diff -Nru gdk-pixbuf-2.32.2/debian/changelog gdk-pixbuf-2.32.2/debian/changelog
--- gdk-pixbuf-2.32.2/debian/changelog 2016-09-20 16:51:09.000000000 +0000
+++ gdk-pixbuf-2.32.2/debian/changelog 2017-09-14 16:38:52.000000000 +0000
@@ -1,3 +1,22 @@
+gdk-pixbuf (2.32.2-1ubuntu1.3) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Integer overflow checks not enough
+ - debian/patch/CVE-2017-2870.patch: checks for integer overflow
+ in multiplication in gdk-pixbuf/io-tiff.c.
+ - CVE-2017-2870
+ * SECURITY UPDATE: exploitable heap overflow
+ - debian/patches/CVE-2017-2862-part1.patch: Throw error
+ when number of colour components is unsupported in
+ gdk-pixbuf/io-jpeg.c.
+ - debian/patches/CVE-2017-2862-part2.patch: restore grayscale
+ support in gdk-pixbuf/io-jpeg.c
+ * SECURITY UPDATE: context-dependent to cause DoS
+ - debian/patches/CVE-2017-6311.patch: return an error when ICO
+ didn't load in gdk-pixbuf/io-ico.c.
+ - CVE-2017-6311
+
+ -- Leonidas S. Barbosa Thu, 14 Sep 2017 13:38:49 -0300
+
 gdk-pixbuf (2.32.2-1ubuntu1.2) xenial-security; urgency=medium
 
 * SECURITY UPDATE: Fix a write out-of-bounds error parsing a malicious ico
diff -Nru gdk-pixbuf-2.32.2/debian/patches/CVE-2017-2862-part1.patch gdk-pixbuf-2.32.2/debian/patches/CVE-2017-2862-part1.patch
--- gdk-pixbuf-2.32.2/debian/patches/CVE-2017-2862-part1.patch 1970-01-01 00:00:00.000000000 +0000
+++ gdk-pixbuf-2.32.2/debian/patches/CVE-2017-2862-part1.patch 2017-09-14 03:58:22.000000000 +0000
@@ -0,0 +1,60 @@
+From c2a40a92fe3df4111ed9da51fe3368c079b86926 Mon Sep 17 00:00:00 2001
+From: Tobias Mueller
+Date: Wed, 12 Jul 2017 20:36:11 +0200
+Subject: jpeg: Throw error when number of color components is unsupported
+
+Explicitly check "3" or "4" output color components.
+
+gdk-pixbuf assumed that the value of output_components to be either
+3 or 4, but not an invalid value (9) or an unsupported value (1).
+
+The way the buffer size was deduced was using a naive "== 4" check,
+with a 1, 3 or 9 color component picture getting the same buffer size,
+a size just sufficient for 3 color components, causing invalid writes
+later when libjpeg-turbo was decoding the image.
+
+CVE-2017-2862
+
+Sent by from Marcin 'Icewall' Noga of Cisco Talos
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784866
+Index: gdk-pixbuf-2.32.2/gdk-pixbuf/io-jpeg.c
+===================================================================
+--- gdk-pixbuf-2.32.2.orig/gdk-pixbuf/io-jpeg.c
++++ gdk-pixbuf-2.32.2/gdk-pixbuf/io-jpeg.c
+@@ -1011,6 +1011,7 @@ gdk_pixbuf__jpeg_image_load_increment (g
+ /* try to load jpeg header */
+ if (!context->got_header) {
+ int rc;
++ gboolean has_alpha;
+
+ jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
+ jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
+@@ -1049,9 +1050,24 @@ gdk_pixbuf__jpeg_image_load_increment (g
+ }
+ jpeg_calc_output_dimensions (cinfo);
+
+- context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+- cinfo->output_components == 4 ? TRUE : FALSE,
+- 8,
++
++ if (cinfo->output_components == 3) {
++ has_alpha = FALSE;
++ } else if (cinfo->output_components == 4) {
++ has_alpha = TRUE;
++ } else {
++ g_set_error (error,
++ GDK_PIXBUF_ERROR,
++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++ _("Unsupported number of color components (%d)"),
++ cinfo->output_components);
++ retval = FALSE;
++ goto out;
++ }
++
++ context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
++ has_alpha,
++ 8,
+ cinfo->output_width,
+ cinfo->output_height);
+
diff -Nru gdk-pixbuf-2.32.2/debian/patches/CVE-2017-2862-part2.patch gdk-pixbuf-2.32.2/debian/patches/CVE-2017-2862-part2.patch
--- gdk-pixbuf-2.32.2/debian/patches/CVE-2017-2862-part2.patch 1970-01-01 00:00:00.000000000 +0000
+++ gdk-pixbuf-2.32.2/debian/patches/CVE-2017-2862-part2.patch 2017-09-14 03:59:29.000000000 +0000
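Review bot: The error branch sets `retval = FALSE` and jumps to `out` before `context->pixbuf` has been created, and both the `out:` label and `retval` live outside the hunk (gdk_pixbuf__jpeg_image_load_increment starts and ends outside it), so please confirm that the cleanup at `out:` tolerates a still-NULL `context->pixbuf`. The check itself carries no explanation, although the whole point is that the row buffer sized later in the function only covers 3 or 4 channels; a comment on the `if` would keep that invariant visible to the next maintainer: `/* the row buffer allocated below is sized for 3 or 4 channels; any other count must be rejected here (CVE-2017-2862) */`. `has_alpha` is declared without an initializer in the first hunk, which is fine today because every path that reaches `gdk_pixbuf_new` assigns it, but that is worth a one-line note so a future branch does not leave it unset.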
@@ -0,0 +1,30 @@
+From 6dd89e126a277460faafc1f679db44ccf78446fb Mon Sep 17 00:00:00 2001
+From: "A. Bosch"
+Date: Thu, 20 Jul 2017 15:07:13 +0200
+Subject: jpeg: Restore grayscale image support
+
+Commit c2a40a92fe3df4111ed9da51fe3368c079b86926 restricts the jpeg
+loader to files with 3 or 4 color components.
+
+Also allow JCS_GRAYSCALE images with only 1 color component.
+These grayscale images are supported through explode_gray_into_buf.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=785171
+---
+ gdk-pixbuf/io-jpeg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: gdk-pixbuf-2.32.2/gdk-pixbuf/io-jpeg.c
+===================================================================
+--- gdk-pixbuf-2.32.2.orig/gdk-pixbuf/io-jpeg.c
++++ gdk-pixbuf-2.32.2/gdk-pixbuf/io-jpeg.c
+@@ -1055,6 +1055,9 @@ gdk_pixbuf__jpeg_image_load_increment (g
+ has_alpha = FALSE;
+ } else if (cinfo->output_components == 4) {
+ has_alpha = TRUE;
++ } else if (cinfo->output_components == 1 &&
++ cinfo->out_color_space == JCS_GRAYSCALE) {
++ has_alpha = FALSE;
+ } else {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
diff -Nru gdk-pixbuf-2.32.2/debian/patches/CVE-2017-2870.patch gdk-pixbuf-2.32.2/debian/patches/CVE-2017-2870.patch
--- gdk-pixbuf-2.32.2/debian/patches/CVE-2017-2870.patch 1970-01-01 00:00:00.000000000 +0000
+++ gdk-pixbuf-2.32.2/debian/patches/CVE-2017-2870.patch 2017-09-14 03:48:18.000000000 +0000
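Review bot: The new branch accepts `output_components == 1` only together with `out_color_space == JCS_GRAYSCALE`, but nothing in the code says why that pairing is safe when every other 1-component input is still rejected; the reason is only in the commit message (grayscale rows are expanded by `explode_gray_into_buf`). Put it next to the condition so the relaxation of the CVE-2017-2862 check is not loosened further by accident: `/* 1-component input is only safe for JCS_GRAYSCALE, which explode_gray_into_buf expands to RGB */`. The enclosing function and the `else` error branch continue outside the hunk.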
@@ -0,0 +1,64 @@
+From 31a6cff3dfc6944aad4612a9668b8ad39122e48b Mon Sep 17 00:00:00 2001
+From: Ludovico de Nittis
+Date: Sun, 19 Mar 2017 16:11:13 +0100
+Subject: tiff: Check for integer overflows in multiplication
+
+The checks currently in use are not sufficient, because they depend on
+undefined behaviour:
+
+ rowstride = width * 4;
+ if (rowstride / 4 != width) { /* overflow */
+
+If the multiplication has already overflowed, the compiler may decide
+to optimize the if out and thus we do not handle the erroneous case.
+
+Rearrange the checks to avoid the undefined behaviour.
+
+Note that gcc doesn't seem to be impacted, though a defined behaviour is
+obviously preferred.
+
+CVE-2017-2870
+
+https://bugzilla.gnome.org/show_bug.cgi?id=780269
+---
+ gdk-pixbuf/io-tiff.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+Index: gdk-pixbuf-2.32.2/gdk-pixbuf/io-tiff.c
+===================================================================
+--- gdk-pixbuf-2.32.2.orig/gdk-pixbuf/io-tiff.c
++++ gdk-pixbuf-2.32.2/gdk-pixbuf/io-tiff.c
+@@ -123,18 +123,18 @@ tiff_image_parse (TIFF *tiff, TiffContex
+ _("Width or height of TIFF image is zero"));
+ return NULL;
+ }
+-
+- rowstride = width * 4;
+- if (rowstride / 4 != width) { /* overflow */
++
++ if (width > G_MAXINT / 4) { /* overflow */
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Dimensions of TIFF image too large"));
+ return NULL;
+ }
+-
+- bytes = height * rowstride;
+- if (bytes / rowstride != height) { /* overflow */
++
++ rowstride = width * 4;
++
++ if (height > G_MAXINT / rowstride) { /* overflow */
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+@@ -142,6 +142,8 @@ tiff_image_parse (TIFF *tiff, TiffContex
+ return NULL;
+ }
+
++ bytes = height * rowstride;
++
+ if (context && context->size_func) {
+ gint w = width;
+ gint h = height;
diff -Nru gdk-pixbuf-2.32.2/debian/patches/CVE-2017-6311.patch gdk-pixbuf-2.32.2/debian/patches/CVE-2017-6311.patch
--- gdk-pixbuf-2.32.2/debian/patches/CVE-2017-6311.patch 1970-01-01 00:00:00.000000000 +0000
+++ gdk-pixbuf-2.32.2/debian/patches/CVE-2017-6311.patch 2017-09-14 04:01:29.000000000 +0000
@@ -0,0 +1,44 @@
+From 758655315bc3760c2d646e1e935f7448847073af Mon Sep 17 00:00:00 2001
+From: Bastien Nocera
+Date: Thu, 27 Jul 2017 13:27:47 +0100
+Subject: ico: Return an error when the ICO didn't load
+
+If we don't even read enough data to fill the header, return an
+error. This doesn't cover everything that could go wrong with
+the ICO incremental loader, but this is a good first throw.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=778204
+---
+ gdk-pixbuf/io-ico.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+Index: gdk-pixbuf-2.32.2/gdk-pixbuf/io-ico.c
+===================================================================
+--- gdk-pixbuf-2.32.2.orig/gdk-pixbuf/io-ico.c
++++ gdk-pixbuf-2.32.2/gdk-pixbuf/io-ico.c
+@@ -587,6 +587,7 @@ gdk_pixbuf__ico_image_stop_load(gpointer
+ {
+ struct ico_progressive_state *context =
+ (struct ico_progressive_state *) data;
++ gboolean ret = TRUE;
+
+ /* FIXME this thing needs to report errors if
+ * we have unused image data
+@@ -594,8 +595,16 @@ gdk_pixbuf__ico_image_stop_load(gpointer
+
+ g_return_val_if_fail(context != NULL, TRUE);
+
++ if (context->HeaderDone < context->HeaderSize) {
++ g_set_error_literal (error,
++ GDK_PIXBUF_ERROR,
++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++ _("ICO image was truncated or incomplete."));
++ ret = FALSE;
++ }
++
+ context_free (context);
+- return TRUE;
++ return ret;
+ }
+
+ static void
diff -Nru gdk-pixbuf-2.32.2/debian/patches/series gdk-pixbuf-2.32.2/debian/patches/series
--- gdk-pixbuf-2.32.2/debian/patches/series 2016-09-13 16:56:01.000000000 +0000
+++ gdk-pixbuf-2.32.2/debian/patches/series 2017-09-14 04:02:17.000000000 +0000
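Review bot: The new guard `if (height > G_MAXINT / rowstride)` divides by `rowstride`, and that is only safe because of the `Width or height of TIFF image is zero` check visible at the top of the hunk; nothing ties the two together, so a later reordering could reintroduce a division by zero. A one-line comment on the new guard would pin the dependency: `/* width != 0 was rejected above, so rowstride > 0 here */`. The bound uses `G_MAXINT`, which is right if `width`, `height` and `rowstride` are `gint`, as the `gint w = width;` conversion in the second hunk suggests, but their declarations are outside the hunk; if they turn out to be wider or unsigned the limit is merely stricter than necessary, not unsafe, so this is a confirm-and-document item. tiff_image_parse starts and ends outside the hunk.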
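Review bot: The new check only fires when fewer than `HeaderSize` bytes arrived, so a stream that completes the header and is then cut off inside the image data still makes gdk_pixbuf__ico_image_stop_load return TRUE with whatever was decoded so far; the commit message concedes this, but the code only hints at it through the pre-existing FIXME in the first hunk. Make that FIXME say so explicitly so the remaining gap is tracked rather than implied: `/* FIXME: only a truncated header is reported; data cut off after the header still returns TRUE */`. The `g_return_val_if_fail(context != NULL, TRUE)` just above the new block still reports success for a NULL context, which now sits oddly next to a failure path; it is unchanged behaviour, but worth a comment if it is intentional. The function's signature line is outside the hunk.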
@@ -1,2 +1,6 @@
 skip-perturb-for-cve-2015-4491-original-test.patch
 CVE-2016-6352.patch
+CVE-2017-2870.patch
+CVE-2017-2862-part1.patch
+CVE-2017-2862-part2.patch
+CVE-2017-6311.patch