https://bugzilla.redhat.com/show_bug.cgi?id=1311882
Bug ID: 1311882
Summary: CVE-2014-9766 pixman: integer overflow in create_bits function
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: ajax@redhat.com, alonbl@redhat.com, bmcclain@redhat.com, cfergeau@redhat.com, dblechte@redhat.com, erik-fedora@vanpienbroek.nl, fedora-mingw@lists.fedoraproject.org, gklein@redhat.com, lsurette@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, ogabbay@redhat.com, rbalakri@redhat.com, rh-spice-bugs@redhat.com, rjones@redhat.com, sherold@redhat.com, ydary@redhat.com, yeylon@redhat.com, ykaul@redhat.com

In create_bits() both height and stride are ints, so the result is also an int, which will overflow if height or stride are big enough and size_t is bigger than int.
External references:
https://web.archive.org/web/20141227044037/http://lists.freedesktop.org/arch...
CVE assignment:
http://seclists.org/oss-sec/2016/q1/425
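
The size calculation described in the report above, as an added example (not pixman's code and not part of the bug report): the function and variable names are hypothetical and the dimensions are constructed. It shows the int product wrapping to a small value before it is widened to size_t, next to a checked multiplication done in size_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not pixman code: models "height * stride" evaluated
 * in 32-bit int and only afterwards widened to size_t. The wrap is computed
 * in unsigned arithmetic because signed overflow is undefined behaviour. */
static size_t size_from_int_product(int height, int stride)
{
    uint32_t wrapped = (uint32_t)height * (uint32_t)stride;
    /* Conversion back to a signed 32-bit value, as on common
     * two's-complement builds, then widening to size_t. */
    return (size_t)(int32_t)wrapped;
}

/* Hypothetical hardened form: reject negative inputs, check the bound in
 * size_t, then multiply in size_t. Returns 0 on success, -1 when the size
 * is not representable. */
static int size_checked(int height, int stride, size_t *out)
{
    if (height < 0 || stride < 0)
        return -1;
    if (stride != 0 && (size_t)height > SIZE_MAX / (size_t)stride)
        return -1;
    *out = (size_t)height * (size_t)stride;
    return 0;
}

int main(void)
{
    /* Constructed values: 0x10000 rows of 0x10004 bytes each. */
    int height = 0x10000, stride = 0x10004;
    size_t need = 0;

    printf("int product widened: %zu bytes\n",
           size_from_int_product(height, stride));
    if (size_checked(height, stride, &need) == 0)
        printf("size_t product:      %zu bytes\n", need);
    else
        printf("size_t product:      rejected (not representable)\n");
    return 0;
}
```
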
Andrej Nemec anemec@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|---                         |CURRENTRELEASE
        Last Closed|                            |2016-02-25 04:27:11
Adam Mariš amaris@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |972647
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=972647 [Bug 972647] evince crashed in pixman library
Adam Mariš amaris@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|972647                      |
         Depends On|                            |972647
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=972647 [Bug 972647] evince crashed in pixman library
Adam Mariš amaris@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |NEW
                 CC|                            |amaris@redhat.com
         Resolution|CURRENTRELEASE              |---
         Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014
                   |1014,reported=20130610,sour |1014,reported=20130610,sour
                   |ce=redhat,cvss2=4.3/AV:N/AC |ce=redhat,cvss2=4.3/AV:N/AC
                   |:M/Au:N/C:N/I:N/A:P,cwe=CWE |:M/Au:N/C:N/I:N/A:P,cwe=CWE
                   |-190,fedora-all/mingw-pixma |-190,fedora-all/mingw-pixma
                   |n=notaffected,fedora-all/pi |n=notaffected,fedora-all/pi
                   |xman=notaffected,epel-7/min |xman=notaffected,epel-7/min
                   |gw-pixman=notaffected,rhel- |gw-pixman=notaffected,rhel-
                   |5/qpixman=notaffected,rhel- |5/pixman=affected,rhel-5/xu
                   |6/pixman=notaffected,rhel-7 |lrunner=affected,rhel-5/fir
                   |/pixman=notaffected,rhev-m- |efox=affected,rhel-5/thunde
                   |3.4.z/mingw-virt-viewer=not |rbird=affected,rhel-6/pixma
                   |affected                    |n=notaffected,rhel-6/xulrun
                   |                            |ner=affected,rhel-6/firefox
                   |                            |=affected,rhel-6/thunderbir
                   |                            |d=affected,rhel-7/pixman=no
                   |                            |taffected,rhel-7/xulrunner=
                   |                            |affected,rhel-7/firefox=aff
                   |                            |ected,rhel-7/thunderbird=af
                   |                            |fected,rhel-7/qemu-kvm=affe
                   |                            |cted,rhev-m-3.4.z/mingw-vir
                   |                            |t-viewer=notaffected
           Keywords|                            |Reopened
Adam Mariš amaris@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1312311
Tomas Hoger thoger@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|impact=moderate,public=2014 |impact=moderate,public=2014
                   |1014,reported=20130610,sour |1014,reported=20130610,sour
                   |ce=redhat,cvss2=4.3/AV:N/AC |ce=redhat,cvss2=4.3/AV:N/AC
                   |:M/Au:N/C:N/I:N/A:P,cwe=CWE |:M/Au:N/C:N/I:N/A:P,cwe=CWE
                   |-190,fedora-all/mingw-pixma |-190,fedora-all/mingw-pixma
                   |n=notaffected,fedora-all/pi |n=notaffected,fedora-all/pi
                   |xman=notaffected,epel-7/min |xman=notaffected,epel-7/min
                   |gw-pixman=notaffected,rhel- |gw-pixman=notaffected,rhel-
                   |5/pixman=affected,rhel-5/xu |5/pixman=affected,rhel-5/xu
                   |lrunner=affected,rhel-5/fir |lrunner=affected,rhel-5/fir
                   |efox=affected,rhel-5/thunde |efox=affected,rhel-5/thunde
                   |rbird=affected,rhel-6/pixma |rbird=affected,rhel-6/pixma
                   |n=notaffected,rhel-6/xulrun |n=notaffected,rhel-6/xulrun
                   |ner=affected,rhel-6/firefox |ner=affected,rhel-6/firefox
                   |=affected,rhel-6/thunderbir |=affected,rhel-6/thunderbir
                   |d=affected,rhel-7/pixman=no |d=affected,rhel-7/pixman=no
                   |taffected,rhel-7/xulrunner= |taffected,rhel-7/xulrunner=
                   |affected,rhel-7/firefox=aff |affected,rhel-7/firefox=aff
                   |ected,rhel-7/thunderbird=af |ected,rhel-7/thunderbird=af
                   |fected,rhel-7/qemu-kvm=affe |fected,rhel-7/qemu-kvm=affe
                   |cted,rhev-m-3.4.z/mingw-vir |cted,rhev-m-3/mingw-virt-vi
                   |t-viewer=notaffected        |ewer=notaffected