Bug 269516

Summary: media-libs/freeimage ships copies of libpng and libtiff (CVE-2008-{1382,2327,3964,5907,6218}, CVE-2009-0040)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: basic, binki, games, joost.ruis, sydro
Priority: High
Keywords: PMASKED
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ? [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 251112
Bug Blocks:

Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-12 08:30:03 UTC
freeimage ships outdated copies of libpng and libtiff which are vulnerable to the following security issues:

CVE-2008-1382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1382):
  libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01
  through 1.4.0beta19 allows context-dependent attackers to cause a
  denial of service (crash) and possibly execute arbitrary code via a
  PNG file with zero length "unknown" chunks, which trigger an access
  of uninitialized memory.
CVE-2008-2327 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2327):
  Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat,
  and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in
  LibTIFF 3.8.2 and earlier allow context-dependent attackers to
  execute arbitrary code via a crafted TIFF file, related to improper
  handling of the CODE_CLEAR code.
CVE-2008-3964 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3964):
  Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4
  before 1.4.0beta34, allow context-dependent attackers to cause a
  denial of service (crash) or have unspecified other impact via a PNG
  image with crafted zTXt chunks, related to (1) the png_push_read_zTXt
  function in pngread.c, and possibly related to (2) pngtest.c.
CVE-2008-5907 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5907):
  The png_check_keyword function in pngwutil.c in libpng before 1.0.42,
  and 1.2.x before 1.2.34, might allow context-dependent attackers to
  set the value of an arbitrary memory location to zero via vectors
  involving creation of crafted PNG files with keywords, related to an
  implicit cast of the '\0' character constant to a NULL pointer.
  NOTE: some sources incorrectly report this as a double free
  vulnerability.
CVE-2009-0040 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0040):
  The PNG reference library (aka libpng) before 1.0.43, and 1.2.x
  before 1.2.35, as used in pngcrush and other applications, allows
  context-dependent attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via a crafted PNG file that
  triggers a free of an uninitialized pointer in (1) the png_read_png
  function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma
  tables.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-05-12 08:32:35 UTC
CVE-2008-6218 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6218):
  Memory leak in the png_handle_tEXt function in pngrutil.c in libpng
  before 1.2.33 rc02 and 1.4.0 beta36 allows context-dependent
  attackers to cause a denial of service (memory exhaustion) via a
  crafted PNG file.
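The problem the bug describes is a vendored library that silently falls behind the system copy. The following is an added example, not code from this bug or from the FreeImage project: it walks a source tree, picks up the version macros that libpng (`PNG_LIBPNG_VER_STRING` in `png.h`) and libtiff (`TIFFLIB_VERSION_STR` in `tiffvers.h`) define, and compares them against the fix levels stated in the CVE texts above (libpng 1.0.43 / 1.2.35 for CVE-2009-0040, 1.4.0beta36 for CVE-2008-6218; libtiff 3.8.2 and earlier for CVE-2008-2327). The `Source/LibPNG` and `Source/LibTIFF` paths in the constructed sample tree are an assumption about FreeImage's layout, and the sample headers are written by the script itself, not taken from any release.

```python
"""Find bundled copies of libpng/libtiff in a source tree and flag ones that
predate the fix levels quoted in this bug (added example, not FreeImage code)."""
import os
import re
import tempfile

FINAL = 10**6  # ordinal for a final release; betaN and rcN sort below it

# "1.2.33 rc02" -> (1, 2, 33, 1002); "1.4.0beta19" -> (1, 4, 0, 19); "3.9.0" -> (3, 9, 0, FINAL)
_VER_RE = re.compile(r'^\s*(\d+)\.(\d+)\.(\d+)\s*(?:(beta|rc)\s*0*(\d+))?', re.I)


def parse_version(s):
    """Turn a libpng/libtiff version string into a comparable tuple."""
    m = _VER_RE.match(s)
    if not m:
        raise ValueError("unparseable version: %r" % s)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4) is None:
        pre = FINAL
    elif m.group(4).lower() == "beta":
        pre = int(m.group(5))
    else:  # rc
        pre = 1000 + int(m.group(5))
    return (major, minor, patch, pre)


# First fixed version per libpng branch, taken from the CVE texts in this bug.
PNG_FIXED = {
    (1, 0): parse_version("1.0.43"),       # CVE-2009-0040: before 1.0.43
    (1, 2): parse_version("1.2.35"),       # CVE-2009-0040: 1.2.x before 1.2.35
    (1, 4): parse_version("1.4.0beta36"),  # CVE-2008-6218: before 1.4.0 beta36
}
TIFF_LAST_VULNERABLE = parse_version("3.8.2")  # CVE-2008-2327: 3.8.2 and earlier


def check_libpng(ver):
    v = parse_version(ver)
    fixed = PNG_FIXED.get(v[:2])
    if fixed is None:
        return "unknown branch"  # not covered by the CVEs above; review by hand
    return "vulnerable" if v < fixed else "ok"


def check_libtiff(ver):
    return "vulnerable" if parse_version(ver) <= TIFF_LAST_VULNERABLE else "ok"


# Version macros as the upstream headers define them.
PNG_RE = re.compile(r'#define\s+PNG_LIBPNG_VER_STRING\s+"([^"]+)"')
TIFF_RE = re.compile(r'#define\s+TIFFLIB_VERSION_STR\s+"LIBTIFF, Version (\d+\.\d+\.\d+)')


def scan_tree(root):
    """Return sorted [(relative_path, library, version, status)] for each bundled copy."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == "png.h":
                lib, rx, check = "libpng", PNG_RE, check_libpng
            elif name == "tiffvers.h":
                lib, rx, check = "libtiff", TIFF_RE, check_libtiff
            else:
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as f:
                m = rx.search(f.read())
            if m:
                findings.append((os.path.relpath(path, root), lib, m.group(1), check(m.group(1))))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree (assumed FreeImage-like layout, not real sources)."""
    root = tempfile.mkdtemp(prefix="bundled-libs-scan-")
    samples = {
        "Source/LibPNG/png.h": '#define PNG_LIBPNG_VER_STRING "1.2.26"\n',
        "Source/LibTIFF/tiffvers.h":
            '#define TIFFLIB_VERSION_STR "LIBTIFF, Version 3.8.2\\nCopyright (c) 1988-1996 Sam Leffler"\n',
        "Source/FreeImage/Plugin.cpp": "// not a library header\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for rel, lib, ver, status in scan_tree(build_sample_tree()):
        print("%-14s %-8s %-12s %s" % (status, lib, ver, rel))
```

Point `scan_tree` at an unpacked FreeImage tarball (or any package's `WORKDIR`) to get the same report for real sources; a branch the table does not know is reported as "unknown branch" rather than silently passed.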
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-05-12 08:33:22 UTC
See also bug 234080, bug 259578, bug 255231, bug 244808, bug 244808, bug 237175.
Comment 3 Peter Hüwe 2009-07-09 21:06:26 UTC
New version seems to have updated the libraries:

http://freeimage.sourceforge.net/news.html
"The library has been updated with the new libtiff (3.9.0), libpng (1.2.35) and OpenJPEG (1.3.0) "
Comment 4 Tristan Heaven (RETIRED) gentoo-dev 2009-11-05 01:55:49 UTC
removed media-libs/freeimage
Comment 5 Angelo D'Autilia (sYdRo) 2010-01-11 20:51:09 UTC
*** Bug 300601 has been marked as a duplicate of this bug. ***
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 12:16:26 UTC
(In reply to comment #4)
> removed media-libs/freeimage

The package is no longer in the tree. Should we make the decision about GLSA for users who might still have it installed on their systems?
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2011-01-10 19:14:31 UTC
Gone for over a year, closing noglsa, feel free to reopen.