Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 346501 (CVE-2009-5018) - <media-gfx/gif2png-2.5.1-r1: Command Line Stack Overflow (CVE-2009-5018)
Summary: <media-gfx/gif2png-2.5.1-r1: Command Line Stack Overflow (CVE-2009-5018)
Status: RESOLVED FIXED
Alias: CVE-2009-5018
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: B2 [glsa]
Keywords:
: 374641 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-11-23 05:45 UTC by Tim Sammut (RETIRED)
Modified: 2011-07-11 01:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-11-23 05:45:06 UTC
From the Secunia advisory at http://secunia.com/advisories/42339/: 

DESCRIPTION:
Fedora has issued an update for gif2png. This fixes a vulnerability,
which can be exploited by malicious people to potentially compromise
a vulnerable system.

The vulnerability is caused due to a boundary error when processing
overly long command line arguments. This can be exploited to e.g.
cause a stack-based buffer overflow by passing specially crafted
filenames to the application.


There is a patch at http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?revision=HEAD&root=extras&view=markup.

If I read the patch correctly, upstream's 2.5.3 is still vulnerable.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-11-23 05:46:40 UTC
Rating B2 since there appears to be many web applications using this app; and [ebuild] since we have a patch for 2.5.3.
Comment 2 Markus Meier gentoo-dev 2010-12-03 09:41:58 UTC
*gif2png-2.5.1-r1 (03 Dec 2010)

  03 Dec 2010; Markus Meier <maekke@gentoo.org> +gif2png-2.5.1-r1.ebuild,
  +files/gif2png-2.5.1-overflow.patch:
  fix overflow bug #346501
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2010-12-03 14:40:31 UTC
Arches, please test and mark stable:
=media-gfx/gif2png-2.5.1-r1
Target keywords : "amd64 ppc ppc64 sparc x86"
Comment 4 David Abbott gentoo-dev 2010-12-03 21:42:37 UTC
Archtested on x86: Everything fine
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-12-04 09:39:36 UTC
x86 stable, thanks David
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2010-12-04 17:30:17 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2010-12-04 19:32:09 UTC
amd64 ok
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2010-12-05 16:18:42 UTC
amd64 done. Thanks Agostino
Comment 9 Jeroen Roovers gentoo-dev 2010-12-08 16:48:57 UTC
Stable for PPC.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2010-12-10 19:40:04 UTC
ppc64 done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-12-10 20:36:28 UTC
GLSA Request filed.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-01-05 04:31:38 UTC
Thanks, folks. This is GLSA 201101-01.

http://www.gentoo.org/security/en/glsa/glsa-201101-01.xml
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-07-11 01:40:47 UTC
*** Bug 374641 has been marked as a duplicate of this bug. ***