Headline
RHSA-2023:2216: Red Hat Security Advisory: gdk-pixbuf2 security update
An update for gdk-pixbuf2 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-44648: A flaw was found in gdk-pixbuf. The vulnerability occurs due to the index overwriting in the lzw_decoder_new function, leading to a heap buffer overflow. This flaw allows an attacker to input a specially crafted GIF file, leading to a crash or code execution.
- CVE-2021-46829: A heap-based buffer overflow vulnerability was found in GNOME GdkPixbuf (aka GDK-PixBuf) when compositing or clearing frames in GIF files. The vulnerability exists due to a boundary error when processing GIF images. This flaw allows an attacker to create a specially crafted GIF image, trick the victim into opening it, triggering an out-of-bounds write, which allows executing arbitrary code on the target system or causing a potential crash.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2023-05-09
Updated:
2023-05-09
RHSA-2023:2216 - Security Advisory
- Overview
- Updated Packages
Synopsis
Moderate: gdk-pixbuf2 security update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for gdk-pixbuf2 is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The gdk-pixbuf2 packages provide an image loading library that can be extended by loadable modules for new image formats. It is used by toolkits such as GTK+ or clutter.
Security Fix(es):
- gdk-pixbuf: heap-buffer overflow when decoding the lzw compressed stream of image data (CVE-2021-44648)
- gdk-pixbuf: heap-based buffer overflow when compositing or clearing frames in GIF files (CVE-2021-46829)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2043722 - CVE-2021-44648 gdk-pixbuf: heap-buffer overflow when decoding the lzw compressed stream of image data
- BZ - 2114940 - CVE-2021-46829 gdk-pixbuf: heap-based buffer overflow when compositing or clearing frames in GIF files
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index
Red Hat Enterprise Linux for x86_64 9
SRPM
gdk-pixbuf2-2.42.6-3.el9.src.rpm
SHA-256: b2d1507f5dddcd2220fe03c5747b2789bbf4f62e8c487d1f1542c733b2d1930c
x86_64
gdk-pixbuf2-2.42.6-3.el9.i686.rpm
SHA-256: 4f565113067561e5112fd5e40b7e012f53a8ba4072d7c0f07e1009f4e8b5d72b
gdk-pixbuf2-2.42.6-3.el9.x86_64.rpm
SHA-256: d2cdfd0beb1b3a428f6816d88e20cab265b11f204658845a9f8be0d5710033f0
gdk-pixbuf2-debuginfo-2.42.6-3.el9.i686.rpm
SHA-256: 868444da334ed05973d1287a9707196ab72081e9102ac539f97ba51c82b9b785
gdk-pixbuf2-debuginfo-2.42.6-3.el9.x86_64.rpm
SHA-256: 35c2951761e783e92ea2bd69ad09d1711cbeab03308de119ce70275949c0565f
gdk-pixbuf2-debugsource-2.42.6-3.el9.i686.rpm
SHA-256: ee3a61f98ec28ebd34642478a563ec6d641d28224aba7b720a13387bb2015118
gdk-pixbuf2-debugsource-2.42.6-3.el9.x86_64.rpm
SHA-256: e506b10faf7e7f4d25dd11db851a08f3fb6ab41ae1ec29cf4198e01f6519f27b
gdk-pixbuf2-devel-2.42.6-3.el9.i686.rpm
SHA-256: f732a531b8a322cf518ff64815747360da8c22833121ae86dea795b9d3d5ee5a
gdk-pixbuf2-devel-2.42.6-3.el9.x86_64.rpm
SHA-256: 1d51d134724ec0d02c48d9b9382846236bde5c1890deac78b7fea1c0df74b7f6
gdk-pixbuf2-devel-debuginfo-2.42.6-3.el9.i686.rpm
SHA-256: 23910f9d9096a277c25eb3f68c14555c97fac1d3ed0d7076fb6b0358aa2d0761
gdk-pixbuf2-devel-debuginfo-2.42.6-3.el9.x86_64.rpm
SHA-256: c3014bb427414714cc24ffc6b38eddf520ccf9c89740c08a9eb324520f8c9ca6
gdk-pixbuf2-modules-2.42.6-3.el9.i686.rpm
SHA-256: e88dff1664ec71f15fe3148d0c60f5eb83dd5c5aa4e220e8ce9ea376a442e566
gdk-pixbuf2-modules-2.42.6-3.el9.x86_64.rpm
SHA-256: f76942f8fc004ee56dc53ac9c7b37a618de31bbe0d3a13d5c93a1fd49e1457b3
gdk-pixbuf2-modules-debuginfo-2.42.6-3.el9.i686.rpm
SHA-256: f98726e10c006dacf3de8a4d306d38df305c6d4d25bad9b3b06660465f0f219c
gdk-pixbuf2-modules-debuginfo-2.42.6-3.el9.x86_64.rpm
SHA-256: b2e0d51753a26d4a0ad0a0527a23430d57c045dfd180715a5befb509ab162716
gdk-pixbuf2-tests-debuginfo-2.42.6-3.el9.i686.rpm
SHA-256: 73cdd9203a38aa3f270d4f6c1ae65c7291db6eb821327dd8420d60d45d713fc8
gdk-pixbuf2-tests-debuginfo-2.42.6-3.el9.x86_64.rpm
SHA-256: b203a09accc1e5adc28f99bf4a892bd5027c3bfde476c2f8ad4d00266f235fa7
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
gdk-pixbuf2-2.42.6-3.el9.src.rpm
SHA-256: b2d1507f5dddcd2220fe03c5747b2789bbf4f62e8c487d1f1542c733b2d1930c
s390x
gdk-pixbuf2-2.42.6-3.el9.s390x.rpm
SHA-256: a57df45cd88dd98334a6873beea7b81d31e0aba880842fe1dd94e7b03760f32e
gdk-pixbuf2-debuginfo-2.42.6-3.el9.s390x.rpm
SHA-256: 3a8ef950a78fd9ccec90c8334ee137c6c5fc0d470941e2d946d15873af111ab9
gdk-pixbuf2-debugsource-2.42.6-3.el9.s390x.rpm
SHA-256: af66db72d5269b3bbd79655ed08ec8d53c92311f03d6b795e0d86d17b6dfbb60
gdk-pixbuf2-devel-2.42.6-3.el9.s390x.rpm
SHA-256: 95485696dd19cdfaa5a271684ee844d9eab6f0cdb5e657302738dc1a25172bb4
gdk-pixbuf2-devel-debuginfo-2.42.6-3.el9.s390x.rpm
SHA-256: 2c30117c74fa33a698bf0696168172343f6138f2b263eb38c98ea25ca74b03b9
gdk-pixbuf2-modules-2.42.6-3.el9.s390x.rpm
SHA-256: 570bd5a54787e850e1a455f3fdf230c73031424d1bb3f49157dff2de9c9b5f69
gdk-pixbuf2-modules-debuginfo-2.42.6-3.el9.s390x.rpm
SHA-256: 9ab5bc4d2e493d3183c4ea504404d5ce3f08378e074951917a67ea1d19a676c5
gdk-pixbuf2-tests-debuginfo-2.42.6-3.el9.s390x.rpm
SHA-256: 78bf2255619cbee3932e539ac33315954ecf35ff32de7d5215427315f16fd49e
Red Hat Enterprise Linux for Power, little endian 9
SRPM
gdk-pixbuf2-2.42.6-3.el9.src.rpm
SHA-256: b2d1507f5dddcd2220fe03c5747b2789bbf4f62e8c487d1f1542c733b2d1930c
ppc64le
