
Bug 717948 (CVE-2019-17371)

Summary: <media-gfx/gif2png-2.5.14: Memory leak in writefile() (CVE-2019-17371)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: graphics+disabled, maintainer-needed, sam
Priority: Normal
Keywords: CC-ARCHES
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=688702
https://bugs.gentoo.org/show_bug.cgi?id=724518
Whiteboard: B3 [noglsa cve]
Package list:
media-gfx/gif2png-2.5.14
Runtime testing required: ---
Bug Depends on: 688702    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 21:28:53 UTC
CVE-2019-17371 (https://nvd.nist.gov/vuln/detail/CVE-2019-17371):
  gif2png 2.5.13 has a memory leak in the writefile function.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-04 01:54:46 UTC
It might just be simpler to package the Go port if the test failure is reproducible: bug 724518.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-19 01:14:08 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2021-03-01 09:20:23 UTC
amd64 stable
Comment 4 ernsteiswuerfel archtester 2021-03-04 19:23:25 UTC
Looking good on ppc64.

 # cat gif2png-717948.report 
USE tests started on Do 4. Mär 19:35:18 CET 2021

FEATURES=' test' USE='' succeeded for =media-gfx/gif2png-2.5.14
USE='' succeeded for =media-gfx/gif2png-2.5.14
Comment 5 ernsteiswuerfel archtester 2021-03-06 18:30:50 UTC
Looking good on ppc.

 # cat gif2png-717948.report 
USE tests started on Sa 6. Mär 19:27:20 CET 2021

FEATURES=' test' USE='' succeeded for =media-gfx/gif2png-2.5.14
USE='' succeeded for =media-gfx/gif2png-2.5.14
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-06 23:11:13 UTC
(In reply to ernsteiswuerfel from comment #5)
> Looking good on ppc.
> 
>  # cat gif2png-717948.report 
> USE tests started on Sa 6. Mär 19:27:20 CET 2021
> 
> FEATURES=' test' USE='' succeeded for =media-gfx/gif2png-2.5.14
> USE='' succeeded for =media-gfx/gif2png-2.5.14

ppc, ppc64 stable, thanks!
Comment 7 Larry the Git Cow gentoo-dev 2021-03-16 19:56:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=364b7b9d9ca03d1f29826e4a9dbc799da17412e1

commit 364b7b9d9ca03d1f29826e4a9dbc799da17412e1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-03-16 19:28:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-16 19:55:45 +0000

    media-gfx/gif2png: drop 2.5.9, 2.5.12
    
    Bug: https://bugs.gentoo.org/717948
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/gif2png/Manifest                         |  2 --
 .../gif2png/files/gif2png-2.5.12-makefile.patch    | 42 ----------------------
 media-gfx/gif2png/gif2png-2.5.12.ebuild            | 37 -------------------
 media-gfx/gif2png/gif2png-2.5.9.ebuild             | 19 ----------
 4 files changed, 100 deletions(-)