[gentoo-announce] [ GLSA 200405-06 ] libpng denial of service vulnerability - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 200405-06 ] libpng denial of service vulnerability
Date:	Fri, 14 May 2004 20:16:38
Message-Id:	`40A528B8.4070305@gentoo.org`

1

-----BEGIN PGP SIGNED MESSAGE-----

2

Hash: SHA1

3

4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5

Gentoo Linux Security Advisory                           GLSA 200405-06

6

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7

                                            http://security.gentoo.org/

8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9

10

  Severity: Normal

11

     Title: libpng denial of service vulnerability

12

      Date: May 14, 2004

13

      Bugs: #49887

14

        ID: 200405-06

15

16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

17

18

Synopsis

19

========

20

21

A bug in the libpng library can be abused to crash programs making use

22

of that library to decode PNG images.

23

24

Background

25

==========

26

27

libpng is a standard library used to process PNG (Portable Network

28

Graphics) images.

29

30

Affected packages

31

=================

32

33

    -------------------------------------------------------------------

34

     Package            /   Vulnerable   /                  Unaffected

35

    -------------------------------------------------------------------

36

  1  media-libs/libpng      <= 1.2.5-r4                    >= 1.2.5-r5

37

38

Description

39

===========

40

41

libpng provides two functions (png_chunk_error and png_chunk_warning)

42

for default error and warning messages handling. These functions do not

43

perform proper bounds checking on the provided message, which is

44

limited to 64 bytes. Programs linked against this library may crash

45

when handling a malicious PNG image.

46

47

Impact

48

======

49

50

This vulnerability could be used to crash various programs using the

51

libpng library, potentially resulting in a denial of service attack on

52

vulnerable daemon processes.

53

54

Workaround

55

==========

56

57

There is no known workaround at this time. All users are advised to

58

upgrade to the latest available version of libpng.

59

60

Resolution

61

==========

62

63

All users of libpng should upgrade to the latest stable version:

64

65

    # emerge sync

66

67

    # emerge -pv ">=media-libs/libpng-1.2.5-r5"

68

    # emerge ">=media-libs/libpng-1.2.5-r5"

69

70

You should also run revdep-rebuild to rebuild any packages that depend

71

on older versions of libpng :

72

73

    # revdep-rebuild

74

75

References

76

==========

77

78

  [ 1 ] CAN-2004-0421

79

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421

80

81

Availability

82

============

83

84

This GLSA and any updates to it are available for viewing at

85

the Gentoo Security Website:

86

87

     http://security.gentoo.org/glsa/glsa-200405-06.xml

88

89

Concerns?

90

=========

91

92

Security is a primary focus of Gentoo Linux and ensuring the

93

confidentiality and security of our users machines is of utmost

94

importance to us. Any security concerns should be addressed to

95

security@g.o or alternatively, you may file a bug at

96

http://bugs.gentoo.org.

97

98

License

99

=======

100

101

Copyright 2004 Gentoo Technologies, Inc; referenced text

102

belongs to its owner(s).

103

104

The contents of this document are licensed under the

105

Creative Commons - Attribution / Share Alike license.

106

107

http://creativecommons.org/licenses/by-sa/1.0

108

109

-----BEGIN PGP SIGNATURE-----

110

Version: GnuPG v1.2.4 (GNU/Linux)

111

Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

112

113

iD8DBQFApSi3vcL1obalX08RAkIkAKCp2IIUHRycJ6IgSGuXl7drtGu+fgCfWb49

114

l/eaSvZlK4R5nm+OtlnM4ys=

115

=KFv5

116

-----END PGP SIGNATURE-----

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5	Gentoo Linux Security Advisory GLSA 200405-06
6	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7	http://security.gentoo.org/
8	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10	Severity: Normal
11	Title: libpng denial of service vulnerability
12	Date: May 14, 2004
13	Bugs: #49887
14	ID: 200405-06
15
16	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18	Synopsis
19	========
20
21	A bug in the libpng library can be abused to crash programs making use
22	of that library to decode PNG images.
23
24	Background
25	==========
26
27	libpng is a standard library used to process PNG (Portable Network
28	Graphics) images.
29
30	Affected packages
31	=================
32
33	-------------------------------------------------------------------
34	Package / Vulnerable / Unaffected
35	-------------------------------------------------------------------
36	1 media-libs/libpng <= 1.2.5-r4 >= 1.2.5-r5
37
38	Description
39	===========
40
41	libpng provides two functions (png_chunk_error and png_chunk_warning)
42	for default error and warning messages handling. These functions do not
43	perform proper bounds checking on the provided message, which is
44	limited to 64 bytes. Programs linked against this library may crash
45	when handling a malicious PNG image.
46
47	Impact
48	======
49
50	This vulnerability could be used to crash various programs using the
51	libpng library, potentially resulting in a denial of service attack on
52	vulnerable daemon processes.
53
54	Workaround
55	==========
56
57	There is no known workaround at this time. All users are advised to
58	upgrade to the latest available version of libpng.
59
60	Resolution
61	==========
62
63	All users of libpng should upgrade to the latest stable version:
64
65	# emerge sync
66
67	# emerge -pv ">=media-libs/libpng-1.2.5-r5"
68	# emerge ">=media-libs/libpng-1.2.5-r5"
69
70	You should also run revdep-rebuild to rebuild any packages that depend
71	on older versions of libpng :
72
73	# revdep-rebuild
74
75	References
76	==========
77
78	[ 1 ] CAN-2004-0421
79	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421
80
81	Availability
82	============
83
84	This GLSA and any updates to it are available for viewing at
85	the Gentoo Security Website:
86
87	http://security.gentoo.org/glsa/glsa-200405-06.xml
88
89	Concerns?
90	=========
91
92	Security is a primary focus of Gentoo Linux and ensuring the
93	confidentiality and security of our users machines is of utmost
94	importance to us. Any security concerns should be addressed to
95	security@g.o or alternatively, you may file a bug at
96	http://bugs.gentoo.org.
97
98	License
99	=======
100
101	Copyright 2004 Gentoo Technologies, Inc; referenced text
102	belongs to its owner(s).
103
104	The contents of this document are licensed under the
105	Creative Commons - Attribution / Share Alike license.
106
107	http://creativecommons.org/licenses/by-sa/1.0
108
109	-----BEGIN PGP SIGNATURE-----
110	Version: GnuPG v1.2.4 (GNU/Linux)
111	Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
112
113	iD8DBQFApSi3vcL1obalX08RAkIkAKCp2IIUHRycJ6IgSGuXl7drtGu+fgCfWb49
114	l/eaSvZlK4R5nm+OtlnM4ys=
115	=KFv5
116	-----END PGP SIGNATURE-----

Gentoo Archives: gentoo-announce