Bug 471206 - (CVE-2008-5101) CVE-2008-5101 OptiPNG: Buffer overflow in BMP image handling reader
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high Severity: high
Assigned To: Red Hat Product Security
public=20081009,reported=20081012,imp...
Keywords: Security
Reported: 2008-11-12 06:59 EST by Jan Lieskovsky
Modified: 2009-02-25 11:29 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-02-25 11:29:20 EST
Description Jan Lieskovsky 2008-11-12 06:59:52 EST
A buffer overflow flaw has been found in the OptiPNG -- PNG image optimizer.
This flaw is caused due to a boundary error in the BMP image reader,
responsible for handling BMP images. A local unprivileged user could
use this flaw to execute arbitrary code by providing a specially crafted
BMP image file to the optimizer.

Affected OptiPNG versions: all prior to 0.6.2

References:
http://sourceforge.net/project/shownotes.php?release_id=639631&group_id=151404
http://secunia.com/Advisories/32651/
http://www.frsirt.com/english/advisories/2008/3108/references
http://optipng.sourceforge.net/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505399

Proposed solution:
Upgrade to OptiPNG 0.6.2 or apply the security patch against version 0.6.1,
available at:
http://prdownloads.sourceforge.net/optipng/optipng-0.6.1.1.diff?download
Comment 1 Till Maas 2008-11-12 07:38:42 EST
An update to 0.6.2 for F10 has been built; inclusion into F10 Everything has been requested here:
https://fedorahosted.org/rel-eng/ticket/1039
Comment 2 Fedora Update System 2008-11-12 08:00:48 EST
optipng-0.6.2-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/optipng-0.6.2-1.fc9
Comment 3 Fedora Update System 2008-11-12 08:02:09 EST
optipng-0.6.2-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/optipng-0.6.2-1.fc8
Comment 4 Till Maas 2008-11-12 08:05:25 EST
Also, a new build for devel (F11) was created:
http://koji.fedoraproject.org/koji/taskinfo?taskID=928360

And so was a new build for EPEL 5:
http://buildsys.fedoraproject.org/logs/fedora-5-epel/736-optipng-0.6.2-1.el5/

I also sent an e-mail to epel_signers-members at fp.o to request that the build is moved to EPEL stable.
Comment 5 Fedora Update System 2008-11-12 22:37:07 EST
optipng-0.6.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2008-11-12 22:37:48 EST
optipng-0.6.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Ville Skyttä 2008-11-14 10:31:55 EST
Huh, scop@xemacs.org, where did that e-mail address come from?  It is one of my email addresses but I had no idea there was a Bugzilla account with that address and I don't use it in Fedora context.

Jan, based on the bug history, looks like the address was added to Cc by you, could you shed some light on this?  My FAS username is scop, but @xemacs.org is not configured as my address there (and that's correct).
Comment 8 Ville Skyttä 2008-11-14 10:33:32 EST
(And in case you're wondering, I received mails for all these comments today, the xemacs.org mail system is known to be somewhat slow.)
Comment 9 Jan Lieskovsky 2008-11-14 10:47:13 EST
Hello Ville, I was searching Google for a record of "your name" in combination
with "Fedora". This was working for me in the past, and this is where scop@xemacs.org came from. But now I have the right way to retrieve
package maintainers' contact information.

Thank you for pointing this out!
Comment 10 Ville Skyttä 2008-11-17 12:50:37 EST
Ah, I see, thanks for the info.  I wasn't aware that one could add non-Bugzilla-account email addresses to Cc nowadays and thought someone had registered an account with my @xemacs.org address.
Comment 11 Till Maas 2008-11-19 05:09:40 EST
Is it intended that this bug report is still in status "NEW"? I asked Bodhi to close the bug and normally it also sets the bug to status "MODIFIED" when an update is created. If Bodhi should have done the same for this bug, I will report a bug against Bodhi.
Comment 12 Tomas Hoger 2008-11-19 12:28:47 EST
Bodhi has an intentional exception for 'Security Response' bugs, as they may affect other products besides Fedora as well.
