Fedora 9 : optipng-0.6.2-1.fc9 (2008-9633)

high Nessus Plugin ID 34760

Synopsis

The remote Fedora host is missing a security update.

Description

The main reason for this update is a buffer overflow that is removed in this version, that could be triggered by processing specially crafted bitmap images (*.bmp). Aggregated upstream changelog:
============================== ++ Put back a speed optimization, accidentally removed in version 0.6, allowing singleton trials (-o1) to be bypassed in certain conditions. !! Fixed an array overflow in the BMP reader. !! Fixed the loss of private chunks under the -snip option. + Produced a more concise on-screen output in the non-verbose mode. (Thanks to Vincent Lefevre for the suggestion.) * Added a programming interface to the optimization engine, in order to facilitate the development of PNG-optimizing GUI apps and plugins. ! Fixed processing when image reduction yields an output larger than the original. (Thanks to Michael Krishtopa for the report.) ! Fixed behavior of -preserve. (Thanks to Bill Koch for the report.)

- Removed displaying of partial progress when abandoning IDATs under the -v option. The percentages displayed were not very accurate. ++ Implemented grayscale(alpha)-to-palette reductions. ++ Improved conversion of bKGD info during RGB-to-palette reductions. (Thanks to Matthew Fearnley for the contribution.) !! Fixed conversion of bKGD and tRNS during 16-to-8-bit reductions. (Thanks to Matthew Fearnley for the report.) + Added support for compressed BMP (incl. PNG-compressed BMP, you bet!) + Improved the speed of reading raw PNM files. + Recognized PNG digital signatures (dSIG) and disabled optimization in their presence, to preserve their integrity. + Allowed the user to enforce the optimization of dSIG'ed files. + Recognized APNG animation files and disabled reductions to preserve their integrity. + Added the -snip option, to allow the user to 'snip' one image out of a multi-image file, such as animated GIF, multi-page TIFF, or APNG. (Thanks to [LaughingMan] for the suggestion.) + Improved recovery of PNG files with incomplete IDAT. ! Fixed behavior of -out and -dir when the input is already optimized. (Thanks to Christian Davideck for the report.) * Provided more detailed image information at the start of processing. * Provided a more detailed summary at the end of processing, under the presence of the -v option and/or the occurence of exceptional events.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected optipng package.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=471206

http://www.nessus.org/u?3e8f8dc9

Plugin Details

Severity: High

ID: 34760

File Name: fedora_2008-9633.nasl

Version: 1.12

Type: local

Agent: unix

Published: 11/13/2008

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:optipng, cpe:/o:fedoraproject:fedora:9

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 11/13/2008

Reference Information

FEDORA: 2008-9633