[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1PdqLR-00071G-0A@titan.mandriva.com>
Date: Fri, 14 Jan 2011 21:34:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2011:009 ] gif2png
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:009
http://www.mandriva.com/security/
_______________________________________________________________________
Package : gif2png
Date : January 14, 2011
Affected: 2009.0, 2010.0, 2010.1
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in gif2png:
Stack-based buffer overflow in gif2png.c in gif2png 2.5.3 and earlier
might allow context-dependent attackers to execute arbitrary code
via a long command-line argument, as demonstrated by a CGI program
that launches gif2png (CVE-2009-5018).
Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow
context-dependent attackers to cause a denial of service (application
crash) or have unspecified other impact via a GIF file that contains
many images, leading to long extensions such as .p100 for PNG output
files, as demonstrated by a CGI program that launches gif2png,
a different vulnerability than CVE-2009-5018 (CVE-2010-4694).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5018
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4694
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
ad8928a60b604f88f26c2afc05af1b60 2009.0/i586/gif2png-2.5.1-4.1mdv2009.0.i586.rpm
5cfa8cf8ed1cee759d0483bd27d78a10 2009.0/SRPMS/gif2png-2.5.1-4.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
001e10adb1f8d4e979161b5598ce757b 2009.0/x86_64/gif2png-2.5.1-4.1mdv2009.0.x86_64.rpm
5cfa8cf8ed1cee759d0483bd27d78a10 2009.0/SRPMS/gif2png-2.5.1-4.1mdv2009.0.src.rpm
Mandriva Linux 2010.0:
0a4de7448cecc56c05e6cf6a08e85395 2010.0/i586/gif2png-2.5.1-6.1mdv2010.0.i586.rpm
2eb73d21b89309cf6a417d131c217a9e 2010.0/SRPMS/gif2png-2.5.1-6.1mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
c25ad03c6914525e69544d064929c253 2010.0/x86_64/gif2png-2.5.1-6.1mdv2010.0.x86_64.rpm
2eb73d21b89309cf6a417d131c217a9e 2010.0/SRPMS/gif2png-2.5.1-6.1mdv2010.0.src.rpm
Mandriva Linux 2010.1:
351ca35a5a9869a1ea078fa61ae1bba4 2010.1/i586/gif2png-2.5.2-2.1mdv2010.2.i586.rpm
1288d1f24726c3cc4782ef30f120748d 2010.1/SRPMS/gif2png-2.5.2-2.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
5486b74d0f270b32f042a056235d068e 2010.1/x86_64/gif2png-2.5.2-2.1mdv2010.2.x86_64.rpm
1288d1f24726c3cc4782ef30f120748d 2010.1/SRPMS/gif2png-2.5.2-2.1mdv2010.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNMIS7mqjQ0CJFipgRAidtAJsEtQoS77Bas6dy8hT7MQbYWdblsgCg8y4b
UuFSb8f/D/p6vDh/EVqNxrk=
=ZZYZ
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists