Bug 857994 (CVE-2012-4432)

Summary: CVE-2012-4432 optipng : Palette Reduction Use-After-Free Vulnerability
Product: [Other] Security Response
Reporter: Agostino Sarubbo <ago>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jlieskov, jrusnack, opensource
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: optipng 0.7.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-09-18 09:50:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Agostino Sarubbo 2012-09-17 17:45:18 UTC
A vulnerability has been reported in OptiPNG, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused by a use-after-free error related to the palette reduction functionality. No further information is currently available.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions 0.7, 0.7.1, and 0.7.2.


Solution
Update to version 0.7.3.

Code commit:
http://optipng.hg.sourceforge.net/hgweb/optipng/optipng/rev/f1d5d44670a2

Additional info:
Versions 0.6.5 and earlier are not affected.

Comment 1 Jan Lieskovsky 2012-09-18 09:17:05 UTC
The CVE identifier of CVE-2012-4432 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2012/09/18/2

Comment 2 Jan Lieskovsky 2012-09-18 09:44:06 UTC
This issue does NOT affect the version of the optipng package as shipped with Fedora release 17 (it has already been updated to optipng-0.7.3-1.fc17 in the -testing repository, which contains the upstream patch).

--

This issue did NOT affect the versions of the optipng package as shipped with Fedora release 16, Fedora EPEL 6 and Fedora EPEL 6, as they did not contain the vulnerable functionality yet.