Bug 3993

Summary: gif2png missing security update for CVE-2009-5018 and CVE-2010-4694
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: cazzaniga.sandro, dmorganec, fundawang, geiger.david68210, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: gif2png-2.5.2-3.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-01-01 20:03:15 CET 
Mandriva issued this advisory on January 14:
http://lists.mandriva.com/security-announce/2011-01/msg00011.php
Comment 1 Manuel Hiebel 2012-01-01 22:41:11 CET 
Hi, thanks for reporting this bug.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => cazzaniga.sandro, fundawang

Comment 2 D Morgan 2012-01-02 22:45:05 CET 
just pushed on the BS

CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2012-01-03 23:25:01 CET 
Works for me on i586.
Comment 4 David GEIGER 2012-01-09 09:42:32 CET 
Tested complete srpm gif2png-2.5.2-3.1.mga1.src.rpm on Mageia release 1 (Official) for x86_64.
Works for me too.

CC: (none) => geiger.david68210

Comment 5 David Walser 2012-01-09 14:34:11 CET 
Validating

Advisory:
========================

Updated gif2png package fixes security vulnerabilities:

Stack-based buffer overflow in gif2png.c in gif2png 2.5.3 and earlier
might allow context-dependent attackers to execute arbitrary code
via a long command-line argument, as demonstrated by a CGI program
that launches gif2png (CVE-2009-5018).
 
Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow
context-dependent attackers to cause a denial of service (application
crash) or have unspecified other impact via a GIF file that contains
many images, leading to long extensions such as .p100 for PNG output
files, as demonstrated by a CGI program that launches gif2png,
a different vulnerability than CVE-2009-5018 (CVE-2010-4694).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5018
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4694
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:009
========================

Updated package in core/updates_testing:
========================
gif2png-2.5.2-3.1.mga1

from gif2png-2.5.2-3.1.mga1.src.rpm
========================

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 6 Thomas Backlund 2012-01-09 15:16:08 CET 
update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED