gif2png: Multiple vulnerabilities — GLSA 201203-15

Multiple vulnerabilities have been found in gif2png, the worst of which might allow execution of arbitrary code.

Affected packages

media-gfx/gif2png on all architectures
Affected versions < 2.5.8
Unaffected versions >= 2.5.8

Background

gif2png converts images from GIF format to PNG format.

Description

Two vulnerabilities have been found in gif2png:

  • A boundary error in gif2png.c could cause a buffer overflow (CVE-2010-4694).
  • The patch for CVE-2009-5018 causes gif2png to truncate GIF pathnames (CVE-2010-4695).

Impact

A remote attacker could entice a user to open a specially crafted GIF file, possibly resulting in execution of arbitrary code, a Denial of Service condition, or the creation of PNG files in unintended directories.

Workaround

There is no known workaround at this time.

Resolution

All gif2png users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/gif2png-2.5.8"
 

References

Release date
March 16, 2012

Latest revision
March 16, 2012: 1

Severity
normal

Exploitable
remote

Bugzilla entries