GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Wed Jan 05, 2011 4:26 am Post subject: [ GLSA 201101-01 ] gif2png: User-assisted execution of arbit |
|
|
Gentoo Linux Security Advisory
Title: gif2png: User-assisted execution of arbitrary code (GLSA 201101-01)
Severity: normal
Exploitable: remote
Date: January 05, 2011
Bug(s): #346501
ID: 201101-01
Synopsis
gif2png contains a stack overflow vulnerability when parsing command line
arguments.
Background
gif2png is a command line program that converts image files from the
Graphics Interchange Format (GIF) format to the Portable Network
Graphics (PNG) format.
Affected Packages
Package: media-gfx/gif2png
Vulnerable: < 2.5.1-r1
Unaffected: >= 2.5.1-r1
Architectures: All supported architectures
Description
gif2png contains a command line parsing vulnerability that may result
in a stack overflow due to an unexpectedly long input filename.
Impact
A remote attacker could entice a user to open a specially crafted
image, possibly resulting in the execution of arbitrary code with the
privileges of the user running the application, or a Denial of Service.
Note that applications relying on gif2png to process images can also
trigger the vulnerability.
Workaround
There is no known workaround at this time.
Resolution
All gif2png users should upgrade to the latest stable version:
Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/gif2png-2.5.1-r1" |
References
CVE-2009-5018
Last edited by GLSA on Fri Feb 06, 2015 4:29 am; edited 2 times in total |
|