gdk-pixbuf2-2.42.6-3.el9.ppc64le.rpm
SHA-256: 017ec336df39d20d2fa0f96ba55a5114185a85c4f3936580f4e8526839e52cb2
gdk-pixbuf2-debuginfo-2.42.6-3.el9.ppc64le.rpm
SHA-256: 18aea7496cdfb8f8c664c01a4f9bf4657d989e41526062ef4aab053d75e77403
gdk-pixbuf2-debugsource-2.42.6-3.el9.ppc64le.rpm
SHA-256: 18f40ea851d02d6c8386fd03dd310561e8f59cc6443700b539f477110985f22f
gdk-pixbuf2-devel-2.42.6-3.el9.ppc64le.rpm
SHA-256: 24e30a83e74b171900b7b686a43ee6b0ee079d16e9f5b893b5b6a029befbfeaa
gdk-pixbuf2-devel-debuginfo-2.42.6-3.el9.ppc64le.rpm
SHA-256: 6c40ab318688f6032e32f458c1fe30322b37e50c78852260b8b53084d8f4148e
gdk-pixbuf2-modules-2.42.6-3.el9.ppc64le.rpm
SHA-256: 9bc2441856a5b3fd950eaadb8b8ac2ebd9cb3838d9f4340f4d030e00468e8670
gdk-pixbuf2-modules-debuginfo-2.42.6-3.el9.ppc64le.rpm
SHA-256: 0c93d0cfff11fb78b033f3f08c6cacbf6158643040ee5b311941a1bf7366db69
gdk-pixbuf2-tests-debuginfo-2.42.6-3.el9.ppc64le.rpm
SHA-256: 2e5f20769ebef0fbd143c7522becc1521cf4718bf3dfe01ea0d4c322859e305c
Red Hat Enterprise Linux for ARM 64 9
SRPM
gdk-pixbuf2-2.42.6-3.el9.src.rpm
SHA-256: b2d1507f5dddcd2220fe03c5747b2789bbf4f62e8c487d1f1542c733b2d1930c
aarch64
gdk-pixbuf2-2.42.6-3.el9.aarch64.rpm
SHA-256: a381459427ac1c9fb8b1b6727a9db6ab7712a320e248a87567553dca09901e2e
gdk-pixbuf2-debuginfo-2.42.6-3.el9.aarch64.rpm
SHA-256: 6de2dec28d696a0640603c0333a59f7b6ed5c7ca8e8d3fd2c71e3a04067a4952
gdk-pixbuf2-debugsource-2.42.6-3.el9.aarch64.rpm
SHA-256: 9955a5abd021ec14f74ad2df785efb3e57200e5fbb7d95479ab7c5f5fe2c5ff2
gdk-pixbuf2-devel-2.42.6-3.el9.aarch64.rpm
SHA-256: a08993f4c2801c65629d039d6d8dc333ae819c9e9f2f2a424a46b65f77fd2806
gdk-pixbuf2-devel-debuginfo-2.42.6-3.el9.aarch64.rpm
SHA-256: 827cc32bbdb02db60e95d7f959db2d80f566dcea2e69a651acf7a124d9db5833
gdk-pixbuf2-modules-2.42.6-3.el9.aarch64.rpm
SHA-256: ed3fc5f61609492a6332d4c01059369bc7017eb5f8c5ca41851a326cb97f3c97
gdk-pixbuf2-modules-debuginfo-2.42.6-3.el9.aarch64.rpm
SHA-256: dfcf54927133319470aafc0180be672b7b70321cad40210b500d76a8a00d10e8
gdk-pixbuf2-tests-debuginfo-2.42.6-3.el9.aarch64.rpm
SHA-256: bf5a2bc2acf35acebf92646bc0eeecff30d72c909e8d0ba9fc9ad7818ebdfebc
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 5607-1 - It was discovered that GDK-PixBuf incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code or cause a crash.
Ubuntu Security Notice 5554-1 - Pedro Ribeiro discovered that the GDK-PixBuf library did not properly handle certain GIF images. If an user or automated system were tricked into opening a specially crafted GIF file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code.
GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.
GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.