I'm not sure whether Gentoo is affected, but it seems it is. A certain Fedora patch for gif2png.c in gif2png 2.5.1 and 2.5.2, as distributed in gif2png-2.5.1-1200.fc12 on Fedora 12 and gif2png_2.5.2-1 on Debian GNU/Linux, truncates a GIF pathname specified on the command line, which might allow remote attackers to create PNG files in unintended directories via a crafted command-line argument, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.
Is this the same as bug #346501? That one has been fixed in December (2010) with gif2png-2.5.1-overflow.patch. btw: gif2png could need an update (gif2png 2.5.4 is the latest version, 2.5.1 is in portage).
We also need to look at this issue: CVE-2010-4694 Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow context-dependent attackers to cause a denial of service (application crash) or have unspecified other impact via a GIF file that contains many images, leading to long extensions such as .p100 for PNG output files, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.
(In reply to comment #1)
> Is this the same as bug #346501? That one has been fixed in December (2010)
> with gif2png-2.5.1-overflow.patch.

Not sure. The vulnerability is clearly different ("a different vulnerability than CVE-2009-5018"), but due to the advisory delays the updated patch could have been used. And CVE-2010-4694 is yet another issue.
CVE-2010-4694 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4694):
Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow context-dependent attackers to cause a denial of service (application crash) or have unspecified other impact via a GIF file that contains many images, leading to long extensions such as .p100 for PNG output files, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.

CVE-2010-4695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4695):
A certain Fedora patch for gif2png.c in gif2png 2.5.1 and 2.5.2, as distributed in gif2png-2.5.1-1200.fc12 on Fedora 12 and gif2png_2.5.2-1 on Debian GNU/Linux, truncates a GIF pathname specified on the command line, which might allow remote attackers to create PNG files in unintended directories via a crafted command-line argument, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.
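The two advisories above describe the same class of defect from two sides: output-file names built from a user-supplied path plus a per-image extension, written into a fixed-size buffer, either overflow it (CVE-2010-4694, ".p100" on a many-image GIF) or get silently truncated so the file lands somewhere else (CVE-2010-4695). The following is an added illustration written for this bug, not gif2png's own source and not any of the distribution patches: the buffer size (256), the naming scheme (".png" for the first image, ".p<N>" for the rest, modelled on the ".p100" in the advisory) and every function name are assumptions. It shows the bounded construction that both bugs were missing, refusing a name that does not fit instead of overflowing or truncating it, and reproduces the exact boundary at which a name sized for ".png" no longer fits ".p100".

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not gif2png's code. The buffer size and the naming
 * scheme (".png" for image 0, ".p<N>" for later images, modelled on the
 * ".p100" in CVE-2010-4694) are assumptions made for this example. */
#define OUT_NAME_MAX 256   /* hypothetical fixed-size output-name buffer */

/* Length of gifpath without a trailing ".gif" / ".GIF". */
static size_t base_len(const char *gifpath)
{
    size_t n = strlen(gifpath);
    if (n >= 4) {
        const char *ext = gifpath + n - 4;
        if (ext[0] == '.' && (ext[1] == 'g' || ext[1] == 'G') &&
            (ext[2] == 'i' || ext[2] == 'I') && (ext[3] == 'f' || ext[3] == 'F'))
            n -= 4;
    }
    return n;
}

/* Bounded builder: writes the output name for image `index` into out[outsz].
 * Returns 0 on success, -1 when the full name would not fit. snprintf never
 * writes past outsz, and the explicit length check is what an unbounded
 * sprintf/strcpy into a fixed array lacks. A name that does not fit is
 * refused outright: silently truncating it is how a path can end up pointing
 * at a different file or directory (the CVE-2010-4695 pattern). */
int build_output_name(char *out, size_t outsz, const char *gifpath, unsigned index)
{
    int need = (index == 0)
        ? snprintf(out, outsz, "%.*s.png", (int)base_len(gifpath), gifpath)
        : snprintf(out, outsz, "%.*s.p%u", (int)base_len(gifpath), gifpath, index);
    if (need < 0 || (size_t)need >= outsz) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Convenience wrapper returning the name from a static buffer ("" on refusal). */
const char *output_name(const char *gifpath, unsigned index)
{
    static char buf[OUT_NAME_MAX];
    build_output_name(buf, sizeof buf, gifpath, index);
    return buf;
}

/* Reproduces the shape of CVE-2010-4694 with constructed input: a path chosen
 * so "<base>.png" exactly fills the buffer while "<base>.p100" needs one byte
 * more. Returns 1 when the bounded builder accepts the first and rejects the
 * second; an unbounded sprintf would have written past the array here. */
int demo_many_images_overflow(void)
{
    char gif[OUT_NAME_MAX + 8];
    char out[OUT_NAME_MAX];
    size_t base = OUT_NAME_MAX - 1 - 4;     /* 251: base + ".png" + NUL == 256 */
    memset(gif, 'a', base);
    memcpy(gif + base, ".gif", 5);          /* constructed input, includes NUL */
    int first_ok  = build_output_name(out, sizeof out, gif, 0)   == 0;
    int hundredth = build_output_name(out, sizeof out, gif, 100) == 0;
    return first_ok && !hundredth;
}

int main(void)
{
    printf("%s\n", output_name("anim.gif", 0));
    printf("%s\n", output_name("anim.gif", 100));
    printf("overflow case refused: %d\n", demo_many_images_overflow());
    return 0;
}
```

The practical check for a packager is the same one the demo encodes: feed the converter a GIF with enough frames that the extension grows (".p100" and beyond) and a path long enough that the first name only just fits, then confirm the tool refuses or errors rather than crashing or writing the output under a shortened name.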
Upstream has released 2.5.7 which includes the fix for CVE-2009-5018 and should obsolete CVE-2010-4694 and CVE-2010-4695.
(In reply to comment #5)
> Upstream has released 2.5.7 which includes the fix for CVE-2009-5018 and
> should obsolete CVE-2010-4694 and CVE-2010-4695.

Upstream released 2.5.8 shortly after that with NEWS entry of:

* 2.5.8 @ 2012-03-09
  Codebase is now statically checked using splint, with stronger type safety.

* 2.5.7 @ 2012-03-08
  Fix CVE-2009-5018, filename buffer overflow bug detected by Gentoo security.

Let's go with this. Arches, please test and mark stable:
=media-gfx/gif2png-2.5.8 "amd64 ppc ppc64 sparc x86"
amd64/ppc/ppc64/x86 stable, sparc dropped to ~arch, all arches done
Thanks, everyone. GLSA request filed.
This issue was resolved and addressed in GLSA 201203-15 at http://security.gentoo.org/glsa/glsa-201203-15.xml by GLSA coordinator Sean Amoss (ackle).