Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 395367 (CVE-2012-0025)

Summary: <media-libs/libfpx-1.3.1_p6: "Free_All_Memory()" Double-Free Vulnerability (CVE-2012-0025)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: graphics+disabled, jer
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/47246/
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2011-12-20 14:49:59 UTC
From secunia security advisory at $URL:

Description:
The vulnerability is caused due to the "Free_All_Memory()" function (jpeg/dectile.c) not properly setting certain decoder elements to NULL after freeing them, which can be exploited to cause a double-free condition via specially crafted FPX images.

The vulnerability is confirmed in version 1.3.1. Prior versions may also be affected.

Solution:
Update to version 1.3.1-1.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-11-07 23:10:54 UTC
CVE-2012-0025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0025):
  Double free vulnerability in the Free_All_Memory function in jpeg/dectile.c
  in libfpx before 1.3.1-1, as used in the FlashPix PlugIn 4.2.2.0 for
  IrfanView, allows remote attackers to cause a denial of service (crash) via
  a crafted FPX image.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-02-20 06:38:46 UTC
# Aaron Bauman <bman@gentoo.org> (20 Feb 2016)
# No maintainer and unmitigated vulnerabilities.
# Masked for removal in 30 days. Bug 395367
media-libs/libfpx

Nothing depends on this package:

* These packages depend on media-libs/libfpx:
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-02-20 07:12:16 UTC
I apologize for the confusion.  Missed a switch on my run of equery.  Maintainer/project please bump package.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-20 11:47:12 UTC
Arch teams, please test and mark stable:
=media-libs/libfpx-1.3.1_p6
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-22 06:01:43 UTC
Stable for HPPA PPC64.
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-02 13:59:14 UTC
amd64 stable
Comment 8 Markus Meier gentoo-dev 2016-03-11 16:37:57 UTC
arm stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-14 18:35:36 UTC
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2016-03-15 16:39:13 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-03-16 12:04:06 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-03-19 11:36:05 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-03-20 12:00:49 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-04-06 23:25:10 UTC
GLSA request opened.  Thanks arches and maintainer for the effort.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2016-05-30 18:27:34 UTC
This issue was resolved and addressed in
 GLSA 201605-03 at https://security.gentoo.org/glsa/201605-03
by GLSA coordinator Yury German (BlueKnight).