-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:009
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : gif2png
 Date    : January 14, 2011
 Affected: 2009.0, 2010.0, 2010.1
_______________________________________________________________________

 Problem Description:

 Two vulnerabilities have been found and corrected in gif2png:

 Stack-based buffer overflow in gif2png.c in gif2png 2.5.3 and earlier
 might allow context-dependent attackers to execute arbitrary code via
 a long command-line argument, as demonstrated by a CGI program that
 launches gif2png (CVE-2009-5018).

 Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow
 context-dependent attackers to cause a denial of service (application
 crash) or have unspecified other impact via a GIF file that contains
 many images, leading to long extensions such as .p100 for PNG output
 files, as demonstrated by a CGI program that launches gif2png, a
 different vulnerability than CVE-2009-5018 (CVE-2010-4694).

 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490

 The updated packages have been patched to correct these issues.
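 The defect behind CVE-2010-4694 is an output-file name that grows with the image index until it no longer fits the buffer that holds it; CVE-2009-5018 is the same class of defect fed from a long command-line argument. The following is an added illustration, not gif2png's own code, of building that name with an explicit size check so that neither a long base name nor a large index can write past the buffer. It assumes the naming convention suggested by the advisory (".png" for the first image, ".p<index>" afterwards, so index 100 gives ".p100"); the function name is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration: build "<base>.png" for the first image and
 * "<base>.p<index>" for later ones, never writing beyond out[outsz].
 * Returns 0 on success and -1 when the full name (plus NUL) does not fit,
 * which is exactly the case an unchecked sprintf/strcat would overflow. */
int build_output_name(const char *base, int index, char *out, size_t outsz)
{
    int n;

    if (base == NULL || out == NULL || outsz == 0 || index < 0)
        return -1;

    if (index == 0)
        n = snprintf(out, outsz, "%s.png", base);
    else
        n = snprintf(out, outsz, "%s.p%d", base, index);

    /* snprintf returns the length it wanted to write; if that is not
     * strictly smaller than the buffer, the name was truncated and a
     * fixed-size buffer in the vulnerable pattern would have been overrun. */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';          /* leave a defined, empty name behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[32];

    if (build_output_name("frames", 100, name, sizeof name) == 0)
        printf("%s\n", name);                     /* frames.p100 */
    if (build_output_name("frames", 100, name, 8) != 0)
        printf("rejected: name does not fit\n");  /* needs 9 bytes */
    return 0;
}
```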
_______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5018
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4694
_______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 ad8928a60b604f88f26c2afc05af1b60  2009.0/i586/gif2png-2.5.1-4.1mdv2009.0.i586.rpm
 5cfa8cf8ed1cee759d0483bd27d78a10  2009.0/SRPMS/gif2png-2.5.1-4.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 001e10adb1f8d4e979161b5598ce757b  2009.0/x86_64/gif2png-2.5.1-4.1mdv2009.0.x86_64.rpm
 5cfa8cf8ed1cee759d0483bd27d78a10  2009.0/SRPMS/gif2png-2.5.1-4.1mdv2009.0.src.rpm

 Mandriva Linux 2010.0:
 0a4de7448cecc56c05e6cf6a08e85395  2010.0/i586/gif2png-2.5.1-6.1mdv2010.0.i586.rpm
 2eb73d21b89309cf6a417d131c217a9e  2010.0/SRPMS/gif2png-2.5.1-6.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 c25ad03c6914525e69544d064929c253  2010.0/x86_64/gif2png-2.5.1-6.1mdv2010.0.x86_64.rpm
 2eb73d21b89309cf6a417d131c217a9e  2010.0/SRPMS/gif2png-2.5.1-6.1mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 351ca35a5a9869a1ea078fa61ae1bba4  2010.1/i586/gif2png-2.5.2-2.1mdv2010.2.i586.rpm
 1288d1f24726c3cc4782ef30f120748d  2010.1/SRPMS/gif2png-2.5.2-2.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 5486b74d0f270b32f042a056235d068e  2010.1/x86_64/gif2png-2.5.2-2.1mdv2010.2.x86_64.rpm
 1288d1f24726c3cc4782ef30f120748d  2010.1/SRPMS/gif2png-2.5.2-2.1mdv2010.2.src.rpm
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

 Type   Bits/KeyID     Date       User ID
 pub    1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNMIS7mqjQ0CJFipgRAidtAJsEtQoS77Bas6dy8hT7MQbYWdblsgCg8y4b
UuFSb8f/D/p6vDh/EVqNxrk=
=ZZYZ
-----END PGP SIGNATURE-----