CVE-2021-44648
published 2022-01-12CVE-2021-44648: GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw…
PriorityP346high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
1.89%
77.0th percentile
GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | gdk-pixbuf | < gdk-pixbuf 2.42.9+dfsg-1 (bookworm) | gdk-pixbuf 2.42.9+dfsg-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| gnome | gdk-pixbuf | >= 0 < 2.42.2+dfsg-1+deb11u1 | 2.42.2+dfsg-1+deb11u1 |
| gnome | gdk-pixbuf | >= 0 < 2.42.9+dfsg-1 | 2.42.9+dfsg-1 |
| gnome | gdk-pixbuf | >= 0 < 2.42.9+dfsg-1 | 2.42.9+dfsg-1 |
| gnome | gdk-pixbuf | >= 0 < 2.42.9+dfsg-1 | 2.42.9+dfsg-1 |
| gnome | gdkpixbuf | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8HIGH
vendor_redhat8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
GDK-PixBuf vulnerability
vendor_ubuntu·2022-09-13
CVE-2021-44648 GDK-PixBuf vulnerability
Title: GDK-PixBuf vulnerability
Summary: GDK-PixBuf could be made do execute arbitrary code or
crash if it received a specially crafted image.
It was discovered that GDK-PixBuf incorrectly handled certain images.
An attacker could possibly use this issue to execute arbitrary code
or cause a crash.
Instructions: After a standard system update you need to restart your session to make all
the necessary changes.
Red Hat
gdk-pixbuf: heap-buffer overflow when decoding the lzw compressed stream of image data
vendor_redhat·2022-01-12·CVSS 8.8
CVE-2021-44648 [HIGH] CWE-125 gdk-pixbuf: heap-buffer overflow when decoding the lzw compressed stream of image data
gdk-pixbuf: heap-buffer overflow when decoding the lzw compressed stream of image data
GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.
A flaw was found in gdk-pixbuf. The vulnerability occurs due to the index overwriting in the lzw_decoder_new function, leading to a heap buffer overflow. This flaw allows an attacker to input a specially crafted GIF file, leading to a crash or code execution.
Package: gdk-pixbuf2 (Red Hat Enterprise Linux 6) - Not affected
Package: gdk-pixbuf2 (Red Hat Enterprise Linux 7) - Not affected
Package: gdk-pixbuf2 (Red Hat Enterprise Linux 8) - Not affected
Debian
CVE-2021-44648: gdk-pixbuf - GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability wh...
vendor_debian·2021·CVSS 8.8
CVE-2021-44648 [HIGH] CVE-2021-44648: gdk-pixbuf - GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability wh...
GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.
Scope: local
bookworm: resolved (fixed in 2.42.9+dfsg-1)
bullseye: resolved (fixed in 2.42.2+dfsg-1+deb11u1)
forky: resolved (fixed in 2.42.9+dfsg-1)
sid: resolved (fixed in 2.42.9+dfsg-1)
trixie: resolved (fixed in 2.42.9+dfsg-1)
GHSA
GHSA-hm7g-c3p8-8xwf: GNOME gdk-pixbuf 2
ghsa_unreviewed·2022-02-15
CVE-2021-44648 [HIGH] CWE-787 GHSA-hm7g-c3p8-8xwf: GNOME gdk-pixbuf 2
GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.
OSV
CVE-2021-44648: GNOME gdk-pixbuf 2
osv·2022-01-12·CVSS 8.8
CVE-2021-44648 [HIGH] CVE-2021-44648: GNOME gdk-pixbuf 2
GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/136https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEVTOGIJITK2N5AOOLKKMDIICZDQE6CH/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEKBMOO52RXONWKB6ZKKHTVPLF6WC3KF/https://sahildhar.github.io/blogpost/GdkPixbuf-Heap-Buffer-Overflow-in-lzw_decoder_new/https://www.debian.org/security/2022/dsa-5228https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/136https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEVTOGIJITK2N5AOOLKKMDIICZDQE6CH/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEKBMOO52RXONWKB6ZKKHTVPLF6WC3KF/https://sahildhar.github.io/blogpost/GdkPixbuf-Heap-Buffer-Overflow-in-lzw_decoder_new/https://www.debian.org/security/2022/dsa-5228
2022-01-12
Published