Security Bulletin: Vulnerability in Mozilla gdk-pixbuf2 affects PowerKVM (CVE-2015-4491)

Summary

PowerKVM is affected by a vulnerability in Mozilla gdb-pixbuf2 (CVE-2015-4491). A fix for this vulnerability is available, as described below. Note that this primarily affects Mozilla Firefox, which does not ship with PowerKVM.

Vulnerability Details

CVEID: CVE-2015-4491**
DESCRIPTION:** Mozilla Firefox is vulnerable to a heap-based buffer overflow, caused by improper bounds checking bygdk-pixbuf affecting Linux systems using Gnome. By persuading a victim to visit a specially-crafted Web site, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105544 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Note that this primarily affects Mozilla Firefox, which does not ship with PowerKVM.

Affected Products and Versions

PowerKVM v2.1

Remediation/Fixes

Fix is made available via Fix Central (https://ibm.biz/BdEnT8) in 2.1.1 Build 65.1 and all later 2.1.1 SP3 service builds and 2.1.1 fix packs. For systems currently running fix levels of PowerKVM prior to 2.1.1, please see <http://download4.boulder.ibm.com/sar/CMA/OSA/05e4c/0/README&gt; for prerequisite fixes and instructions. Customers can also update from 2.1.1 (GA and later levels) by using “yum update”

Workarounds and Mitigations

None