Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 269516 - media-libs/freeimage ships copies of libpng and libtiff (CVE-2008-{1382,2327,3964,5907,6218},CVE-2009-0040)
Summary: media-libs/freeimage ships copies of libpng and libtiff (CVE-2008-{1382,2327,...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: ? [noglsa]
Keywords: PMASKED
: 300601 (view as bug list)
Depends on: 251112
  Show dependency tree
Reported: 2009-05-12 08:30 UTC by Robert Buchholz (RETIRED)
Modified: 2014-12-27 21:54 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-12 08:30:03 UTC
freeimage ships outdated copies of libpng and libtiff which are vulnerable to the following security issues:

CVE-2008-1382 (
  libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01
  through 1.4.0beta19 allows context-dependent attackers to cause a
  denial of service (crash) and possibly execute arbitrary code via a
  PNG file with zero length "unknown" chunks, which trigger an access
  of uninitialized memory.
CVE-2008-2327 (
  Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat,
  and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in
  LibTIFF 3.8.2 and earlier allow context-dependent attackers to
  execute arbitrary code via a crafted TIFF file, related to improper
  handling of the CODE_CLEAR code.
CVE-2008-3964 (
  Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4
  before 1.4.0beta34, allow context-dependent attackers to cause a
  denial of service (crash) or have unspecified other impact via a PNG
  image with crafted zTXt chunks, related to (1) the png_push_read_zTXt
  function in pngread.c, and possibly related to (2) pngtest.c.
CVE-2008-5907 (
  The png_check_keyword function in pngwutil.c in libpng before 1.0.42,
  and 1.2.x before 1.2.34, might allow context-dependent attackers to
  set the value of an arbitrary memory location to zero via vectors
  involving creation of crafted PNG files with keywords, related to an
  implicit cast of the '\0' character constant to a NULL pointer.
  NOTE: some sources incorrectly report this as a double free
CVE-2009-0040 (
  The PNG reference library (aka libpng) before 1.0.43, and 1.2.x
  before 1.2.35, as used in pngcrush and other applications, allows
  context-dependent attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via a crafted PNG file that
  triggers a free of an uninitialized pointer in (1) the png_read_png
  function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-05-12 08:32:35 UTC
CVE-2008-6218 (
  Memory leak in the png_handle_tEXt function in pngrutil.c in libpng
  before 1.2.33 rc02 and 1.4.0 beta36 allows context-dependent
  attackers to cause a denial of service (memory exhaustion) via a
  crafted PNG file.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-05-12 08:33:22 UTC
See also bug 234080, bug 259578, bug 255231, bug 244808, bug 244808, bug 237175.
Comment 3 Peter Hüwe 2009-07-09 21:06:26 UTC
New Version seems to have updated the libraries:
"The library has been updated with the new libtiff (3.9.0), libpng (1.2.35) and OpenJPEG (1.3.0) "
Comment 4 Tristan Heaven (RETIRED) gentoo-dev 2009-11-05 01:55:49 UTC
removed media-libs/freeimage
Comment 5 Angelo D'Autilia (sYdRo) 2010-01-11 20:51:09 UTC
*** Bug 300601 has been marked as a duplicate of this bug. ***
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 12:16:26 UTC
(In reply to comment #4)
> removed media-libs/freeimage

The package is no longer in the tree. Should we make the decision about GLSA for users who might still have it installed on their systems?
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2011-01-10 19:14:31 UTC
Gone for over a year, closing noglsa, feel free to reopen.