Cloud Foundry | CFOUNDRY:DFE291B6AA9E97F0C85DEB2AA18E0080
History: Nov 03, 2015 - 12:00 a.m.

USN-2767-1 GDK-Pixbuf library vulnerability | Cloud Foundry

2015-11-03 00:00:00
Cloud Foundry
www.cloudfoundry.org

CVSS2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.025 (Percentile: 90.2%)

USN-2767-1 GDK-Pixbuf library vulnerability

Medium

Vendor

GDK Pixbuf

Versions Affected

  • Ubuntu 14.04

Description

Gustavo Grieco discovered that the GDK-PixBuf library did not properly handle scaling TGA image files, leading to a heap overflow. If a user or automated system were tricked into opening a TGA image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7673)

Gustavo Grieco discovered that the GDK-PixBuf library contained an integer overflow when handling certain GIF images. If a user or automated system were tricked into opening a GIF image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7674)

The Cloud Foundry project released a cflinuxfs2 rootfs stack that has the patched version of OpenSSH.

Affected Products and Versions

_Severity is medium unless otherwise noted._

  • All versions of Cloud Foundry cflinuxfs2 prior to 1.11.0 have versions of the library vulnerable to USN-2767-1.

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.11.0 or later.

Credit

Gustavo Grieco

References
