CVE-2017-2862

NameCVE-2017-2862
DescriptionAn exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1100-1, DSA-3978-1
NVD severitymedium (attack range: remote)
Debian Bugs874552

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gdk-pixbuf (PTS)wheezy2.26.1-1+deb7u3vulnerable
wheezy (security)2.26.1-1+deb7u6fixed
jessie2.31.1-2+deb8u5vulnerable
jessie (security)2.31.1-2+deb8u6fixed
stretch (security), stretch2.36.5-2+deb9u1fixed
buster, sid2.36.11-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gdk-pixbufsource(unstable)2.36.10-1medium874552
gdk-pixbufsourcejessie2.31.1-2+deb8u6mediumDSA-3978-1
gdk-pixbufsourcestretch2.36.5-2+deb9u1mediumDSA-3978-1
gdk-pixbufsourcewheezy2.26.1-1+deb7u6mediumDLA-1100-1

Notes

https://git.gnome.org/browse/gdk-pixbuf/commit/?id=c2a40a92fe3df4111ed9da51fe3368c079b86926
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6dd89e126a277460faafc1f679db44ccf78446fb
https://bugzilla.gnome.org/show_bug.cgi?id=784866
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0366

Search for package or bug name: Reporting problems