Bug #14729

Fix gdk-pixbuf vulnerability (CVE-2017-2862)

Added by cypherpunks 2017-09-26 17:55:35 . Updated 2017-11-15 11:33:57 .

Target version:
Start date:
Due date:
% Done:


Feature Branch:
Type of work:

Affected tool:
Deliverable for:



the custom tails packages needs to be patched (2.36.5-2.0tails2)


Related issues

Related to Tails - Bug #13442: gdk-pixbuf's loaders.cache not reproducible Resolved 2017-07-07
Related to Tails - Feature #14728: Track security updates during the Tails code freeze Confirmed 2017-09-26


#1 Updated by intrigeri 2017-09-27 07:47:33

  • Subject changed from gdk-pixbuf vulnerability to Fix gdk-pixbuf vulnerability (CVE-2017-2862)
  • Status changed from New to Confirmed
  • Assignee set to anonym
  • Priority changed from Normal to Elevated
  • Target version set to Tails_3.3
  • Parent task set to Feature #5630
  • Deliverable for set to 289

#2 Updated by intrigeri 2017-09-27 07:48:02

  • related to Bug #13442: gdk-pixbuf's loaders.cache not reproducible added

#3 Updated by intrigeri 2017-09-27 07:52:00

  • related to Feature #14728: Track security updates during the Tails code freeze added

#4 Updated by anonym 2017-09-27 13:47:08

I was just wondering how I could have missed this when preparing the 3.1 security advisory (for the 3.2 release, yesterday) and here’s the post-mortem:

I apparently optimize this process in an unsafe way (at least to detect issues like this). I didn’t do it the obvious way and look at the list of recent advisories affecting Debian and then look at which of the affected packages we install. Instead I first looked at the .packages diff between 3.1 and 3.2, and then I investigated the packages that differed further vs the Debian advisories. This time there actually was a difference for the gdk-pixbuf packages, but I remembered that I had uploaded it a few weeks ago for the reproducibility fix, so this difference was expected, and not related to security updates, so I didn’t even look it up…

So, clearly the right way to do it is to go the other way around, i.e. look at the Debian advisories and the see which packages installed in Tails that are affected. Shame on me! But the real fix would of course be to automate the generation of advisories affecting Tails (given its .packages list), so the human (perhaps I’m generalizing?) tendency to optimize away security guards is out of the picture.

#5 Updated by intrigeri 2017-10-29 08:25:17

  • Priority changed from Elevated to High

This is your only remaining task on the list of what we want to complete by the end of the contract, so raising priority. ETA?

#6 Updated by intrigeri 2017-11-06 15:49:41

  • Assignee changed from anonym to intrigeri

#7 Updated by intrigeri 2017-11-06 17:24:21

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/14729-gdk-pixbuf-cve-2017-2862

#8 Updated by intrigeri 2017-11-07 12:13:27

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

Last builds have the expected package. Jenkins test suite runs pass modulo Bug #14927.

#9 Updated by anonym 2017-11-07 15:34:57

  • Status changed from In Progress to Fix committed
  • % Done changed from 50 to 100

Applied in changeset commit:488a17510c12cc7a95e7f2d61bfd5e57c1422b54.

#10 Updated by anonym 2017-11-07 15:37:14

  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

Source diff looks good, Jenkins’ build + test + repro successful => merged!

#11 Updated by anonym 2017-11-15 11:33:57

  • Status changed from Fix committed to Resolved