CVE-2017-12447
published 2019-03-07CVE-2017-12447: GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption)…
PriorityP428high7.8CVSS 3.0
AVLACLPRNUIRSUCHIHAH
EPSS
1.15%
62.8th percentile
GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gdk-pixbuf | < gdk-pixbuf 2.34.0-1 (bookworm) | gdk-pixbuf 2.34.0-1 (bookworm) |
| gnome | gdk-pixbuf | — | — |
| gnome | gdk-pixbuf | >= 0 < 2.34.0-1 | 2.34.0-1 |
| gnome | gdk-pixbuf | >= 0 < 2.34.0-1 | 2.34.0-1 |
| gnome | gdk-pixbuf | >= 0 < 2.34.0-1 | 2.34.0-1 |
| gnome | gdk-pixbuf | >= 0 < 2.34.0-1 | 2.34.0-1 |
| gnome | nautilus | — | — |
CVSS provenance
nvdv3.07.8HIGHCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv7.8HIGH
vendor_debian7.8HIGH
vendor_redhat7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
GDK-PixBuf vulnerability
vendor_ubuntu·2019-03-20
CVE-2017-12447 GDK-PixBuf vulnerability
Title: GDK-PixBuf vulnerability
Summary: GDK-PixBuf could be made to crash or run programs as your login if it
opened a specially crafted file.
It was discovered that the GDK-PixBuf library did not properly handle
certain BMP images. If an user or automated system were tricked into
opening a specially crafted BMP file, a remote attacker could use this flaw
to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly
execute arbitrary code.
Instructions: After a standard system update you need to restart your session to make
all the necessary changes.
Red Hat
gdk-pixbuf: heap-based overflow caused by invalid palette size
vendor_redhat·2017-08-08·CVSS 7.8
CVE-2017-12447 [HIGH] CWE-400 gdk-pixbuf: heap-based overflow caused by invalid palette size
gdk-pixbuf: heap-based overflow caused by invalid palette size
GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.
Statement: This issue did not affect the versions of gdk-pixbuf2 as shipped with Red Hat Enterprise Linux 6 and 7.
This issue affects the versions of gdk-pixbuf as shipped with Red Hat Enterprise Linux 5.
Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/err
Debian
CVE-2017-12447: gdk-pixbuf - GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on...
vendor_debian·2017·CVSS 7.8
CVE-2017-12447 [HIGH] CVE-2017-12447: gdk-pixbuf - GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on...
GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.
Scope: local
bookworm: resolved (fixed in 2.34.0-1)
bullseye: resolved (fixed in 2.34.0-1)
forky: resolved (fixed in 2.34.0-1)
sid: resolved (fixed in 2.34.0-1)
trixie: resolved (fixed in 2.34.0-1)
GHSA
GHSA-5737-crgv-prwm: GdkPixBuf (aka gdk-pixbuf), possibly 2
ghsa_unreviewed·2022-05-14
CVE-2017-12447 [HIGH] CWE-119 GHSA-5737-crgv-prwm: GdkPixBuf (aka gdk-pixbuf), possibly 2
GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.
OSV
CVE-2017-12447: GdkPixBuf (aka gdk-pixbuf), possibly 2
osv·2019-03-07·CVSS 7.8
CVE-2017-12447 [HIGH] CVE-2017-12447: GdkPixBuf (aka gdk-pixbuf), possibly 2
GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-12447 gdk-pixbuf2: gdk-pixbuf: heap-based overflow caused by invalid palette size [fedora-all]
bugzilla·2019-03-08·CVSS 7.8
CVE-2017-12447 [HIGH] CVE-2017-12447 gdk-pixbuf2: gdk-pixbuf: heap-based overflow caused by invalid palette size [fedora-all]
CVE-2017-12447 gdk-pixbuf2: gdk-pixbuf: heap-based overflow caused by invalid palette size [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects m
Bugzilla
CVE-2017-12447 gdk-pixbuf: heap-based overflow caused by invalid palette size
bugzilla·2019-03-08·CVSS 7.8
CVE-2017-12447 [HIGH] CVE-2017-12447 gdk-pixbuf: heap-based overflow caused by invalid palette size
CVE-2017-12447 gdk-pixbuf: heap-based overflow caused by invalid palette size
GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.
Reference:
https://bugzilla.gnome.org/show_bug.cgi?id=785979
https://github.com/hackerlib/hackerlib-vul/tree/master/gnome
Discussion:
Created gdk-pixbuf2 tracking bugs for this issue:
Affects: fedora-all [bug 1686830]
Created mingw-gdk-pixbuf tracking bugs for this issue:
Affects: fedora-all [bug 1686831]
---
Created mingw-gdk-pixbuf tracking bugs for this issue:
Affects: epel-7 [bug 1686832]
---
I believe this has been fixed by https://gitlab.gnome.org/GNOME/gdk-pixbuf/commit/b7bf6fbfb310fc
Bugzilla
CVE-2017-12447 mingw-gdk-pixbuf: gdk-pixbuf: heap-based overflow caused by invalid palette size [fedora-all]
bugzilla·2019-03-08·CVSS 7.8
CVE-2017-12447 [HIGH] CVE-2017-12447 mingw-gdk-pixbuf: gdk-pixbuf: heap-based overflow caused by invalid palette size [fedora-all]
CVE-2017-12447 mingw-gdk-pixbuf: gdk-pixbuf: heap-based overflow caused by invalid palette size [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affe
Bugzilla
CVE-2017-12447 mingw-gdk-pixbuf: gdk-pixbuf: heap-based overflow caused by invalid palette size [epel-7]
bugzilla·2019-03-08·CVSS 7.8
CVE-2017-12447 [HIGH] CVE-2017-12447 mingw-gdk-pixbuf: gdk-pixbuf: heap-based overflow caused by invalid palette size [epel-7]
CVE-2017-12447 mingw-gdk-pixbuf: gdk-pixbuf: heap-based overflow caused by invalid palette size [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the followin
2019-03-07
Published