A buffer overflow flaw has been found in OptiPNG, the PNG image optimizer. This flaw is caused by a boundary error in the BMP image reader, responsible for handling BMP images. A local unprivileged user could use this flaw to execute arbitrary code by providing a specially crafted BMP image file to the optimizer.

Affected OptiPNG versions: all prior to 0.6.2

References:
http://sourceforge.net/project/shownotes.php?release_id=639631&group_id=151404
http://secunia.com/Advisories/32651/
http://www.frsirt.com/english/advisories/2008/3108/references
http://optipng.sourceforge.net/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505399

Proposed solution: Upgrade to OptiPNG 0.6.2 or apply the security patch against version 0.6.1, available at:
http://prdownloads.sourceforge.net/optipng/optipng-0.6.1.1.diff?download
An update to 0.6.2 for F10 has been built; inclusion into F10 Everything has been requested here: https://fedorahosted.org/rel-eng/ticket/1039
optipng-0.6.2-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/optipng-0.6.2-1.fc9
optipng-0.6.2-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/optipng-0.6.2-1.fc8
Also, a new build for devel (F11) was created: http://koji.fedoraproject.org/koji/taskinfo?taskID=928360
And so was a new build for EPEL 5: http://buildsys.fedoraproject.org/logs/fedora-5-epel/736-optipng-0.6.2-1.el5/
I also sent an e-mail to epel_signers-members at fp.o to request that the build be moved to EPEL stable.
optipng-0.6.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
optipng-0.6.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Huh, scop, where did that e-mail address come from? It is one of my email addresses but I had no idea there was a Bugzilla account with that address and I don't use it in Fedora context. Jan, based on the bug history, looks like the address was added to Cc by you, could you shed some light on this? My FAS username is scop, but @xemacs.org is not configured as my address there (and that's correct).
(And in case you're wondering, I received mails for all these comments today, the xemacs.org mail system is known to be somewhat slow.)
Hello Ville, I was searching Google for a record of "your name" in combination with "Fedora". This was working for me in the past and this is where scop came from. But now I have the right way to retrieve package maintainers' contact information. Thank you for pointing this out!
Ah, I see, thanks for the info. I wasn't aware that one could add non-Bugzilla-account email addresses to Cc nowadays and thought someone had registered an account with my @xemacs.org address.
Is it intended that this bug report is still in status "NEW"? I asked Bodhi to close the bug and normally it also sets the bug to status "MODIFIED" when an update is created. If Bodhi should have done the same for this bug, I will report a bug against Bodhi.
Bodhi has an intentional exception for 'Security Response' bugs, as they may affect other products besides Fedora as well.