Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200408-03 ] libpng: Numerous vulnerabilities
Date: Thu, 05 Aug 2004 12:03:26
Message-Id: 200408051358.59570.jaervosz@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200408-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: libpng: Numerous vulnerabilities
Date: August 05, 2004
Bugs: #59424
ID: 200408-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

libpng contains numerous vulnerabilities potentially allowing an
attacker to perform a Denial of Service attack or even execute
arbitrary code.

Background
==========

libpng is a standard library used to process PNG (Portable Network
Graphics) images. It is used by several other programs, including web
browsers and potentially server processes.

Affected packages
=================

-------------------------------------------------------------------
     Package            /  Vulnerable   /  Unaffected
-------------------------------------------------------------------
  1  media-libs/libpng     <= 1.2.5-r7     >= 1.2.5-r8

Description
===========

libpng contains numerous vulnerabilities including null pointer
dereference errors and boundary errors in various functions.

Impact
======

An attacker could exploit these vulnerabilities to cause programs
linked against the library to crash or execute arbitrary code with the
permissions of the user running the vulnerable program, which could be
the root user.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==========

All libpng users should upgrade to the latest stable version:

    # emerge sync

    # emerge -pv ">=media-libs/libpng-1.2.5-r8"
    # emerge ">=media-libs/libpng-1.2.5-r8"

You should also run revdep-rebuild to rebuild any packages that depend
on older versions of libpng:

    # revdep-rebuild

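To check a host against the version range in the table above, the following script classifies each installed libpng. It is an added example, not part of the advisory or of Portage; the function names are hypothetical, and it assumes installed packages are recorded as directories under /var/db/pkg and that versions are plain dotted numbers with an optional -rN revision.

```sh
# Added example, not part of the GLSA.
FIXED="1.2.5-r8"   # first unaffected version, from the advisory's table

# ver_lt A B: exit 0 if A < B, 1 if A >= B, 2 if either version is not
# dotted numbers with an optional -rN revision (a simplification; full
# Portage version syntax is not handled).
ver_lt() {
    a_base=${1%-r[0-9]*}; b_base=${2%-r[0-9]*}
    a_rev=0; b_rev=0
    if [ "$a_base" != "$1" ]; then a_rev=${1##*-r}; fi
    if [ "$b_base" != "$2" ]; then b_rev=${2##*-r}; fi
    case "$a_base.$b_base.$a_rev.$b_rev" in
        *[!0-9.]*|*..*|.*|*.) return 2 ;;
    esac
    # Compare the dotted components left to right; a missing one counts as 0.
    while [ -n "$a_base$b_base" ]; do
        a=${a_base%%.*}; b=${b_base%%.*}
        if [ "${a:-0}" -lt "${b:-0}" ]; then return 0; fi
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 1; fi
        case "$a_base" in *.*) a_base=${a_base#*.} ;; *) a_base= ;; esac
        case "$b_base" in *.*) b_base=${b_base#*.} ;; *) b_base= ;; esac
    done
    [ "$a_rev" -lt "$b_rev" ]   # equal base versions: the revision decides
}

# classify VERSION: print vulnerable, unaffected or unknown.
classify() {
    st=0; ver_lt "$1" "$FIXED" || st=$?
    case $st in
        0) echo vulnerable ;;
        1) echo unaffected ;;
        *) echo unknown ;;
    esac
}

# check_libpng [VDB]: print "<version> <status>" per installed libpng.
# Assumption: VDB holds one directory per package, <category>/<name>-<version>.
# Exit status is 1 if any copy is vulnerable or could not be classified.
check_libpng() {
    vdb=${1:-/var/db/pkg}; bad=0
    for d in "$vdb"/media-libs/libpng-[0-9]*; do
        [ -d "$d" ] || continue
        v=${d##*/libpng-}
        s=$(classify "$v")
        echo "$v $s"
        [ "$s" = unaffected ] || bad=1
    done
    return $bad
}
```

Run `check_libpng` with no argument before and after the upgrade; a version reported as unknown should be checked by hand.
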
References
==========

[ 1 ] CAN-2004-0597
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
[ 2 ] CAN-2004-0598
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
[ 3 ] CAN-2004-0599
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200408-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBEiDEzKC5hMHO6rkRArWQAJ9tGcHpudcqkfWyvi041+B9ticNDwCff+6c
gV6Jd15qu3lxxWneLJn1Ev4=
=WtCw
-----END PGP SIGNATURE-----