Fedora Legacy Test Update Notification: libpng
Marc Deslauriers
marcdeslauriers at videotron.ca
Sat Dec 18 19:18:34 UTC 2004
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-1943
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1943
2004-12-18
---------------------------------------------------------------------
Name : libpng
7.3 Versions : libpng-1.0.15-0.7x.1.legacy
9 Versions : libpng-1.2.2-20.2.legacy, libpng10-1.0.15-0.9.1.legacy
fc1 Versions : libpng-1.2.5-7.1.legacy, libpng10-1.0.15-7.1.legacy
Summary : A library of functions for manipulating PNG image format
files.
Description :
The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files. PNG
is a bit-mapped graphics format similar to the GIF format. PNG was
created to replace the GIF format, since GIF uses a patented data
compression algorithm.
---------------------------------------------------------------------
Update Information:
Updated libpng packages that fix several issues are now available.

The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.

During a source code audit, Chris Evans discovered several buffer
overflows in libpng. An attacker could create a carefully crafted PNG
file in such a way that it would cause an application linked with libpng
to execute arbitrary code when the file was opened by a victim. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0597 to these issues.

In addition, this audit discovered a potential NULL pointer dereference
in libpng (CAN-2004-0598) and several integer overflow issues
(CAN-2004-0599). An attacker could create a carefully crafted PNG file
in such a way that it would cause an application linked with libpng to
crash when the file was opened by the victim.

For users of Red Hat Linux 9, these packages also include a forgotten
patch for the out-of-bounds memory access flaw (CAN-2002-1363 and
CAN-2004-0768).

All users are advised to update to the updated libpng packages, which
contain backported security patches and are not vulnerable to these
issues.
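
Integer overflows of the kind named above typically arise when sizes read from the file are multiplied before a buffer is allocated, and the fc1 changelog below mentions a patch to limit dimensions. The following is an added example, not libpng code and not the Fedora Legacy patch: a stand-alone check that bounds the IHDR dimensions and computes the size of the unfiltered pixel data without wraparound. The cap EX_MAX_DIM and all function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed cap for this example only; not a value taken from the advisory. */
#define EX_MAX_DIM 1000000u

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Samples per pixel for a colour type/bit depth pair; 0 if the pair is invalid. */
static unsigned channels_for(unsigned type, unsigned depth) {
    int d8_16 = (depth == 8 || depth == 16);
    int d1_8 = (depth == 1 || depth == 2 || depth == 4 || depth == 8);
    switch (type) {
    case 0: return (d1_8 || depth == 16) ? 1 : 0; /* greyscale */
    case 2: return d8_16 ? 3 : 0;                 /* RGB */
    case 3: return d1_8 ? 1 : 0;                  /* palette index */
    case 4: return d8_16 ? 2 : 0;                 /* greyscale + alpha */
    case 6: return d8_16 ? 4 : 0;                 /* RGBA */
    default: return 0;
    }
}

/* Validate a 13-byte IHDR payload and compute the unfiltered pixel data size.
 * Returns 0 and stores the byte count in *out, or -1 if rejected. */
int ex_ihdr_image_size(const unsigned char *ihdr, size_t len, size_t *out) {
    if (ihdr == NULL || out == NULL || len != 13) return -1;
    uint32_t w = be32(ihdr), h = be32(ihdr + 4);
    unsigned depth = ihdr[8], ch = channels_for(ihdr[9], depth);
    if (w == 0 || h == 0 || w > EX_MAX_DIM || h > EX_MAX_DIM) return -1;
    if (ch == 0) return -1;
    /* With w and h capped, these 64-bit products cannot wrap. */
    uint64_t rowbytes = ((uint64_t)w * ch * depth + 7) / 8;
    uint64_t total = rowbytes * h;
    if (total > SIZE_MAX) return -1; /* would truncate where size_t is 32 bits */
    *out = (size_t)total;
    return 0;
}

int main(void) {
    /* Constructed sample: 2x3 pixels, 8-bit RGB, no interlace. */
    const unsigned char sample[13] = {0,0,0,2, 0,0,0,3, 8, 2, 0, 0, 0};
    size_t n = 0;
    int rc = ex_ihdr_image_size(sample, sizeof sample, &n);
    printf("rc=%d bytes=%zu\n", rc, n);
    return 0;
}
```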
---------------------------------------------------------------------
Changelogs
rh73 libpng:
* Mon Oct 25 2004 Charles R. Anderson <cra at wpi.edu> 1.0.15-0.7x.1.legacy
- Build for RH 7.x
* Fri Oct 22 2004 Charles R. Anderson <cra at wpi.edu> 1.0.15-0
- Sync RH 9 libpng10 and RH 7.x libpng package specs
* Thu Oct 21 2004 Charles R. Anderson <cra at wpi.edu> 1.0.14-0.7x.8.legacy
- Use upstream security patch 1.2.5 that is recommended for use
with release 1.0.14.
- Fix previous two changelog entry's formatting
* Thu Aug 12 2004 Dave Botsch <dwb7 at ccmr.cornell.edu>
- Added legacy keyword to release
* Fri Jul 23 2004 Matthias Clasen <mclasen at redhat.com> 1.0.14-7
- Replace the patches for individual security problems with the
cumulative patch issued by the png developers.
rh9 libpng:
* Wed Aug 04 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
1.2.2-20.2.legacy
- Replace the patches for individual security problems with the
cumulative patch issued by the png developers.
Fixes CAN-2004-0597, CAN-2004-0598, CAN-2004-0599.
* Fri Jun 18 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
1.2.2-20.1.legacy
- Added better version of the patch for CAN-2002-1363
rh9 libpng10:
* Mon Oct 25 2004 Charles R. Anderson <cra at wpi.edu> 1.0.15-0.9.1.legacy
- Build for RH 9
* Fri Oct 22 2004 Charles R. Anderson <cra at wpi.edu> 1.0.15-0
- Sync RH 9 libpng10 and RH 7.x libpng package specs
* Thu Oct 21 2004 Charles R. Anderson <cra at wpi.edu> 1.0.14-0.7x.8.legacy
- Use upstream security patch 1.2.5 that is recommended for use
with release 1.0.14.
- Fix previous two changelog entry's formatting
* Thu Aug 12 2004 Dave Botsch <dwb7 at ccmr.cornell.edu>
- Added legacy keyword to release
* Fri Jul 23 2004 Matthias Clasen <mclasen at redhat.com> 1.0.14-7
- Replace the patches for individual security problems with the
cumulative patch issued by the png developers.
fc1 libpng:
* Mon Nov 29 2004 Rob Myers <rob.myers at gtri.gatech.edu> 2:1.2.5-7.1.legacy
- apply patch to limit dimensions (FL #1943)
* Fri Jul 23 2004 Matthias Clasen <mclasen at redhat.com> 2:1.2.5-7
- Replace the patches for individual security problems with the
cumulative patch issued by the png developers.
fc1 libpng10:
* Mon Nov 29 2004 Rob Myers <rob.myers at gtri.gatech.edu> 1.0.15-7.1.legacy
- apply patch to limit dimensions (FL #1943)
* Fri Jul 23 2004 Matthias Clasen <mclasen at redhat.com> 1.0.15-7
- Replace the patches for individual security problems with the
cumulative patch issued by the png developers.
- Build for FC1
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
---------------------------------------------------------------------
Please test and comment in bugzilla.