'Re: [oss-security] CVE Request -- libpng v1.4.3 and v1.2.44 -- memory leak while processing PNG imag'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request -- libpng v1.4.3 and v1.2.44 -- memory leak while processing PNG imag
From:       Marcus Meissner <meissner () suse ! de>
Date:       2010-06-30 15:22:40
Message-ID: 20100630152240.GH1474 () suse ! de
[Download RAW message or body]

On Mon, Jun 28, 2010 at 04:26:06PM -0400, Josh Bressers wrote:
> 
> ----- "Jan Lieskovsky" <jlieskov@redhat.com> wrote:
> 
> > Hi Steve, vendors,
> > 
> >    libpng upstream has released latest v1.4.3 and v1.2.44 versions,
> > addressing two
> > security issues:
> > [a], out-of-bounds write to memory -- this already got a CVE id of
> > "CVE-2010-1205",
> > [b], memory-leak bug, involving images with malformed sCAL chunks,
> > which could
> >     lead to an application crash.
> > 
> > References:
> >    [1] http://www.libpng.org/pub/png/libpng.html
> >    [2] https://bugzilla.redhat.com/show_bug.cgi?id=608644
> > 
> > Steve, could you allocate a CVE id for the [b] issue?
> > 
> 
> Please use CVE-2010-2249 for issue [b].

oss-sec, png-mng-implement ... do you have testimages or a reproducer for the sCAL issue?

It would be helpful for our QA :/

Ciao, Marcus
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic