Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 435340 (CVE-2012-4432) - <media-gfx/optipng-0.7.3 : Palette Reduction Use-After-Free Vulnerability (CVE-2012-4432)
Summary: <media-gfx/optipng-0.7.3 : Palette Reduction Use-After-Free Vulnerability (CV...
Status: RESOLVED FIXED
Alias: CVE-2012-4432
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/50654/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-17 16:07 UTC by Agostino Sarubbo
Modified: 2014-04-07 20:31 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-09-17 16:07:53 UTC 
Description
A vulnerability has been reported in OptiPNG, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused due to a use-after-free error related to the palette reduction functionality. No further information is currently available.

Success exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 0.7, 0.7.1, and 0.7.2.


Solution
Update to version 0.7.3.
Comment 1 Sebastian Pipping gentoo-dev 2012-09-17 17:56:01 UTC 
+*optipng-0.7.3 (17 Sep 2012)
+
+  17 Sep 2012; Sebastian Pipping <sping@gentoo.org> +optipng-0.7.3.ebuild:
+  Bump to 0.7.3 (bug #435340)
+
Comment 2 Agostino Sarubbo gentoo-dev 2012-09-17 18:07:22 UTC 
Arches, please test and mark stable:
=media-gfx/optipng-0.7.3
Target KEYWORDS : "amd64 ppc ppc64 x86"
Comment 3 Andreas Schürch gentoo-dev 2012-09-18 04:46:51 UTC 
x86 done.
Comment 4 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-09-21 19:09:19 UTC 
Tested amd64.

Just for ebuild improvement, use "econf" instead of "./configure".
Also, it calls gcc directly in "test phase", instead of x86_64-pc-linux-gnu-gcc.
Comment 5 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-09-21 19:22:11 UTC 
(In reply to comment #4)
> Tested amd64.
> 
> Just for ebuild improvement, use "econf" instead of "./configure".
> Also, it calls gcc directly in "test phase", instead of
> x86_64-pc-linux-gnu-gcc.

Forget about econf, it fails if you try to use it.


./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 -with-system-libpng -with-system-zlib --disable-silent-rules
error: unknown option: --build=x86_64-pc-linux-gnu
Comment 6 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-09-21 19:28:27 UTC 
Also, it calls ar and ranlib, instead of x86_64-pc-linux-gnu-ar and x86_64-pc-linux-gnu-ranlib.
Comment 7 Agostino Sarubbo gentoo-dev 2012-09-21 20:13:44 UTC 
amd64 stable
Comment 8 Anthony Basile gentoo-dev 2012-09-22 02:21:09 UTC 
stable ppc ppc64
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-22 15:26:54 UTC 
Thanks, everyone.

New GLSA request filed.

Maintainers, please drop vulnerable versions.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-10-01 21:35:25 UTC 
CVE-2012-4432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4432):
  Use-after-free vulnerability in opngreduc.c in OptiPNG Hg and 0.7.x before
  0.7.3 might allow remote attackers to execute arbitrary code via unspecified
  vectors related to "palette reduction."
Comment 11 Justin Lecher (RETIRED) gentoo-dev 2012-12-19 08:12:33 UTC 
 22 Sep 2012; Agostino Sarubbo <ago@gentoo.org> -optipng-0.7.1.ebuild,
  -optipng-0.7.2.ebuild, -optipng-0.7.ebuild:
  Remove old

vulnerable versions are removed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-04-07 20:31:25 UTC 
This issue was resolved and addressed in
 GLSA 201404-03 at http://security.gentoo.org/glsa/glsa-201404-03.xml
by GLSA coordinator Mikle Kolyada (Zlogene).