Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!Close

CVE-2015-8875

Published: 1 June 2016

Multiple integer overflows in the (1) pixops_composite_nearest, (2) pixops_composite_color_nearest, and (3) pixops_process functions in pixops/pixops.c in gdk-pixbuf before 2.33.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image, which triggers a heap-based buffer overflow.

Notes

AuthorNote
sbeattie
in their wheezy update, debian identified this fix as
CVE-2015-7674-part2.patch (in 2.26.1-1+deb7u4).

Priority

Medium

Cvss 3 Severity Score

7.8

Score breakdown

Status

Package Release Status
gdk-pixbuf
Launchpad, Ubuntu, Debian
precise
Released (2.26.1-1ubuntu1.5)
trusty
Released (2.30.7-0ubuntu1.6)
upstream
Released (2.32.2, 2.34.0)
wily Ignored
(end of life)
xenial Not vulnerable
(2.32.2-1ubuntu1)
yakkety Not vulnerable
(2.34.0-1ubuntu1)
zesty Not vulnerable
(2.34.0-1ubuntu1)
Patches:
upstream: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=dbfe8f70471864818bf458a39c8a99640895bd22

Severity score breakdown

Parameter Value
Base score 7.8
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H