949958 – (CVE-2015-7801) VUL-0: CVE-2015-7801: optipng: Use-after-free

Bug 949958 (CVE-2015-7801) - VUL-0: CVE-2015-7801: optipng: Use-after-free

Summary: VUL-0: CVE-2015-7801: optipng: Use-after-free

Status:	RESOLVED INVALID

Alias:	CVE-2015-7801

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other openSUSE 13.2

Priority:	P5 - None Severity: Normal
Target Milestone:	---
Assignee:	Petr Gajdos
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/157565/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2015-10-12 09:35 UTC by Andreas Stieger
Modified:	2015-10-12 12:07 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
reproducer image (139 bytes, image/png) 2015-10-12 09:35 UTC, Andreas Stieger	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2015-10-12 09:35:30 UTC

Created attachment 651149 [details]
reproducer image

http://seclists.org/oss-sec/2015/q3/556

use-after-free causing an invalid/double free in optipng 0.6.4.

    Processing: boom.png

    ==24844== Invalid read of size 4
    ==24844==  Address 0x4281a08 is 0 bytes inside a block of size 8 free'd
    ==24844==    at 0x402B3D8: free
    ==24844== Invalid free() / delete / delete[] / realloc()
    ==24844==    at 0x402B3D8: free

    

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1264015
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7801
http://seclists.org/oss-sec/2015/q4/55
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7801


This package is used in openQA.

Comment 1 Petr Gajdos 2015-10-12 12:07:47 UTC

I don't think we maintain optipng 0.6.4 anywhere.