BugTraq
[ MDVSA-2010:064 ] libpng Mar 23 2010 12:57PM
security mandriva com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2010:064
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libpng
Date : March 23, 2010
Affected: 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability has been found and corrected in libpng:

The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before
1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly
handle compressed ancillary-chunk data that has a disproportionately
large uncompressed representation, which allows remote attackers to
cause a denial of service (memory and CPU consumption, and application
hang) via a crafted PNG file, as demonstrated by use of the deflate
compression method on data composed of many occurrences of the same
character, related to a decompression bomb attack (CVE-2010-0205).

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2009.0:
e0f5c5c179b1224d99f6b16b718069b1 2009.0/i586/libpng3-1.2.31-2.2mdv2009.0.i586.rpm
5e5e6ec06e5d5997d82b1780c6e364e1 2009.0/i586/libpng-devel-1.2.31-2.2mdv2009.0.i586.rpm
48c2108e471923710e8ac01d7984df3a 2009.0/i586/libpng-source-1.2.31-2.2mdv2009.0.i586.rpm
24e60615f07e3310091b96db44821b55 2009.0/i586/libpng-static-devel-1.2.31-2.2mdv2009.0.i586.rpm
148ad37542ef79c0ed97be519be0478d 2009.0/SRPMS/libpng-1.2.31-2.2mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
0a76c1bbd16c3ff1e23027aeba6dbb70 2009.0/x86_64/lib64png3-1.2.31-2.2mdv2009.0.x86_64.rpm
8e01630ee7eb85327dc226632b535ffd 2009.0/x86_64/lib64png-devel-1.2.31-2.2mdv2009.0.x86_64.rpm
ed2d30ab62de27e52052fc2bd5958540 2009.0/x86_64/lib64png-static-devel-1.2.31-2.2mdv2009.0.x86_64.rpm
363e0b340727539dab6765b89660fb43 2009.0/x86_64/libpng-source-1.2.31-2.2mdv2009.0.x86_64.rpm
148ad37542ef79c0ed97be519be0478d 2009.0/SRPMS/libpng-1.2.31-2.2mdv2009.0.src.rpm

Mandriva Linux 2009.1:
eb835d104959137d6ca68071e8f55fc6 2009.1/i586/libpng3-1.2.35-1.1mdv2009.1.i586.rpm
c0154024cdcfa2d9fb221e2f4483546c 2009.1/i586/libpng-devel-1.2.35-1.1mdv2009.1.i586.rpm
22ec75a046bd10bfa69afa223e651357 2009.1/i586/libpng-source-1.2.35-1.1mdv2009.1.i586.rpm
2ddcfacf2b6dfa6bf873ffb49bbec43e 2009.1/i586/libpng-static-devel-1.2.35-1.1mdv2009.1.i586.rpm
d28bd0a3c425381e441c0c1d4202ee3d 2009.1/SRPMS/libpng-1.2.35-1.1mdv2009.1.src.rpm

Mandriva Linux 2009.1/X86_64:
c9eec8bdd1b1a2aea33a9e5f8dfdc05e 2009.1/x86_64/lib64png3-1.2.35-1.1mdv2009.1.x86_64.rpm
36436b03497287eefe7011cfc4b69ab5 2009.1/x86_64/lib64png-devel-1.2.35-1.1mdv2009.1.x86_64.rpm
810be607e4dcc0c1e6157dd0281b3122 2009.1/x86_64/lib64png-static-devel-1.2.35-1.1mdv2009.1.x86_64.rpm
948e22de64093275c10dbd781cde02ed 2009.1/x86_64/libpng-source-1.2.35-1.1mdv2009.1.x86_64.rpm
d28bd0a3c425381e441c0c1d4202ee3d 2009.1/SRPMS/libpng-1.2.35-1.1mdv2009.1.src.rpm

Mandriva Linux 2010.0:
50a03f5191cc9383c09ef152fa6ebb8c 2010.0/i586/libpng3-1.2.40-1.1mdv2010.0.i586.rpm
6a528114a5d5cf86c684a179f5ee36b8 2010.0/i586/libpng-devel-1.2.40-1.1mdv2010.0.i586.rpm
9a1154491d80af5ced9a02e37947bf2c 2010.0/i586/libpng-source-1.2.40-1.1mdv2010.0.i586.rpm
fb0671ad70f8202f32c7566d08070a8c 2010.0/i586/libpng-static-devel-1.2.40-1.1mdv2010.0.i586.rpm
5911cb03cac15875905c17214463ab65 2010.0/SRPMS/libpng-1.2.40-1.1mdv2010.0.src.rpm

Mandriva Linux 2010.0/X86_64:
08e10e44a82ca8df8c6586bf07d3b6ce 2010.0/x86_64/lib64png3-1.2.40-1.1mdv2010.0.x86_64.rpm
224425aa77a35bd3233c89613562fe7e 2010.0/x86_64/lib64png-devel-1.2.40-1.1mdv2010.0.x86_64.rpm
2682dae8ecdb43af20aadea093d3f03d 2010.0/x86_64/lib64png-static-devel-1.2.40-1.1mdv2010.0.x86_64.rpm
be6b483916a098489e41d13bf2f98d63 2010.0/x86_64/libpng-source-1.2.40-1.1mdv2010.0.x86_64.rpm
5911cb03cac15875905c17214463ab65 2010.0/SRPMS/libpng-1.2.40-1.1mdv2010.0.src.rpm

Mandriva Enterprise Server 5:
cb7196e7825b553e2414b76e236abf36 mes5/i586/libpng3-1.2.31-2.2mdvmes5.i586.rpm
909211c1ac708b89b790e75261ac27b4 mes5/i586/libpng-devel-1.2.31-2.2mdvmes5.i586.rpm
5216e2e783fee0043ccf34c84db096fd mes5/i586/libpng-source-1.2.31-2.2mdvmes5.i586.rpm
321d36768502ddfb1b90086b6204a670 mes5/i586/libpng-static-devel-1.2.31-2.2mdvmes5.i586.rpm
b2e5c72d1cc33ec0e53b36a590cafa35 mes5/SRPMS/libpng-1.2.31-2.2mdv2009.0.src.rpm

Mandriva Enterprise Server 5/X86_64:
457da1eac0895ee795e2076d46e723d6 mes5/x86_64/lib64png3-1.2.31-2.2mdvmes5.x86_64.rpm
80a132428cc6638972263f7f92fef9da mes5/x86_64/lib64png-devel-1.2.31-2.2mdvmes5.x86_64.rpm
34bea6af1ef00ce04c3f842e6b5fc112 mes5/x86_64/lib64png-static-devel-1.2.31-2.2mdvmes5.x86_64.rpm
a89184a0f83c9bc3b295909a174e66d1 mes5/x86_64/libpng-source-1.2.31-2.2mdvmes5.x86_64.rpm
b2e5c72d1cc33ec0e53b36a590cafa35 mes5/SRPMS/libpng-1.2.31-2.2mdv2009.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLqIx9mqjQ0CJFipgRAjwEAJ9esE4PRdBb1EyE3TaH1wOwo+7isgCgoj4l
HzHGWDCDi+o3C9YelfNCJ8s=
=l5qb
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus