Bug 351698 (CVE-2010-4695) - <media-gfx/gif2png-2.5.8 Fedora patch introduces arbitrary file creation vulnerability (CVE-2010-{4694,4695})
Status: RESOLVED FIXED
Alias: CVE-2010-4695
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: B2 [glsa]
Reported: 2011-01-14 21:11 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2012-03-16 11:49 UTC
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-14 21:11:48 UTC
I'm not sure whether Gentoo is affected, but it seems it is.

A certain Fedora patch for gif2png.c in gif2png 2.5.1 and 2.5.2, as distributed in gif2png-2.5.1-1200.fc12 on Fedora 12 and gif2png_2.5.2-1 on Debian GNU/Linux, truncates a GIF pathname specified on the command line, which might allow remote attackers to create PNG files in unintended directories via a crafted command-line argument, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.
Comment 1 Martin Walch 2011-01-14 22:40:14 UTC
Is this the same as bug #346501? That one has been fixed in December (2010) with gif2png-2.5.1-overflow.patch.

btw: gif2png could need an update (gif2png 2.5.4 is the latest version, 2.5.1 is in portage).
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-01-15 05:01:40 UTC
We also need to look at this issue:

CVE-2010-4694
Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow context-dependent attackers to cause a denial of service (application crash) or have unspecified other impact via a GIF file that contains many images, leading to long extensions such as .p100 for PNG output files, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-15 10:00:25 UTC
(In reply to comment #1)
> Is this the same as bug #346501? That one has been fixed in December (2010)
> with gif2png-2.5.1-overflow.patch.

Not sure. The vulnerability is clearly different ("a different vulnerability than CVE-2009-5018"), but due to the advisory delays the updated patch could have been used.

And CVE-2010-4694 is yet another issue.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2011-01-21 11:16:30 UTC
CVE-2010-4694 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4694):
  Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow
  context-dependent attackers to cause a denial of service (application
  crash) or have unspecified other impact via a GIF file that contains
  many images, leading to long extensions such as .p100 for PNG output
  files, as demonstrated by a CGI program that launches gif2png, a
  different vulnerability than CVE-2009-5018.

CVE-2010-4695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4695):
  A certain Fedora patch for gif2png.c in gif2png 2.5.1 and 2.5.2, as
  distributed in gif2png-2.5.1-1200.fc12 on Fedora 12 and
  gif2png_2.5.2-1 on Debian GNU/Linux, truncates a GIF pathname
  specified on the command line, which might allow remote attackers to
  create PNG files in unintended directories via a crafted command-line
  argument, as demonstrated by a CGI program that launches gif2png, a
  different vulnerability than CVE-2009-5018.
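
Added example, not part of this bug report and not gif2png or Fedora patch code: a C sketch of the two failure modes quoted above (silent truncation of the input pathname, and long extensions such as .p100) next to a checked form that refuses an over-long name. The function names, the sample path and the assumed naming scheme (".png" for the first image, ".p<n>" for later ones) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not gif2png code. Assumed naming scheme: image 0 ->
 * "<base>.png", image n > 0 -> "<base>.p<n>" (e.g. ".p100" for many images). */
static int build(const char *gif, unsigned idx, char *out, size_t outsz,
                 int allow_trunc)
{
    char ext[16];                        /* ".p4294967295" plus NUL fits */
    int elen = idx == 0 ? snprintf(ext, sizeof ext, ".png")
                        : snprintf(ext, sizeof ext, ".p%02u", idx);
    size_t base = strlen(gif);

    if (elen < 0 || (size_t)elen >= sizeof ext || (size_t)elen + 1 >= outsz)
        return -1;
    /* Drop a trailing ".gif" so "a.gif" becomes "a.png". */
    if (base >= 4 && strcmp(gif + base - 4, ".gif") == 0)
        base -= 4;
    if (base == 0)
        return -1;
    if (base + (size_t)elen + 1 > outsz) {
        if (!allow_trunc)
            return -1;                   /* checked: refuse, never shorten */
        base = outsz - (size_t)elen - 1; /* truncating: path silently changes */
    }
    memcpy(out, gif, base);
    memcpy(out + base, ext, (size_t)elen + 1);    /* copies the NUL too */
    return 0;
}

/* The failure mode: the result always fits, but may name another location. */
int png_name_truncating(const char *gif, unsigned idx, char *out, size_t n)
{ return build(gif, idx, out, n, 1); }

/* The hardened form: an over-long name is an error the caller must handle. */
int png_name_checked(const char *gif, unsigned idx, char *out, size_t n)
{ return build(gif, idx, out, n, 0); }

int main(void)
{
    const char *in = "/srv/uploads/in/a.gif";     /* constructed sample path */
    char small[16], big[64];

    if (png_name_truncating(in, 0, small, sizeof small) == 0)
        printf("truncating: %s\n", small);
    printf("checked, 16 bytes: %d\n", png_name_checked(in, 0, small, sizeof small));
    if (png_name_checked(in, 100, big, sizeof big) == 0)
        printf("checked, 64 bytes: %s\n", big);
    return 0;
}
```

With the 16-byte buffer the truncating form produces a name in a parent directory of the one the caller specified, while the checked form returns an error and writes nothing.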

Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-09 00:03:40 UTC
Upstream has released 2.5.7 which includes the fix for CVE-2009-5018 and should obsolete CVE-2010-4694 and CVE-2010-4695.
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2012-03-09 09:39:33 UTC
(In reply to comment #5)
> Upstream has released 2.5.7 which includes the fix for CVE-2009-5018 and
> should obsolete CVE-2010-4694 and CVE-2010-4695.

Upstream released 2.5.8 shortly after that with NEWS entry of:

* 2.5.8 @ 2012-03-09
Codebase is now statically checked using splint, with stronger type safety.
* 2.5.7 @ 2012-03-08
Fix CVE-2009-5018, filename buffer overflow bug detected by Gentoo security.

Let's go with this.

Arches, please test and mark stable:

=media-gfx/gif2png-2.5.8 "amd64 ppc ppc64 sparc x86"
Comment 7 Samuli Suominen (RETIRED) gentoo-dev 2012-03-09 21:53:34 UTC
amd64/ppc/ppc64/x86 stable, sparc dropped to ~arch, all arches done
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-09 22:46:53 UTC
Thanks, everyone. GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-03-16 11:49:58 UTC
This issue was resolved and addressed in
 GLSA 201203-15 at http://security.gentoo.org/glsa/glsa-201203-15.xml
by GLSA coordinator Sean Amoss (ackle).