Bug 815064 (CVE-2013-1591) - VUL-0: CVE-2013-1591: pixman: Stack-based buffer overflow
Summary: VUL-0: CVE-2013-1591: pixman: Stack-based buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2013-1591
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium / Severity: Major
Target Milestone: ---
Deadline: 2013-07-25
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:53651:important maint:r...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-12 16:30 UTC by Thomas Biege
Modified: 2014-06-17 05:35 UTC
CC: 7 users

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2013-04-12 16:30:26 UTC
Hi.
There is a security bug in package 'libpixman-1-0'.

This information is from 'full-disclosure'.

This bug is public.

There is no coordinated release date (CRD) set.

CVE number: CVE-2013-1591
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1591
CVSS v2 Base Score: 4.0 (moderate) (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Buffer Errors (CWE-119)


Original posting:

-------- Original Message --------
Subject: [Full-disclosure] [ MDVSA-2013:116 ] pixman
Date: Wed, 10 Apr 2013 15:08:00 +0200
From: security@mandriva.com
Reply-To: noreply@mandriva.com
To: full-disclosure@lists.grok.org.uk

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:116
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : pixman
 Date    : April 10, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated pixman packages fix security vulnerability:

 Stack-based buffer overflow in libpixman has unspecified impact and
 attack vectors (CVE-2013-1591).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1591
 https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0077
 _______________________________________________________________________

 Updated Packages:
...
Comment 1 Swamp Workflow Management 2013-04-12 22:00:28 UTC
bugbot adjusting priority
Comment 2 Alexander Bergmann 2013-04-18 11:43:23 UTC
RedHat reference:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1591
Comment 3 Alexander Bergmann 2013-04-18 12:00:50 UTC
We found this issue in pixman-0.24.4 inside the SLE11-SP3 channel.

http://cgit.freedesktop.org/pixman/commit/?id=de60e2e0e3eb6084f8f14b63f25b3cbfb012943f

SLE-11 SP2 is not affected (Version 0.16.0).
Comment 4 Scott Reeves 2013-06-28 19:34:00 UTC
HPJ - can you take this...
Comment 5 Swamp Workflow Management 2013-07-18 08:09:01 UTC
The SWAMPID for this issue is 53650.
This issue was rated as important.
Please submit fixed packages until 2013-07-25.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Swamp Workflow Management 2013-07-18 08:09:11 UTC
The SWAMPID for this issue is 53651.
This issue was rated as important.
Please submit fixed packages until 2013-07-25.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 Marcus Meissner 2013-07-18 08:11:08 UTC
please include fix for the evince pdf hang, bug 818242
Comment 8 Marcus Meissner 2013-07-25 05:51:21 UTC
ping?

deadline today?
Comment 10 Michael Gorse 2013-07-25 16:01:17 UTC
Took this since hpj is on vacation.
I've just submitted a patch; SR#27874.
Comment 11 Swamp Workflow Management 2013-08-22 22:09:27 UTC
Update released for: libpixman-1-0, libpixman-1-0-32bit, libpixman-1-0-devel, libpixman-1-0-x86, pixman, pixman-debuginfo, pixman-debugsource
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 13 Marcus Meissner 2013-08-27 15:41:31 UTC
on opensuse pixman is maintained by gnome maintainers, reassign ...

please check if pixman is affected there, thanks
Comment 14 Bjørn Lie 2013-08-27 16:16:17 UTC
SR#196566 for openSUSE:12.2

openSUSE:12.3 is not affected as it shipped the already fixed upstream version 0.28.2
Comment 15 Bernhard Wiedemann 2013-08-27 17:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (815064) was mentioned in
https://build.opensuse.org/request/show/196566 Maintenance /
Comment 16 Scott Reeves 2013-08-31 00:14:08 UTC
Appears fixes are submitted for all platforms...
Comment 17 Swamp Workflow Management 2013-09-09 13:04:47 UTC
openSUSE-SU-2013:1421-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 815064
CVE References: CVE-2013-1519,CVE-2013-1591
Sources used:
openSUSE 12.2 (src):    pixman-0.24.4-4.4.1
Comment 18 Hans Petter Jansson 2013-09-15 16:25:55 UTC
Closing as fixed.