Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 260265 (CVE-2009-0749) - <media-gfx/optipng-0.6.2-r1 GIF memory reallocation (CVE-2009-0749)
Summary: <media-gfx/optipng-0.6.2-r1 GIF memory reallocation (CVE-2009-0749)
Alias: CVE-2009-0749
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2009-02-25 16:22 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-09 13:07 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 16:22:11 UTC
All current OptiPNG versions are known to be vulnerable to memory reallocation attacks, due to a bug in the GIF image reader. (Many thanks to Roy Tam for the report, as well as the fix.) 

Comment 1 Tristan Heaven (RETIRED) gentoo-dev 2009-02-25 17:31:26 UTC
Patched in 0.6.2-r1
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 17:37:12 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 ppc x86"
Comment 3 Markus Meier gentoo-dev 2009-02-25 20:11:02 UTC
amd64/x86 stable
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-03-03 13:07:50 UTC
CVE-2009-0749 (
  Use-after-free vulnerability in the GIFReadNextExtension function in
  lib/pngxtern/gif/gifread.c in OptiPNG 0.6.2 and earlier allows
  context-dependent attackers to cause a denial of service (application
  crash) via a crafted GIF image that causes the realloc function to
  return a new pointer, which triggers memory corruption when the old
  pointer is accessed.

Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2009-03-04 20:23:11 UTC
ppc stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2009-03-06 16:27:27 UTC
alpha stable
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-03-09 13:07:14 UTC
GLSA 200903-12