[gentoo-announce] [ GLSA 201605-03 ] libfpx: Denial of Service - gentoo-announce

From:	Yury German <blueknight@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201605-03 ] libfpx: Denial of Service
Date:	Mon, 30 May 2016 18:28:16
Message-Id:	`6f65be9a-8404-aef1-601a-f954da0abbe0@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201605-03

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: libfpx: Denial of Service

9

     Date: May 30, 2016

10

     Bugs: #395367

11

       ID: 201605-03

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A double free vulnerability has been discovered in libfpx that allows

19

remote attackers to cause a Denial of Service.

20

21

Background

22

==========

23

24

A library for manipulating FlashPIX images.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  media-libs/libfpx           < 1.3.1_p6               >= 1.3.1_p6

33

34

Description

35

===========

36

37

A double free vulnerability has been discovered in the Free_All_Memory

38

function in jpeg/dectile.c.

39

40

Impact

41

======

42

43

A remote attacker could entice a user to open a specially crafted FPX

44

image using an application linked against libfpx, possibly resulting in

45

a Denial of Service condition.

46

47

Workaround

48

==========

49

50

There is no known workaround at this time.

51

52

Resolution

53

==========

54

55

All libfpx users should upgrade to the latest version:

56

57

  # emerge --sync

58

  # emerge --ask --oneshot --verbose ">=media-libs/libfpx-1.3.1_p6"

59

60

Packages which depend on this library may need to be recompiled. Tools

61

such as revdep-rebuild may assist in identifying these packages.

62

63

References

64

==========

65

66

[ 1 ] CVE-2012-0025

67

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0025

68

69

Availability

70

============

71

72

This GLSA and any updates to it are available for viewing at

73

the Gentoo Security Website:

74

75

 https://security.gentoo.org/glsa/201605-03

76

77

Concerns?

78

=========

79

80

Security is a primary focus of Gentoo Linux and ensuring the

81

confidentiality and security of our users' machines is of utmost

82

importance to us. Any security concerns should be addressed to

83

security@g.o or alternatively, you may file a bug at

84

https://bugs.gentoo.org.

85

86

License

87

=======

88

89

Copyright 2016 Gentoo Foundation, Inc; referenced text

90

belongs to its owner(s).

91

92

The contents of this document are licensed under the

93

Creative Commons - Attribution / Share Alike license.

94

95

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201605-03
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: libfpx: Denial of Service
9	Date: May 30, 2016
10	Bugs: #395367
11	ID: 201605-03
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A double free vulnerability has been discovered in libfpx that allows
19	remote attackers to cause a Denial of Service.
20
21	Background
22	==========
23
24	A library for manipulating FlashPIX images.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 media-libs/libfpx < 1.3.1_p6 >= 1.3.1_p6
33
34	Description
35	===========
36
37	A double free vulnerability has been discovered in the Free_All_Memory
38	function in jpeg/dectile.c.
39
40	Impact
41	======
42
43	A remote attacker could entice a user to open a specially crafted FPX
44	image using an application linked against libfpx, possibly resulting in
45	a Denial of Service condition.
46
47	Workaround
48	==========
49
50	There is no known workaround at this time.
51
52	Resolution
53	==========
54
55	All libfpx users should upgrade to the latest version:
56
57	# emerge --sync
58	# emerge --ask --oneshot --verbose ">=media-libs/libfpx-1.3.1_p6"
59
60	Packages which depend on this library may need to be recompiled. Tools
61	such as revdep-rebuild may assist in identifying these packages.
62
63	References
64	==========
65
66	[ 1 ] CVE-2012-0025
67	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0025
68
69	Availability
70	============
71
72	This GLSA and any updates to it are available for viewing at
73	the Gentoo Security Website:
74
75	https://security.gentoo.org/glsa/201605-03
76
77	Concerns?
78	=========
79
80	Security is a primary focus of Gentoo Linux and ensuring the
81	confidentiality and security of our users' machines is of utmost
82	importance to us. Any security concerns should be addressed to
83	security@g.o or alternatively, you may file a bug at
84	https://bugs.gentoo.org.
85
86	License
87	=======
88
89	Copyright 2016 Gentoo Foundation, Inc; referenced text
90	belongs to its owner(s).
91
92	The contents of this document are licensed under the
93	Creative Commons - Attribution / Share Alike license.
94
95	http://creativecommons.org/licenses/by-sa/2.5