Red Hat Bugzilla – Bug 471206
CVE-2008-5101 OptiPNG: Buffer overflow in BMP image handling reader
Last modified: 2009-02-25 11:29:20 EST
A buffer overflow flaw has been found in OptiPNG, the PNG image optimizer.
This flaw is caused by a boundary error in the BMP image reader,
responsible for handling BMP images. A local unprivileged user could
use this flaw to execute arbitrary code by providing a specially crafted
BMP image file to the optimizer.
Affected OptiPNG versions: all prior to 0.6.2
Upgrade to OptiPNG 0.6.2 or apply the security patch against the 0.6.1 version.
An update to 0.6.2 for F10 has been built; inclusion into F10 Everything has been requested here:
optipng-0.6.2-1.fc9 has been submitted as an update for Fedora 9.
optipng-0.6.2-1.fc8 has been submitted as an update for Fedora 8.
Also, a new build for devel (F11) was created:
And so was a new build for EPEL 5:
I also sent an e-mail to epel_signers-members at fp.o to request that the build is moved to EPEL stable.
optipng-0.6.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
optipng-0.6.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Huh, email@example.com, where did that e-mail address come from? It is one of my email addresses but I had no idea there was a Bugzilla account with that address and I don't use it in Fedora context.
Jan, based on the bug history, looks like the address was added to Cc by you, could you shed some light on this? My FAS username is scop, but @xemacs.org is not configured as my address there (and that's correct).
(And in case you're wondering, I received mails for all these comments today, the xemacs.org mail system is known to be somewhat slow.)
Hello Ville, I was searching Google for records of "your name" in combination with "Fedora". This worked for me in the past, and this is where firstname.lastname@example.org came from. But now I have the right way to retrieve package maintainers' contact information.
Thank you for pointing this out!
Ah, I see, thanks for the info. I wasn't aware that one could add non-Bugzilla-account email addresses to Cc nowadays and thought someone had registered an account with my @xemacs.org address.
Is it intended that this bug report is still in status "NEW"? I asked Bodhi to close the bug, and normally it also sets the bug to status "MODIFIED" when an update is created. If Bodhi should have done the same for this bug, I will report a bug against Bodhi.
Bodhi has an intentional exception for 'Security Response' bugs, as they may affect other products besides Fedora as well.