USN-3085-1 GDK-PixBuf vulnerabilities


Severity

Medium

Vendor

Canonical Ubuntu, gdk-pixbuf

Versions Affected
  • Canonical Ubuntu 14.04 LTS
Description

It was discovered that the GDK-PixBuf library did not properly handle specially crafted bmp images, leading to a heap-based buffer overflow. If a user or automated system were tricked into opening a specially crafted bmp file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7552)

It was discovered that the GDK-PixBuf library contained an integer overflow when handling certain images. If a user or automated system were tricked into opening a crafted image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8875)

Franco Costantini discovered that the GDK-PixBuf library contained an out-of-bounds write error when parsing an ico file. If a user or automated system were tricked into opening a crafted ico file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service. (CVE-2016-6352)

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • All versions of Cloud Foundry cflinuxfs2 prior to v.1.82.0
  • PCF Elastic Runtime versions prior to 1.6.41 and 1.7.x versions prior to 1.7.23 and 1.8.x versions prior to 1.8.3
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.82.0 or later versions
  • Upgrade PCF Elastic Runtime to 1.6.41 or 1.7.x versions to 1.7.23 or 1.8.x versions to 1.8.3
Credit

Franco Costantini

References