oss-security - CVE Request -- OptiPNG

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-Id: <1226490125.3536.12.camel@dhcp-lab-164.englab.brq.redhat.com>
Date: Wed, 12 Nov 2008 12:42:05 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...re.org>
Cc: oss-security@...ts.openwall.com
Subject: CVE Request -- OptiPNG

Hello Steve,

  OptiPNG upstream has released new version, fixing between others
one security issue -- buffer overflow present in reader responsible
for BMP images handling.

References:
http://sourceforge.net/project/shownotes.php?release_id=639631&group_id=151404
http://secunia.com/Advisories/32651/
http://www.frsirt.com/english/advisories/2008/3108/references
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505399
http://optipng.sourceforge.net/

Affected versions: all prior to prior to 0.6.2. (from Secunia advisory)

Proposed solution:

Upgrade to 0.6.2 or security patch against 0.6.1 available at:
http://prdownloads.sourceforge.net/optipng/optipng-0.6.1.1.diff?download

Impact: arbitrary code execution (from Secunia advisory)

Could you please allocate a new CVE id for this issue?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.