[gentoo-announce] [ GLSA 201408-06 ] libpng: Multiple vulnerabilities - gentoo-announce

From:	Mikle Kolyada <zlogene@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201408-06 ] libpng: Multiple vulnerabilities
Date:	Thu, 14 Aug 2014 14:33:46
Message-Id:	`53ECC812.7050906@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201408-06

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: libpng: Multiple vulnerabilities

9

     Date: August 14, 2014

10

     Bugs: #503014, #507378

11

       ID: 201408-06

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been discovered in libpng which can allow

19

a remote attacker to cause a Denial of Service condition.

20

21

Background

22

==========

23

24

libpng is a standard library used to process PNG (Portable Network

25

Graphics) images. It is used by several programs, including web

26

browsers and potentially server processes.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package              /     Vulnerable     /            Unaffected

33

    -------------------------------------------------------------------

34

  1  media-libs/libpng            < 1.6.10                  >= 1.6.10 

35

                                                                < 1.3 

36

                                                           *>= 1.5.18 

37

38

Description

39

===========

40

41

The png_push_read_chunk function in pngpread.c in the progressive

42

decoder enters an infinite loop, when it encounters a zero-length IDAT

43

chunk. In addition certain integer overflows have been detected and

44

corrected.

45

46

The 1.2 branch is not affected by these vulnerabilities.

47

48

Impact

49

======

50

51

A remote attacker could entice a user to open a specially crafted PNG

52

file using an application linked against libpng, possibly resulting in

53

Denial of Service.

54

55

Workaround

56

==========

57

58

There is no known workaround at this time.

59

60

Resolution

61

==========

62

63

All libpng users should upgrade to the latest version:

64

65

  # emerge --sync

66

  # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.6.10"

67

68

Users with current installs in the 1.5 branch should also upgrade this

69

using:

70

  # emerge --sync

71

  # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.5.18:1.5"

72

73

Packages which depend on this library may need to be recompiled. Tools

74

such as revdep-rebuild may assist in identifying these packages.

75

76

References

77

==========

78

79

[ 1 ] CVE-2013-7353

80

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7353

81

[ 2 ] CVE-2013-7354

82

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7354

83

[ 3 ] CVE-2014-0333

84

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0333

85

86

Availability

87

============

88

89

This GLSA and any updates to it are available for viewing at

90

the Gentoo Security Website:

91

92

 http://security.gentoo.org/glsa/glsa-201408-06.xml

93

94

Concerns?

95

=========

96

97

Security is a primary focus of Gentoo Linux and ensuring the

98

confidentiality and security of our users' machines is of utmost

99

importance to us. Any security concerns should be addressed to

100

security@g.o or alternatively, you may file a bug at

101

https://bugs.gentoo.org.

102

103

License

104

=======

105

106

Copyright 2014 Gentoo Foundation, Inc; referenced text

107

belongs to its owner(s).

108

109

The contents of this document are licensed under the

110

Creative Commons - Attribution / Share Alike license.

111

112

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201408-06
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: libpng: Multiple vulnerabilities
9	Date: August 14, 2014
10	Bugs: #503014, #507378
11	ID: 201408-06
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been discovered in libpng which can allow
19	a remote attacker to cause a Denial of Service condition.
20
21	Background
22	==========
23
24	libpng is a standard library used to process PNG (Portable Network
25	Graphics) images. It is used by several programs, including web
26	browsers and potentially server processes.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 media-libs/libpng < 1.6.10 >= 1.6.10
35	< 1.3
36	*>= 1.5.18
37
38	Description
39	===========
40
41	The png_push_read_chunk function in pngpread.c in the progressive
42	decoder enters an infinite loop, when it encounters a zero-length IDAT
43	chunk. In addition certain integer overflows have been detected and
44	corrected.
45
46	The 1.2 branch is not affected by these vulnerabilities.
47
48	Impact
49	======
50
51	A remote attacker could entice a user to open a specially crafted PNG
52	file using an application linked against libpng, possibly resulting in
53	Denial of Service.
54
55	Workaround
56	==========
57
58	There is no known workaround at this time.
59
60	Resolution
61	==========
62
63	All libpng users should upgrade to the latest version:
64
65	# emerge --sync
66	# emerge --ask --oneshot --verbose ">=media-libs/libpng-1.6.10"
67
68	Users with current installs in the 1.5 branch should also upgrade this
69	using:
70	# emerge --sync
71	# emerge --ask --oneshot --verbose ">=media-libs/libpng-1.5.18:1.5"
72
73	Packages which depend on this library may need to be recompiled. Tools
74	such as revdep-rebuild may assist in identifying these packages.
75
76	References
77	==========
78
79	[ 1 ] CVE-2013-7353
80	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7353
81	[ 2 ] CVE-2013-7354
82	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7354
83	[ 3 ] CVE-2014-0333
84	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0333
85
86	Availability
87	============
88
89	This GLSA and any updates to it are available for viewing at
90	the Gentoo Security Website:
91
92	http://security.gentoo.org/glsa/glsa-201408-06.xml
93
94	Concerns?
95	=========
96
97	Security is a primary focus of Gentoo Linux and ensuring the
98	confidentiality and security of our users' machines is of utmost
99	importance to us. Any security concerns should be addressed to
100	security@g.o or alternatively, you may file a bug at
101	https://bugs.gentoo.org.
102
103	License
104	=======
105
106	Copyright 2014 Gentoo Foundation, Inc; referenced text
107	belongs to its owner(s).
108
109	The contents of this document are licensed under the
110	Creative Commons - Attribution / Share Alike license.
111
112	http://creativecommons.org/licenses/by-sa/2.5