CVE-2017-2862

Name: CVE-2017-2862
Description: An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1100-1, DSA-3978-1
NVD severity: medium
Debian Bugs: 874552

Vulnerable and fixed packages

The table below lists information on source packages.

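| Source Package | Release | Version | Status |
|---|---|---|---|
| gdk-pixbuf (PTS) | stretch (security), stretch | 2.36.5-2+deb9u2 | fixed |
| gdk-pixbuf | buster | 2.38.1+dfsg-1 | fixed |
| gdk-pixbuf | bullseye | 2.42.2+dfsg-1 | fixed |
| gdk-pixbuf | bookworm, sid | 2.42.6+dfsg-2 | fixed |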

The information below is based on the following data on fixed versions.

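| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gdk-pixbuf | source | wheezy | 2.26.1-1+deb7u6 | | DLA-1100-1 | |
| gdk-pixbuf | source | jessie | 2.31.1-2+deb8u6 | | DSA-3978-1 | |
| gdk-pixbuf | source | stretch | 2.36.5-2+deb9u1 | | DSA-3978-1 | |
| gdk-pixbuf | source | (unstable) | 2.36.10-1 | | | 874552 |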

Notes

https://git.gnome.org/browse/gdk-pixbuf/commit/?id=c2a40a92fe3df4111ed9da51fe3368c079b86926
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6dd89e126a277460faafc1f679db44ccf78446fb
https://bugzilla.gnome.org/show_bug.cgi?id=784866
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0366
