
List:       fedora-legacy-announce
Subject:    [FLSA-2005:1943] Updated libpng resolves security vulnerabilities
From:       fedora-legacy-announce () redhat ! com
Date:       2005-02-10 1:40:45
Message-ID: 20050210014044.GA22176 () home ! thedom ! org



-----------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated libpng resolves security vulnerabilities
Advisory ID:       FLSA:1943
Issue date:        2005-02-08
Product:           Red Hat Linux
                   Fedora Core
Keywords:          Security
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=1943
                   https://bugzilla.fedora.us/show_bug.cgi?id=1550
CVE Names:         CVE-2002-1363, CAN-2004-0597, CAN-2004-0598, 
                   CAN-2004-0599, CAN-2004-0768
-----------------------------------------------------------------------


-----------------------------------------------------------------------
1. Topic:

Updated libpng packages that fix security vulnerabilities are now
available.

The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files. PNG
is a bit-mapped graphics format similar to the GIF format. PNG was
created to replace the GIF format, since GIF uses a patented data
compression algorithm.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

During a source code audit, Chris Evans discovered several buffer overflows
in libpng. An attacker could create a carefully crafted PNG file in such a
way that it would cause an application linked with libpng to execute
arbitrary code when the file was opened by a victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0597 to these issues.

In addition, this audit discovered a potential NULL pointer dereference in
libpng (CAN-2004-0598) and several integer overflow issues (CAN-2004-0599).
An attacker could create a carefully crafted PNG file in such a way that
it would cause an application linked with libpng to crash when the file was
opened by the victim.

These patches also include a more complete fix for the out of bounds memory
access flaw (CVE-2002-1363), in which there was a buffer overrun while adding 
filler bytes to 16-bit RGBA samples, and a similar patch (CAN-2004-0768) that
fixes a buffer overrun while adding filler bytes to 16-bit grayscale samples.

All users are advised to update to the updated libpng packages which
contain backported security patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.  This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs/ for directions on how to configure yum
and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1943 - CAN-2004-0597 to 0599 libpng buffer overflows

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/libpng-1.0.15-0.7x.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libpng-1.0.15-0.7x.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libpng-devel-1.0.15-0.7x.1.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/libpng-1.2.2-20.3.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/libpng10-1.0.15-0.9.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/libpng10-1.0.15-0.9.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/libpng10-devel-1.0.15-0.9.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/libpng-1.2.2-20.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/libpng-devel-1.2.2-20.3.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/libpng-1.2.5-7.1.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/libpng10-1.0.15-7.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/libpng10-1.0.15-7.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/libpng10-devel-1.0.15-7.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/libpng-1.2.5-7.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/libpng-devel-1.2.5-7.1.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
---------------------------------------------------------------------------

e291de4ff9cfdb558b38722a12481c3807f21983  redhat/7.3/updates/SRPMS/libpng-1.0.15-0.7x.1.legacy.src.rpm
1c286b40e2ad76146a9a4480e9db26bc04aaadb7  redhat/7.3/updates/i386/libpng-1.0.15-0.7x.1.legacy.i386.rpm
0dc1beac1fa548eeb4d59fab754c4b42e05ff541  redhat/7.3/updates/i386/libpng-devel-1.0.15-0.7x.1.legacy.i386.rpm

cdd4dd5844581c8aa9b16e9738f9529f77a9804d  redhat/9/updates/SRPMS/libpng10-1.0.15-0.9.1.legacy.src.rpm
be705f7823d379c5c99f88f4b2c2364e333379cb  redhat/9/updates/SRPMS/libpng-1.2.2-20.3.legacy.src.rpm
d71f34a57a80386cdbe2bc9738f0e2b778c639e7  redhat/9/updates/i386/libpng10-1.0.15-0.9.1.legacy.i386.rpm
e89ca650e1839e4ad3155097cf6c70e239befe7c  redhat/9/updates/i386/libpng10-devel-1.0.15-0.9.1.legacy.i386.rpm
7cd0d3d36280449e6cb0fe1b4478d14701ec11c5  redhat/9/updates/i386/libpng-1.2.2-20.3.legacy.i386.rpm
36ddbdaac4cc3ec1f9e23521a0ad1029714a80a2  redhat/9/updates/i386/libpng-devel-1.2.2-20.3.legacy.i386.rpm

8c0ab7f220cfd7022f682772098d5efbd2811526  fedora/1/updates/SRPMS/libpng10-1.0.15-7.1.legacy.src.rpm
6a6643b6e1f01e6f8540f36e9a7518c44826a783  fedora/1/updates/SRPMS/libpng-1.2.5-7.1.legacy.src.rpm
0afca5b729899b1fedeed263ddd2ac7aa506eb5b  fedora/1/updates/i386/libpng10-1.0.15-7.1.legacy.i386.rpm
6a7a6ecaa0435e2254e48bc5ea4c2d1724d5b160  fedora/1/updates/i386/libpng10-devel-1.0.15-7.1.legacy.i386.rpm
8e28d39029ff88510d3899c2848273a76b6e71f4  fedora/1/updates/i386/libpng-1.2.5-7.1.legacy.i386.rpm
405443b2e0e56b3d5e5f3f9b6a89bd3a83c24afb  fedora/1/updates/i386/libpng-devel-1.2.5-7.1.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>
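As an added example (not part of the Fedora Legacy advisory), a small POSIX shell function that ties sections 4 and 7 together: it reads the SHA1 sum list above, saved to a plain text file with one `<sha1>  <path>` entry per line, checks every downloaded RPM in a local mirror directory against it, and only then hands the packages to `rpm --checksig` and `rpm -Fvh`. The manifest file name, the mirror directory layout and the helper names `sha1_of` and `verify_sha1_list` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the Fedora Legacy advisory.
# Assumptions: the "SHA1 sum  Package Name" list from section 7 has been
# saved as a text file with one "<sha1>  <relative path>" entry per line,
# and the RPMs were downloaded into a mirror directory that keeps the same
# relative paths (redhat/9/updates/i386/..., fedora/1/updates/i386/...).

# Use whichever SHA-1 tool the host provides (coreutils sha1sum or shasum).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_sha1_list MANIFEST DIR
# Returns 0 only if every listed package exists under DIR and its SHA-1
# matches the advisory; missing or mismatching files are reported on stderr.
verify_sha1_list() {
    manifest=$1; dir=$2; bad=0
    while read -r expected relpath; do
        # Skip blank lines, the table header and the dashed separator.
        case "$expected" in ''|SHA1|---*) continue ;; esac
        file="$dir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath" >&2; bad=$((bad + 1)); continue
        fi
        actual=$(sha1_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (got $actual)" >&2; bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Typical use on a Red Hat Linux 9 host after importing the Fedora Legacy key
# (manifest name and mirror directory are assumed):
#   verify_sha1_list flsa-1943.sha1 ./mirror && \
#   rpm --checksig -v ./mirror/redhat/9/updates/i386/*.rpm && \
#   rpm -Fvh ./mirror/redhat/9/updates/i386/*.rpm
```

A checksum match only proves the download is intact; the `rpm --checksig` step is what ties the package to the Fedora Legacy signing key, so do not skip it.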

8. References:

https://rhn.redhat.com/errata/RHSA-2004-402.html

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------



--
Fedora-legacy-announce mailing list
Fedora-legacy-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-legacy-announce
