1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202407-04 ] Pixman: Heap Buffer Overflow

    From glsamaker@gentoo.org@21:1/5 to All on Mon Jul 1 08:20:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202407-04
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: Pixman: Heap Buffer Overflow
    Date: July 01, 2024
    Bugs: #879207
    ID: 202407-04

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in Pixman, which can lead to a heap
    buffer overflow.

    Background
    ==========

    Pixman is a pixel manipulation library.

    Affected packages
    =================

    Package Vulnerable Unaffected
    --------------- ------------ ------------
    x11-libs/pixman < 0.42.2 >= 0.42.2

    Description
    ===========

    A vulnerability has been discovered in Pixman. Please review the CVE identifiers referenced below for details.

    Impact
    ======

    An out-of-bounds write (aka heap-based buffer overflow) in
    rasterize_edges_8 can occur due to an integer overflow in pixman_sample_floor_y.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Pixman users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-libs/pixman-0.42.2"

    References
    ==========

    [ 1 ] CVE-2022-44638
    https://nvd.nist.gov/vuln/detail/CVE-2022-44638

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202407-04

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmaCRSkACgkQFMQkOaVy +9kWVA//VfBTUhbdV2tPB2E83khcmeyQRPExGB4bjjKxbYcPmzl9ylUsCSURquKw hjg7GzUkKO7gtiAxY91vRS52IKQfKg2wC81K+xxoKpzy/Ah4Q9zsTiGmABuXPGIX UJfDCXqYNxZauVht5v2Dr4Y5+19SVM+AG9+mVwqXuicRMWdYi0qCBjGqqd4iTzeh iQtOBBNthlb2Ek7+wAriiWnYi43AaBKfHg9sMJHa0KjyWB1hW/kOvLOsfMJefkhI v4Stj0VMWt+sfSPuyPTERUxjAewKb51dKe+rq28ZzJbATfSiVSJaZur4Yankr+/k 5q+dni6F7McGY6DqK0NY0QI/1t3SMqICZvA8/4JV6PrXipjmFsjQvMQRA//JakEb bT1lbppcQj/NN2/ZenRN4Q7xyN/NRnXaXCyiiVPjYn83JsuL9ZlaXODrQV//p6Wx K4UXaZa1q7zXlwnVUjrn/0Ir6A13/GIld1EURZsu9Im+zPnCQSQutU3+tcothypX V80He8mtokeD8D3o9x4BWEyoUFksDNGrZ2OQKxT/Va/uSttAWuD+kES63bZt68W5 zPfD2e9CPVmudAnrdxnb3RJ7qDybP73FZBx0j6IFDHoaASduchRYU8UH6rldaqBd 4Rnn4cp1M7hQSmCRwGTnB+Hsh2Y/9PxPynipNihhEiwuA3yBrKM=
    =D1p0
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)