SCIENTIFIC-LINUX-ERRATA Archives

July 2010

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Thu, 15 Jul 2010 10:17:19 -0500
Synopsis:	Important: libpng security update
Issue date:	2010-07-14
CVE Names:	CVE-2009-2042 CVE-2010-0205 CVE-2010-1205
                   CVE-2010-2249

A memory corruption flaw was found in the way applications, using the
libpng library and its progressive reading method, decoded certain PNG
images. An attacker could create a specially-crafted PNG image that, 
when opened, could cause an application using libpng to crash or, 
potentially, execute arbitrary code with the privileges of the user 
running the application. (CVE-2010-1205)

A denial of service flaw was found in the way applications using the 
libpng library decoded PNG images that have certain, highly compressed 
ancillary chunks. An attacker could create a specially-crafted PNG image 
that could cause an application using libpng to consume excessive 
amounts of memory and CPU time, and possibly crash. (CVE-2010-0205)

A memory leak flaw was found in the way applications using the libpng
library decoded PNG images that use the Physical Scale (sCAL) extension. 
An attacker could create a specially-crafted PNG image that could cause 
an application using libpng to exhaust all available memory and possibly 
crash or exit. (CVE-2010-2249)

A sensitive information disclosure flaw was found in the way 
applications using the libpng library processed 1-bit interlaced PNG 
images. An attacker could create a specially-crafted PNG image that 
could cause an application using libpng to disclose uninitialized 
memory. (CVE-2009-2042)

All running applications using libpng or libpng10 must be restarted for 
the update to take effect.

SL 3.0.x

       SRPMS:
libpng-1.2.2-30.src.rpm
libpng10-1.0.13-21.src.rpm
       i386:
libpng10-1.0.13-21.i386.rpm
libpng10-devel-1.0.13-21.i386.rpm
libpng-1.2.2-30.i386.rpm
libpng-devel-1.2.2-30.i386.rpm
       x86_64:
libpng10-1.0.13-21.i386.rpm
libpng10-1.0.13-21.x86_64.rpm
libpng10-devel-1.0.13-21.x86_64.rpm
libpng-1.2.2-30.i386.rpm
libpng-1.2.2-30.x86_64.rpm
libpng-devel-1.2.2-30.x86_64.rpm

SL 4.x

       SRPMS:
libpng-1.2.7-3.el4_8.3.src.rpm
libpng10-1.0.16-3.el4_8.4.src.rpm
       i386:
libpng10-1.0.16-3.el4_8.4.i386.rpm
libpng10-devel-1.0.16-3.el4_8.4.i386.rpm
libpng-1.2.7-3.el4_8.3.i386.rpm
libpng-devel-1.2.7-3.el4_8.3.i386.rpm
       x86_64:
libpng10-1.0.16-3.el4_8.4.i386.rpm
libpng10-1.0.16-3.el4_8.4.x86_64.rpm
libpng10-devel-1.0.16-3.el4_8.4.x86_64.rpm
libpng-1.2.7-3.el4_8.3.i386.rpm
libpng-1.2.7-3.el4_8.3.x86_64.rpm
libpng-devel-1.2.7-3.el4_8.3.x86_64.rpm

SL 5.x

       SRPMS:
libpng-1.2.10-7.1.el5_5.3.src.rpm
       i386:
libpng-1.2.10-7.1.el5_5.3.i386.rpm
libpng-devel-1.2.10-7.1.el5_5.3.i386.rpm
       x86_64:
libpng-1.2.10-7.1.el5_5.3.i386.rpm
libpng-1.2.10-7.1.el5_5.3.x86_64.rpm
libpng-devel-1.2.10-7.1.el5_5.3.i386.rpm
libpng-devel-1.2.10-7.1.el5_5.3.x86_64.rpm

-Connie Sieh
-Troy Dawson
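
The advisory's requirement that running applications using libpng or libpng10 be restarted can be checked after the update by looking for processes that still map the replaced library file. The following is an added example, not part of the original advisory: the function names, the proc-root parameter and the sample maps lines (paths, PIDs, inodes) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the advisory).

# Print the PID of every process that still maps a libpng/libpng10 shared
# object whose on-disk file was replaced (the kernel marks it "(deleted)").
# $1 is the proc root and defaults to /proc; the parameter is this example's own.
stale_libpng_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # unmatched glob or no permission
        pid=${maps%/maps}; pid=${pid##*/}
        # maps columns: range perms offset dev inode pathname [(deleted)]
        if awk '$6 ~ /\/libpng[0-9]*\.so/ && $NF == "(deleted)" { found = 1 }
                END { exit !found }' "$maps" 2>/dev/null; then
            echo "$pid"
        fi
    done
}

# Build a constructed /proc-like tree for demonstration: PID 101 still holds
# the pre-update library, PID 202 was restarted and maps the new file.
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/101" "$root/202"
    cat > "$root/101/maps" <<'EOF'
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/viewer
3a1c200000-3a1c225000 r-xp 00000000 08:02 135522 /usr/lib64/libpng12.so.0.10.0 (deleted)
EOF
    cat > "$root/202/maps" <<'EOF'
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/viewer
3a1c200000-3a1c225000 r-xp 00000000 08:02 140011 /usr/lib64/libpng12.so.0.10.0
EOF
    echo "$root"
}

# Scan the live system only when invoked with the argument "live".
if [ "${1:-}" = "live" ]; then
    stale_libpng_pids /proc
fi
```

Run it as root with the argument `live` to see every process on the host; without root, only the caller's own processes are readable.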
