
CVE-2016-6352

Published: 27 July 2016

The OneLine32 function in io-ico.c in gdk-pixbuf before 2.35.3 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via crafted dimensions in an ICO file.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: gdk-pixbuf (Launchpad, Ubuntu, Debian)

Release   Status
precise   Does not exist (precise was not-affected)
trusty    Does not exist (trusty was released [2.30.7-0ubuntu1.6])
upstream  Needs triage
wily      Ignored (reached end-of-life)
xenial    Released (2.32.2-1ubuntu1.2)
yakkety   Not vulnerable
zesty     Not vulnerable

Notes

Author: sbeattie
Note: gdk-pixbuf report notes that this may not be necessary for precise, as the reproducer doesn't crash with 2.26. Also, patch does not apply cleanly to precise's 2.26.1 version.

References

Bugs