BugTraq
[ MDVSA-2011:009 ] gif2png Jan 14 2011 08:34PM
security mandriva com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2011:009
http://www.mandriva.com/security/
_______________________________________________________________________

Package : gif2png
Date : January 14, 2011
Affected: 2009.0, 2010.0, 2010.1
_______________________________________________________________________

Problem Description:

A vulnerability has been found and corrected in gif2png:

Stack-based buffer overflow in gif2png.c in gif2png 2.5.3 and earlier
might allow context-dependent attackers to execute arbitrary code
via a long command-line argument, as demonstrated by a CGI program
that launches gif2png (CVE-2009-5018).

Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow
context-dependent attackers to cause a denial of service (application
crash) or have unspecified other impact via a GIF file that contains
many images, leading to long extensions such as .p100 for PNG output
files, as demonstrated by a CGI program that launches gif2png,
a different vulnerability than CVE-2009-5018 (CVE-2010-4694).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5018
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4694
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2009.0:
ad8928a60b604f88f26c2afc05af1b60 2009.0/i586/gif2png-2.5.1-4.1mdv2009.0.i586.rpm
5cfa8cf8ed1cee759d0483bd27d78a10 2009.0/SRPMS/gif2png-2.5.1-4.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
001e10adb1f8d4e979161b5598ce757b 2009.0/x86_64/gif2png-2.5.1-4.1mdv2009.0.x86_64.rpm
5cfa8cf8ed1cee759d0483bd27d78a10 2009.0/SRPMS/gif2png-2.5.1-4.1mdv2009.0.src.rpm

Mandriva Linux 2010.0:
0a4de7448cecc56c05e6cf6a08e85395 2010.0/i586/gif2png-2.5.1-6.1mdv2010.0.i586.rpm
2eb73d21b89309cf6a417d131c217a9e 2010.0/SRPMS/gif2png-2.5.1-6.1mdv2010.0.src.rpm

Mandriva Linux 2010.0/X86_64:
c25ad03c6914525e69544d064929c253 2010.0/x86_64/gif2png-2.5.1-6.1mdv2010.0.x86_64.rpm
2eb73d21b89309cf6a417d131c217a9e 2010.0/SRPMS/gif2png-2.5.1-6.1mdv2010.0.src.rpm

Mandriva Linux 2010.1:
351ca35a5a9869a1ea078fa61ae1bba4 2010.1/i586/gif2png-2.5.2-2.1mdv2010.2.i586.rpm
1288d1f24726c3cc4782ef30f120748d 2010.1/SRPMS/gif2png-2.5.2-2.1mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
5486b74d0f270b32f042a056235d068e 2010.1/x86_64/gif2png-2.5.2-2.1mdv2010.2.x86_64.rpm
1288d1f24726c3cc4782ef30f120748d 2010.1/SRPMS/gif2png-2.5.2-2.1mdv2010.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNMIS7mqjQ0CJFipgRAidtAJsEtQoS77Bas6dy8hT7MQbYWdblsgCg8y4b
UuFSb8f/D/p6vDh/EVqNxrk=
=ZZYZ
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus