CVE-2018-18718

NameCVE-2018-18718
DescriptionAn issue was discovered in gThumb through 3.6.2. There is a double-free vulnerability in the add_themes_from_dir method in dlg-contact-sheet.c because of two successive calls of g_free, each of which frees the same buffer.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1567-1
Debian Bugs912290

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gthumb (PTS)jessie, jessie (lts)3:3.3.1-2.1+deb8u2fixed
stretch (security), stretch (lts), stretch3:3.4.4.1-5+deb9u2fixed
buster3:3.6.2-4+deb10u1fixed
bullseye3:3.11.2-0.1fixed
bookworm3:3.12.2-3fixed
sid, trixie3:3.12.6-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gthumbsourcewheezy(unfixed)end-of-life
gthumbsourcejessie3:3.3.1-2.1+deb8u1DLA-1567-1
gthumbsourcestretch3:3.4.4.1-5+deb9u1
gthumbsource(unstable)3:3.6.2-2unimportant912290

Notes

https://gitlab.gnome.org/GNOME/gthumb/issues/18
https://gitlab.gnome.org/GNOME/gthumb/commit/06c39346fda502bd37429006d4822dd977995661 (master)
https://gitlab.gnome.org/GNOME/gthumb/commit/f3edf6952757f887569e8c26cf18d40409f3fdca (3.6)
Crash in end user application, no security impact

Search for package or bug name: Reporting problems