Subject: [ASA-202012-19] gdk-pixbuf2: denial of service Arch Linux Security Advisory ASA-202012-19 ========================================== Severity: Medium Date : 2020-12-09 CVE-ID : CVE-2020-29385 Package : gdk-pixbuf2 Type : denial of service Remote : No Link : https://security.archlinux.org/AVG-1328 Summary ======= The package gdk-pixbuf2 before version 2.42.2-1 is vulnerable to denial of service. Resolution ========== Upgrade to 2.42.2-1. # pacman -Syu "gdk-pixbuf2>=2.42.2-1" The problem has been fixed upstream in version 2.42.2. Workaround ========== None. Description =========== A security issue was found in gdk-pixbuf2 2.40.0 up to 2.42.0. A malformed GIF image could lead to an endless loop in the write_indexes function in gdk-pixbuf/lzw.c, taking full CPU resources and leading to a denial of service. Impact ====== An attacker might be able to cause a denial of service via a crafted GIF image. References ========== https://mail.gnome.org/archives/distributor-list/2020-December/msg00000.html https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164 https://gitlab.gnome.org/GNOME/gdk-pixbuf/uploads/2838c96bb111a93d845b95c53b8953e3/gif_lzw_PoC.tar.gz https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/92 https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81 https://security.archlinux.org/CVE-2020-29385