| Summary: | media-libs/freeimage ships copies of libpng and libtiff (CVE-2008-{1382,2327,3964,5907,6218}, CVE-2009-0040) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | basic, binki, games, joost.ruis, sydro |
| Priority: | High | Keywords: | PMASKED |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | ? [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 251112 | | |
| Bug Blocks: | | | |
Description

Robert Buchholz (RETIRED) 2009-05-12 08:30:03 UTC

CVE-2008-6218 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6218): Memory leak in the png_handle_tEXt function in pngrutil.c in libpng before 1.2.33 rc02 and 1.4.0 beta36 allows context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted PNG file.

See also bug 234080, bug 259578, bug 255231, bug 244808, bug 237175.

New version seems to have updated the libraries: http://freeimage.sourceforge.net/news.html "The library has been updated with the new libtiff (3.9.0), libpng (1.2.35) and OpenJPEG (1.3.0)"

removed media-libs/freeimage

*** Bug 300601 has been marked as a duplicate of this bug. ***

(In reply to comment #4)
> removed media-libs/freeimage

The package is no longer in the tree. Should we make the decision about GLSA for users who might still have it installed on their systems?

Gone for over a year, closing noglsa, feel free to reopen.