Fedora Legacy Test Update Notification: libpng

Marc Deslauriers marcdeslauriers at videotron.ca
Sat Dec 18 19:18:34 UTC 2004


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-1943
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1943
2004-12-18
---------------------------------------------------------------------

Name         : libpng
7.3 Versions : libpng-1.0.15-0.7x.1.legacy
9 Versions   : libpng-1.2.2-20.2.legacy, libpng10-1.0.15-0.9.1.legacy
fc1 Versions : libpng-1.2.5-7.1.legacy, libpng10-1.0.15-7.1.legacy
Summary      : A library of functions for manipulating PNG image format files.
Description  :
The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files. PNG
is a bit-mapped graphics format similar to the GIF format. PNG was
created to replace the GIF format, since GIF uses a patented data
compression algorithm.

---------------------------------------------------------------------
Update Information:

Updated libpng packages that fix several issues are now available.

The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.

During a source code audit, Chris Evans discovered several buffer
overflows in libpng. An attacker could create a carefully crafted PNG
file in such a way that it would cause an application linked with libpng
to execute arbitrary code when the file was opened by a victim. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0597 to these issues.

In addition, this audit discovered a potential NULL pointer dereference
in libpng (CAN-2004-0598) and several integer overflow issues
(CAN-2004-0599). An attacker could create a carefully crafted PNG file
in such a way that it would cause an application linked with libpng to
crash when the file was opened by the victim.

For users of Red Hat Linux 9, these packages also include a previously
omitted patch for the out-of-bounds memory access flaw (CAN-2002-1363 and
CAN-2004-0768).

All users are advised to upgrade to these updated libpng packages, which
contain backported security patches and are not vulnerable to these
issues.

---------------------------------------------------------------------
Changelogs

rh73 libpng:
* Mon Oct 25 2004 Charles R. Anderson <cra at wpi.edu> 1.0.15-0.7x.1.legacy
- Build for RH 7.x

* Fri Oct 22 2004 Charles R. Anderson <cra at wpi.edu> 1.0.15-0
- Sync RH 9 libpng10 and RH 7.x libpng package specs

* Thu Oct 21 2004 Charles R. Anderson <cra at wpi.edu> 1.0.14-0.7x.8.legacy
- Use upstream security patch 1.2.5 that is recommended for use
   with release 1.0.14.
- Fix previous two changelog entries' formatting

* Thu Aug 12 2004 Dave Botsch <dwb7 at ccmr.cornell.edu>
- Added legacy keyword to release

* Fri Jul 23 2004 Matthias Clasen <mclasen at redhat.com> 1.0.14-7
- Replace the patches for individual security problems with the
   cumulative patch issued by the png developers.

rh9 libpng:
* Wed Aug 04 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.2.2-20.2.legacy
- Replace the patches for individual security problems with the
   cumulative patch issued by the png developers.
   Fixes CAN-2004-0597, CAN-2004-0598, CAN-2004-0599.

* Fri Jun 18 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.2.2-20.1.legacy
- Added better version of the patch for CAN-2002-1363

rh9 libpng10:
* Mon Oct 25 2004 Charles R. Anderson <cra at wpi.edu> 1.0.15-0.9.1.legacy
- Build for RH 9

* Fri Oct 22 2004 Charles R. Anderson <cra at wpi.edu> 1.0.15-0
- Sync RH 9 libpng10 and RH 7.x libpng package specs

* Thu Oct 21 2004 Charles R. Anderson <cra at wpi.edu> 1.0.14-0.7x.8.legacy
- Use upstream security patch 1.2.5 that is recommended for use
   with release 1.0.14.
- Fix previous two changelog entries' formatting

* Thu Aug 12 2004 Dave Botsch <dwb7 at ccmr.cornell.edu>
- Added legacy keyword to release

* Fri Jul 23 2004 Matthias Clasen <mclasen at redhat.com> 1.0.14-7
- Replace the patches for individual security problems with the
   cumulative patch issued by the png developers.

fc1 libpng:
* Mon Nov 29 2004 Rob Myers <rob.myers at gtri.gatech.edu> 2:1.2.5-7.1.legacy
- apply patch to limit dimensions (FL #1943)

* Fri Jul 23 2004 Matthias Clasen <mclasen at redhat.com> 2:1.2.5-7
- Replace the patches for individual security problems with the
   cumulative patch issued by the png developers.

fc1 libpng10:
* Mon Nov 29 2004 Rob Myers <rob.myers at gtri.gatech.edu> 1.0.15-7.1.legacy
- apply patch to limit dimensions (FL #1943)

* Fri Jul 23 2004 Matthias Clasen <mclasen at redhat.com> 1.0.15-7
- Replace the patches for individual security problems with the
   cumulative patch issued by the png developers.
- Build for FC1

---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedoralegacy.org/
(sha1sums)

7.3:
1c286b40e2ad76146a9a4480e9db26bc04aaadb7  redhat/7.3/updates-testing/i386/libpng-1.0.15-0.7x.1.legacy.i386.rpm
0dc1beac1fa548eeb4d59fab754c4b42e05ff541  redhat/7.3/updates-testing/i386/libpng-devel-1.0.15-0.7x.1.legacy.i386.rpm
e291de4ff9cfdb558b38722a12481c3807f21983  redhat/7.3/updates-testing/SRPMS/libpng-1.0.15-0.7x.1.legacy.src.rpm

9:
d71f34a57a80386cdbe2bc9738f0e2b778c639e7  redhat/9/updates-testing/i386/libpng10-1.0.15-0.9.1.legacy.i386.rpm
e89ca650e1839e4ad3155097cf6c70e239befe7c  redhat/9/updates-testing/i386/libpng10-devel-1.0.15-0.9.1.legacy.i386.rpm
90c20c26388d2a32fb84433bff3d3abcd7010425  redhat/9/updates-testing/i386/libpng-1.2.2-20.2.legacy.i386.rpm
360acd84d0b7e8bdf7e3358d3235bc67c28b1ba8  redhat/9/updates-testing/i386/libpng-devel-1.2.2-20.2.legacy.i386.rpm
cdd4dd5844581c8aa9b16e9738f9529f77a9804d  redhat/9/updates-testing/SRPMS/libpng10-1.0.15-0.9.1.legacy.src.rpm
aacfc366fee56b0307be0afe1682cdca4160b2b2  redhat/9/updates-testing/SRPMS/libpng-1.2.2-20.2.legacy.src.rpm

fc1:
0afca5b729899b1fedeed263ddd2ac7aa506eb5b  fedora/1/updates-testing/i386/libpng10-1.0.15-7.1.legacy.i386.rpm
6a7a6ecaa0435e2254e48bc5ea4c2d1724d5b160  fedora/1/updates-testing/i386/libpng10-devel-1.0.15-7.1.legacy.i386.rpm
8e28d39029ff88510d3899c2848273a76b6e71f4  fedora/1/updates-testing/i386/libpng-1.2.5-7.1.legacy.i386.rpm
405443b2e0e56b3d5e5f3f9b6a89bd3a83c24afb  fedora/1/updates-testing/i386/libpng-devel-1.2.5-7.1.legacy.i386.rpm
8c0ab7f220cfd7022f682772098d5efbd2811526  fedora/1/updates-testing/SRPMS/libpng10-1.0.15-7.1.legacy.src.rpm
6a6643b6e1f01e6f8540f36e9a7518c44826a783  fedora/1/updates-testing/SRPMS/libpng-1.2.5-7.1.legacy.src.rpm
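The sha1sums above are only useful if they are actually checked before the packages are installed. The following script is an added example, not part of the Fedora Legacy announcement or of its tooling: it converts an advisory listing as it appears in mail archives (hash and path on one line, or the hash wrapped onto its own line with the path on the next) into the "HASH  PATH" manifest that GNU `sha1sum -c` accepts, then verifies files downloaded under the same relative paths. The `demo` function constructs its own sample files and listing (an empty file whose sha1 is known, and a stand-in for an RPM whose content does not match the advisory's sum); it assumes GNU coreutils `sha1sum`, `awk` and `mktemp` are available.

```shell
#!/bin/sh
# Added example (not from the advisory): verify downloaded packages against
# the sha1sums published in a Fedora Legacy announcement.
# Assumes GNU coreutils sha1sum; nothing here is part of the original post.

# advisory_to_manifest ADVISORY_FILE
# Emits "HASH  PATH" lines. Accepts both layouts seen in list archives:
#   - hash and path on one line, or
#   - a 40-hex-digit hash alone on a line followed by the path on the next.
# Section headers ("7.3:", "9:") and prose are ignored.
advisory_to_manifest() {
    awk '
        # hash alone (wrapped listing): remember it for the following line
        NF == 1 && length($1) == 40 && $1 ~ /^[0-9a-f]+$/ { sum = $1; next }
        # hash and path on the same line
        NF >= 2 && length($1) == 40 && $1 ~ /^[0-9a-f]+$/ {
            printf "%s  %s\n", $1, $2; sum = ""; next
        }
        # path line following a remembered hash
        sum != "" && NF > 0 { printf "%s  %s\n", sum, $1; sum = "" }
    ' "$1"
}

# verify_downloads MANIFEST DOWNLOAD_DIR
# Runs sha1sum -c from DOWNLOAD_DIR so the relative paths in the manifest
# resolve. Exit status is non-zero if any file is missing or does not match.
verify_downloads() {
    (cd "$2" && sha1sum -c -) < "$1"
}

# demo: constructed sample data only (no real packages are downloaded).
# Returns 0 when the checker accepts the genuine file and rejects the
# tampered one, which is the behaviour a practitioner relies on.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/redhat/7.3/updates-testing/i386"
    # Constructed "downloads": an empty file (sha1 of empty input is
    # da39a3ee...) and a stand-in RPM whose bytes cannot match the advisory.
    : > "$tmp/redhat/7.3/updates-testing/i386/empty.bin"
    printf 'not the real package\n' \
        > "$tmp/redhat/7.3/updates-testing/i386/libpng-1.0.15-0.7x.1.legacy.i386.rpm"
    # Constructed advisory excerpt in the wrapped layout of the announcement.
    cat > "$tmp/advisory.txt" <<'EOF'
7.3:
da39a3ee5e6b4b0d3255bfef95601890afd80709 
redhat/7.3/updates-testing/i386/empty.bin
1c286b40e2ad76146a9a4480e9db26bc04aaadb7 
redhat/7.3/updates-testing/i386/libpng-1.0.15-0.7x.1.legacy.i386.rpm
EOF
    rc=0
    advisory_to_manifest "$tmp/advisory.txt" > "$tmp/SHA1SUMS"
    [ "$(grep -c . "$tmp/SHA1SUMS")" -eq 2 ] || rc=1
    # The full set must fail: one file is tampered.
    if verify_downloads "$tmp/SHA1SUMS" "$tmp" >/dev/null 2>&1; then rc=1; fi
    # The genuine file alone must pass.
    grep 'empty.bin' "$tmp/SHA1SUMS" > "$tmp/good.sums"
    verify_downloads "$tmp/good.sums" "$tmp" >/dev/null 2>&1 || rc=1
    rm -rf "$tmp"
    return $rc
}

# Typical use once the RPMs have been mirrored under ./downloads:
#   advisory_to_manifest announcement.txt > SHA1SUMS
#   verify_downloads SHA1SUMS ./downloads && echo "all packages match"
```

Because `sha1sum -c` exits non-zero on any mismatch or missing file, `verify_downloads` can gate the `rpm -Fvh` step in a script; a mismatch should be treated as a corrupt or substituted download rather than something to install anyway.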

---------------------------------------------------------------------

Please test and comment in bugzilla.