Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[ MDVSA-2011:009 ] gif2png
From: security () mandriva com
Date: Fri, 14 Jan 2011 21:34:00 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:009
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : gif2png
 Date    : January 14, 2011
 Affected: 2009.0, 2010.0, 2010.1
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in gif2png:
 
 Stack-based buffer overflow in gif2png.c in gif2png 2.5.3 and earlier
 might allow context-dependent attackers to execute arbitrary code
 via a long command-line argument, as demonstrated by a CGI program
 that launches gif2png (CVE-2009-5018).
 
 Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow
 context-dependent attackers to cause a denial of service (application
 crash) or have unspecified other impact via a GIF file that contains
 many images, leading to long extensions such as .p100 for PNG output
 files, as demonstrated by a CGI program that launches gif2png,
 a different vulnerability than CVE-2009-5018 (CVE-2010-4694).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5018
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4694
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 ad8928a60b604f88f26c2afc05af1b60  2009.0/i586/gif2png-2.5.1-4.1mdv2009.0.i586.rpm 
 5cfa8cf8ed1cee759d0483bd27d78a10  2009.0/SRPMS/gif2png-2.5.1-4.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 001e10adb1f8d4e979161b5598ce757b  2009.0/x86_64/gif2png-2.5.1-4.1mdv2009.0.x86_64.rpm 
 5cfa8cf8ed1cee759d0483bd27d78a10  2009.0/SRPMS/gif2png-2.5.1-4.1mdv2009.0.src.rpm

 Mandriva Linux 2010.0:
 0a4de7448cecc56c05e6cf6a08e85395  2010.0/i586/gif2png-2.5.1-6.1mdv2010.0.i586.rpm 
 2eb73d21b89309cf6a417d131c217a9e  2010.0/SRPMS/gif2png-2.5.1-6.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 c25ad03c6914525e69544d064929c253  2010.0/x86_64/gif2png-2.5.1-6.1mdv2010.0.x86_64.rpm 
 2eb73d21b89309cf6a417d131c217a9e  2010.0/SRPMS/gif2png-2.5.1-6.1mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 351ca35a5a9869a1ea078fa61ae1bba4  2010.1/i586/gif2png-2.5.2-2.1mdv2010.2.i586.rpm 
 1288d1f24726c3cc4782ef30f120748d  2010.1/SRPMS/gif2png-2.5.2-2.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 5486b74d0f270b32f042a056235d068e  2010.1/x86_64/gif2png-2.5.2-2.1mdv2010.2.x86_64.rpm 
 1288d1f24726c3cc4782ef30f120748d  2010.1/SRPMS/gif2png-2.5.2-2.1mdv2010.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNMIS7mqjQ0CJFipgRAidtAJsEtQoS77Bas6dy8hT7MQbYWdblsgCg8y4b
UuFSb8f/D/p6vDh/EVqNxrk=
=ZZYZ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [ MDVSA-2011:009 ] gif2png security (Jan 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]