A vulnerability has been reported in OptiPNG, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to a use-after-free error related to the palette reduction functionality. No further information is currently available. Success exploitation may allow execution of arbitrary code. The vulnerability is reported in version 0.7, 0.7.1, and 0.7.2. Solution Update to version 0.7.3. Code commit: http://optipng.hg.sourceforge.net/hgweb/optipng/optipng/rev/f1d5d44670a2 Additional info: Version 0.6.5 and earlier are not affected.
The CVE identifier of CVE-2012-4432 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/09/18/2
This issue does NOT affect the version of the optipng package, as shipped with Fedora release of 17 (it got updated to optipng-0.7.3-1.fc17 version in -testing repository already, which contains the upstream patch). -- This issue did NOT affect the versions of the optipng package, as shipped with Fedora release of 16, Fedora EPEL 6 and Fedora EPEL 6 as they did not contain the vulnerable functionality yet.
References: https://bugs.gentoo.org/show_bug.cgi?id=435340 https://secunia.com/advisories/50654/