| Field | Value |
|---|---|
| Summary | <media-gfx/gif2png-2.5.8 Fedora patch introduces arbitrary file creation vulnerability (CVE-2010-{4694,4695}) |
| Product | Gentoo Security |
| Reporter | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | graphics+disabled, walch.martin |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4695 |
| Whiteboard | B2 [glsa] |
| Package list | |
| Runtime testing required | --- |
Description
Paweł Hajdan, Jr. (RETIRED)
2011-01-14 21:11:48 UTC
Is this the same as bug #346501? That one has been fixed in December (2010) with gif2png-2.5.1-overflow.patch.

btw: gif2png could need an update (gif2png 2.5.4 is the latest version, 2.5.1 is in portage).

We also need to look at this issue:

CVE-2010-4694: Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow context-dependent attackers to cause a denial of service (application crash) or have unspecified other impact via a GIF file that contains many images, leading to long extensions such as .p100 for PNG output files, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.

(In reply to comment #1)
> Is this the same as bug #346501? That one has been fixed in December (2010)
> with gif2png-2.5.1-overflow.patch.

Not sure. The vulnerability is clearly different ("a different vulnerability than CVE-2009-5018"), but due to the advisory delays the updated patch could have been used.

And CVE-2010-4694 is yet another issue.

CVE-2010-4694 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4694):
Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow context-dependent attackers to cause a denial of service (application crash) or have unspecified other impact via a GIF file that contains many images, leading to long extensions such as .p100 for PNG output files, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.

CVE-2010-4695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4695):
A certain Fedora patch for gif2png.c in gif2png 2.5.1 and 2.5.2, as distributed in gif2png-2.5.1-1200.fc12 on Fedora 12 and gif2png_2.5.2-1 on Debian GNU/Linux, truncates a GIF pathname specified on the command line, which might allow remote attackers to create PNG files in unintended directories via a crafted command-line argument, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.
Upstream has released 2.5.7 which includes the fix for CVE-2009-5018 and should obsolete CVE-2010-4694 and CVE-2010-4695.

(In reply to comment #5)
> Upstream has released 2.5.7 which includes the fix for CVE-2009-5018 and
> should obsolete CVE-2010-4694 and CVE-2010-4695.

Upstream released 2.5.8 shortly after that with NEWS entry of:

* 2.5.8 @ 2012-03-09
  Codebase is now statically checked using splint, with stronger type safety.

* 2.5.7 @ 2012-03-08
  Fix CVE-2009-5018, filename buffer overflow bug detected by Gentoo security.

Let's go with this.

Arches, please test and mark stable:
=media-gfx/gif2png-2.5.8 "amd64 ppc ppc64 sparc x86"

amd64/ppc/ppc64/x86 stable, sparc dropped to ~arch, all arches done

Thanks, everyone. GLSA request filed.

This issue was resolved and addressed in GLSA 201203-15 at http://security.gentoo.org/glsa/glsa-201203-15.xml by GLSA coordinator Sean Amoss (ackle).
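The two CVE descriptions above share one root cause: the PNG output name is built from an attacker-influenced GIF path plus a per-image suffix, and the writer either overruns its buffer (CVE-2010-4694) or silently truncates the path so the file lands somewhere else (CVE-2010-4695). The following is an added illustration of the defensive pattern, not gif2png's own code and not from this bug; the `.png`/`.pN` naming scheme, the function name and the buffer sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Build the output name for image number `index` of `gif_path` into `out`.
 * Returns 0 on success, -1 if the result would not fit in `outsz` bytes.
 * A non-fitting name is an error, never a truncation: cutting a path short
 * can change which directory the file is created in, and copying a long
 * ".p100"-style suffix unchecked is the overflow. (Illustrative code; the
 * naming scheme is an assumption, not gif2png's actual behaviour.) */
int build_png_name(const char *gif_path, unsigned index, char *out, size_t outsz)
{
    const char *dot = strrchr(gif_path, '.');
    const char *slash = strrchr(gif_path, '/');
    size_t stem_len;
    int n;

    /* Strip a suffix only if it belongs to the last path component, so a
     * dot inside a directory name ("dir.d/pic") is left alone. */
    if (dot != NULL && (slash == NULL || dot > slash))
        stem_len = (size_t)(dot - gif_path);
    else
        stem_len = strlen(gif_path);

    /* snprintf never writes past outsz and reports the length the full
     * string would need; n >= outsz therefore means "did not fit". */
    if (index == 0)
        n = snprintf(out, outsz, "%.*s.png", (int)stem_len, gif_path);
    else
        n = snprintf(out, outsz, "%.*s.p%u", (int)stem_len, gif_path, index);

    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';   /* never hand back a partial path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[16];   /* deliberately small to show the refusal path */
    const char *inputs[] = { "pic.gif", "dir.d/pic", "averylongname.gif" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (build_png_name(inputs[i], 100, name, sizeof name) == 0)
            printf("%s -> %s\n", inputs[i], name);
        else
            printf("%s -> refused (would not fit)\n", inputs[i]);
    }
    return 0;
}
```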