CVE-2022-48622

2024-01-2609:15:07

Alpine Linux Development Team

security.alpinelinux.org

cve-2022-48622

gdkpixbuf

ani decoder

heap memory corruption

denial of service

code execution

unix

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.9

Confidence

High

JSON

In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.

OSVersionArchitecturePackageVersionFilename
Alpineedge-mainnoarchgdk-pixbuf< 2.42.12-r0UNKNOWN
Alpine3.17-mainnoarchgdk-pixbuf< 2.42.12-r0UNKNOWN
Alpine3.18-mainnoarchgdk-pixbuf< 2.42.12-r0UNKNOWN
Alpine3.19-mainnoarchgdk-pixbuf< 2.42.12-r0UNKNOWN
Alpine3.20-mainnoarchgdk-pixbuf< 2.42.12-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	edge-main	noarch	gdk-pixbuf	< 2.42.12-r0	UNKNOWN
Alpine	3.17-main	noarch	gdk-pixbuf	< 2.42.12-r0	UNKNOWN
Alpine	3.18-main	noarch	gdk-pixbuf	< 2.42.12-r0	UNKNOWN
Alpine	3.19-main	noarch	gdk-pixbuf	< 2.42.12-r0	UNKNOWN
Alpine	3.20-main	noarch	gdk-pixbuf	< 2.42.12-r0	UNKNOWN