CVE-2021-20240

NameCVE-2021-20240
DescriptionA flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to crash or could potentially execute code on the victim system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gdk-pixbuf (PTS)stretch (security), stretch2.36.5-2+deb9u2fixed
buster2.38.1+dfsg-1fixed
bullseye, sid2.42.2+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gdk-pixbufsourcestretch(not affected)
gdk-pixbufsourcebuster(not affected)
gdk-pixbufsource(unstable)2.42.2+dfsg-1

Notes

[buster] - gdk-pixbuf <not-affected> (Vulnerable code introduced later)
[stretch] - gdk-pixbuf <not-affected> (Vulnerable code added later)
https://bugzilla.redhat.com/show_bug.cgi?id=1926787
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/132
Vulnerable code introduced in https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4e7b5345d2fc8f0d1dee93d8ba9ab805bc95d42f (2.39.2)
Fixed by: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e (2.42.0)

Search for package or bug name: Reporting problems