Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2009-0749

Use-after-free vulnerability in the GIFReadNextExtension function in lib/pngxtern/gif/gifread.c in OptiPNG 0.6.2 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted GIF image that causes the realloc function to return a new pointer, which triggers memory corruption when the old pointer is accessed.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 7.8, requiring local system access to exploit with relatively low complexity though user interaction is required and does not require pre-existing privileges . The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), and availability (service disruption) for affected systems. Impacting 3 products from optipng_project, from opensuse, from suse organizations running these solutions should prioritize assessment and patching.

Historical Context

Originally identified in 2009, this vulnerability predates many modern security frameworks and practices. The vulnerability landscape of that era was characterized by different threat models and less mature defense mechanisms compared to contemporary standards.

Published

2009-03-02T20:30:00.217

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

8.6

Impact Score

10.0

Weaknesses

Type: Primary
CWE-416

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	optipng_project	optipng	≤ 0.6.2	Yes
Operating System	opensuse	opensuse	≤ 11.1	Yes
Operating System	suse	linux_enterprise	9-11	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html Mailing List ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html Mailing List ([email protected])
http://optipng.sourceforge.net Product ([email protected])
http://secunia.com/advisories/34035 Broken Link, Vendor Advisory ([email protected])
http://secunia.com/advisories/34201 Broken Link ([email protected])
http://secunia.com/advisories/34259 Broken Link ([email protected])
http://secunia.com/advisories/35685 Broken Link ([email protected])
http://sourceforge.net/tracker/index.php?func=detail&aid=2582013&group_id=151404&atid=780913 Issue Tracking ([email protected])
http://www.gentoo.org/security/en/glsa/glsa-200903-12.xml Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2009/02/24/2 Mailing List ([email protected])
http://www.openwall.com/lists/oss-security/2009/02/25/4 Mailing List ([email protected])
http://www.securityfocus.com/bid/33873 Broken Link, Patch, Third Party Advisory, VDB Entry ([email protected])
http://www.vupen.com/english/advisories/2009/0510 Broken Link, Patch, Vendor Advisory ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/48879 Third Party Advisory, VDB Entry ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://optipng.sourceforge.net Product (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/34035 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/34201 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/34259 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35685 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://sourceforge.net/tracker/index.php?func=detail&aid=2582013&group_id=151404&atid=780913 Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
http://www.gentoo.org/security/en/glsa/glsa-200903-12.xml Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2009/02/24/2 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2009/02/25/4 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/33873 Broken Link, Patch, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/0510 Broken Link, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/48879 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For optipng_project's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.