---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-1943
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1943
2004-12-18
---------------------------------------------------------------------
Name : libpng
7.3 Versions : libpng-1.0.15-0.7x.1.legacy
9 Versions : libpng-1.2.2-20.2.legacy, libpng10-1.0.15-0.9.1.legacy
fc1 Versions : libpng-1.2.5-7.1.legacy, libpng10-1.0.15-7.1.legacy
Summary : A library of functions for manipulating PNG image format files.
Description :
The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files. PNG
is a bit-mapped graphics format similar to the GIF format. PNG was
created to replace the GIF format, since GIF uses a patented data
compression algorithm.
---------------------------------------------------------------------
Update Information:
The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files.
During a source code audit, Chris Evans discovered several buffer overflows in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0597 to these issues.
In addition, this audit discovered a potential NULL pointer dereference in libpng (CAN-2004-0598) and several integer overflow issues (CAN-2004-0599). An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to crash when the file was opened by the victim.
For users of Red Hat Linux 9, these packages also include a previously omitted patch for the out-of-bounds memory access flaws CAN-2002-1363 and CAN-2004-0768.
All users are advised to upgrade to these updated libpng packages, which contain backported security patches and are not vulnerable to these issues. Note that only applications linked against the system libpng and libpng10 libraries are covered by this update; an application that carries its own statically linked or bundled copy of libpng must be fixed separately.
---------------------------------------------------------------------
Changelogs
rh73 libpng:
* Mon Oct 25 2004 Charles R. Anderson <cra wpi edu> 1.0.15-0.7x.1.legacy - Build for RH 7.x
* Fri Oct 22 2004 Charles R. Anderson <cra wpi edu> 1.0.15-0 - Sync RH 9 libpng10 and RH 7.x libpng package specs
* Thu Oct 21 2004 Charles R. Anderson <cra wpi edu> 1.0.14-0.7x.8.legacy - Use upstream security patch 1.2.5 that is recommended for use with release 1.0.14. - Fix previous two changelog entries' formatting
* Thu Aug 12 2004 Dave Botsch <dwb7 ccmr cornell edu> - Added legacy keyword to release
* Fri Jul 23 2004 Matthias Clasen <mclasen redhat com> 1.0.14-7 - Replace the patches for individual security problems with the cumulative patch issued by the png developers.
rh9 libpng10:
* Mon Oct 25 2004 Charles R. Anderson <cra wpi edu> 1.0.15-0.9.1.legacy - Build for RH 9
* Fri Oct 22 2004 Charles R. Anderson <cra wpi edu> 1.0.15-0 - Sync RH 9 libpng10 and RH 7.x libpng package specs
* Thu Oct 21 2004 Charles R. Anderson <cra wpi edu> 1.0.14-0.7x.8.legacy - Use upstream security patch 1.2.5 that is recommended for use with release 1.0.14. - Fix previous two changelog entries' formatting
* Thu Aug 12 2004 Dave Botsch <dwb7 ccmr cornell edu> - Added legacy keyword to release
* Fri Jul 23 2004 Matthias Clasen <mclasen redhat com> 1.0.14-7 - Replace the patches for individual security problems with the cumulative patch issued by the png developers.
fc1 libpng:
* Mon Nov 29 2004 Rob Myers <rob myers gtri gatech edu> 2:1.2.5-7.1.legacy - apply patch to limit dimensions (FL #1943)
* Fri Jul 23 2004 Matthias Clasen <mclasen redhat com> 2:1.2.5-7 - Replace the patches for individual security problems with the cumulative patch issued by the png developers.
fc1 libpng10:
* Mon Nov 29 2004 Rob Myers <rob myers gtri gatech edu> 1.0.15-7.1.legacy - apply patch to limit dimensions (FL #1943)
* Fri Jul 23 2004 Matthias Clasen <mclasen redhat com> 1.0.15-7 - Replace the patches for individual security problems with the cumulative patch issued by the png developers. - Build for FC1
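The "apply patch to limit dimensions" entries in the fc1 changelogs above, and the integer overflow issues described under Update Information, come down to one kind of check: refusing an IHDR whose width, height and pixel format would make a row or image buffer size wrap before it reaches the allocator. The following is an added example written for this page, not libpng's code and not the patch referenced in the changelog; MAX_DIM and MAX_IMAGE are assumed limits chosen for the example, and the PNG headers that build_ihdr produces are constructed test input.

```c
/* Added example, not libpng code: parse a PNG signature plus IHDR chunk and
 * reject dimensions whose row or image buffer size would overflow. MAX_DIM
 * and MAX_IMAGE are assumed limits for this example, not libpng's values. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_DIM      1000000u      /* assumed per-axis limit */
#define MAX_IMAGE    (1ULL << 32)  /* assumed cap on decoded image bytes */
#define PNG_MAX_UINT 0x7fffffffu   /* PNG spec: dimensions fit in 31 bits */

static const uint8_t png_sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Channel count for a PNG colour type, 0 if the type is invalid. */
static unsigned channels_for(unsigned color_type) {
    switch (color_type) {
    case 0: return 1;  /* greyscale */
    case 2: return 3;  /* RGB */
    case 3: return 1;  /* palette index */
    case 4: return 2;  /* grey + alpha */
    case 6: return 4;  /* RGBA */
    default: return 0;
    }
}

/* Return 0 and set *rowbytes (including the filter byte) when the IHDR is
 * acceptable; otherwise a negative code naming the rejection reason. */
int check_ihdr(const uint8_t *buf, size_t len, uint64_t *rowbytes) {
    if (len < 8 + 8 + 13) return -1;                  /* truncated header */
    if (memcmp(buf, png_sig, 8) != 0) return -2;      /* not a PNG */
    if (rd32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return -3;

    const uint8_t *d = buf + 16;
    uint32_t width = rd32(d), height = rd32(d + 4);
    unsigned depth = d[8], ctype = d[9];

    if (width == 0 || height == 0) return -4;
    if (width > PNG_MAX_UINT || height > PNG_MAX_UINT) return -4;
    if (width > MAX_DIM || height > MAX_DIM) return -5; /* over user limit */

    unsigned ch = channels_for(ctype);
    if (ch == 0) return -6;
    if (depth != 1 && depth != 2 && depth != 4 && depth != 8 && depth != 16)
        return -6;
    if (ctype == 3 && depth > 8) return -6;            /* palette: 1..8 bits */
    if ((ctype == 2 || ctype == 4 || ctype == 6) && depth < 8) return -6;

    /* Sizes in 64-bit arithmetic so the checks themselves cannot wrap. */
    uint64_t bits = (uint64_t)width * ch * depth;       /* <= 2^31 * 64 */
    uint64_t rb = (bits + 7) / 8 + 1;                   /* + filter byte */
    if (rb > UINT64_MAX / height) return -7;            /* rb * height wraps */
    if (rb * height > MAX_IMAGE) return -7;             /* exceeds assumed cap */
    *rowbytes = rb;
    return 0;
}

/* Build a signature + IHDR chunk as constructed test input. The CRC is left
 * as zero because this check does not validate chunk CRCs. */
size_t build_ihdr(uint8_t *out, uint32_t w, uint32_t h, uint8_t depth, uint8_t ctype) {
    memcpy(out, png_sig, 8);
    uint8_t *p = out + 8;
    p[0] = 0; p[1] = 0; p[2] = 0; p[3] = 13;           /* chunk length */
    memcpy(p + 4, "IHDR", 4);
    uint8_t *d = p + 8;
    d[0] = (uint8_t)(w >> 24); d[1] = (uint8_t)(w >> 16);
    d[2] = (uint8_t)(w >> 8);  d[3] = (uint8_t)w;
    d[4] = (uint8_t)(h >> 24); d[5] = (uint8_t)(h >> 16);
    d[6] = (uint8_t)(h >> 8);  d[7] = (uint8_t)h;
    d[8] = depth; d[9] = ctype;
    d[10] = 0; d[11] = 0; d[12] = 0;                   /* compression, filter, interlace */
    memset(d + 13, 0, 4);                              /* CRC placeholder */
    return 8 + 8 + 13 + 4;
}

int main(void) {
    uint8_t buf[64];
    uint64_t rb = 0;
    size_t n = build_ihdr(buf, 640, 480, 8, 6);
    printf("640x480 RGBA8: rc=%d rowbytes=%llu\n",
           check_ihdr(buf, n, &rb), (unsigned long long)rb);
    n = build_ihdr(buf, 0x7fffffffu, 0x7fffffffu, 16, 6);
    printf("2^31-1 square RGBA16: rc=%d\n", check_ihdr(buf, n, &rb));
    n = build_ihdr(buf, 1000000u, 1000000u, 8, 6);
    printf("1e6 square RGBA8: rc=%d\n", check_ihdr(buf, n, &rb));
    return 0;
}
```

The two size tests are separate on purpose: the per-axis limit catches the obvious oversized header, while the product check catches a header whose axes are each in range but whose total would still wrap a 32-bit size_t. On a 32-bit build MAX_IMAGE should be kept below SIZE_MAX so the checked product still fits the type that is passed to the allocator.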
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)