
  • Ubuntu 14.04
Description

Gustavo Grieco discovered that the GDK-PixBuf library did not properly handle scaling tga image files, leading to a heap overflow. If a user or automated system were tricked into opening a tga image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7673)

Gustavo Grieco discovered that the GDK-PixBuf library contained an integer overflow when handling certain GIF images. If a user or automated system were tricked into opening a GIF image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7674)

The Cloud Foundry project released a cflinuxfs2 rootfs stack that has the patched version of OpenSSH.

Pivotal is releasing an updated version of Pivotal Cloud Foundry Suite which references this patched BOSH stemcell and patched rootfs stack.

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • All versions of Cloud Foundry cflinuxfs2 prior to 1.11.0 have versions of the library vulnerable to USN-2767-1.
  • Pivotal Cloud Foundry Elastic Runtime pre-1.5.7 versions and version 1.6.0 are vulnerable.
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.11.0 or later versions.
  • Pivotal recommends that customers upgrade to the 1.5.7 or later 1.5.x versions or the 1.6.1 or later 1.6.x versions of Pivotal Cloud Foundry Elastic Runtime
Credit

Gustavo Grieco

References