Fedora Legacy Test Update Notification: libpng

Jim Popovitch jimpop at yahoo.com
Sat Dec 18 20:02:10 UTC 2004


What's a good way to test this? If suggesting pngtest, which version? (I
would think that it would need to be one from the 1.2.8 tree, but not
100% sure.)

-Jim P.

On Sat, 2004-12-18 at 14:18 -0500, Marc Deslauriers wrote:
> ---------------------------------------------------------------------
> Fedora Legacy Test Update Notification
> FEDORALEGACY-2004-1943
> Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1943
> 2004-12-18
> ---------------------------------------------------------------------
> 
> Name         : libpng
> 7.3 Versions : libpng-1.0.15-0.7x.1.legacy
> 9 Versions   : libpng-1.2.2-20.2.legacy, libpng10-1.0.15-0.9.1.legacy
> fc1 Versions : libpng-1.2.5-7.1.legacy, libpng10-1.0.15-7.1.legacy
> Summary      : A library of functions for manipulating PNG image format
>                 files.
> Description  :
> The libpng package contains a library of functions for creating and
> manipulating PNG (Portable Network Graphics) image format files. PNG
> is a bit-mapped graphics format similar to the GIF format. PNG was
> created to replace the GIF format, since GIF uses a patented data
> compression algorithm.
> 
> ---------------------------------------------------------------------
> Update Information:
> 
> Updated libpng packages that fix several issues are now available.
> 
> The libpng package contains a library of functions for creating and
> manipulating PNG (Portable Network Graphics) image format files.
> 
> During a source code audit, Chris Evans discovered several buffer
> overflows in libpng. An attacker could create a carefully crafted PNG
> file in such a way that it would cause an application linked with libpng
> to execute arbitrary code when the file was opened by a victim. The
> Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2004-0597 to these issues.
> 
> In addition, this audit discovered a potential NULL pointer dereference
> in libpng (CAN-2004-0598) and several integer overflow issues
> (CAN-2004-0599). An attacker could create a carefully crafted PNG file
> in such a way that it would cause an application linked with libpng to
> crash when the file was opened by the victim.
> 
> For users of Red Hat Linux 9 these packages also include a forgotten
> patch for the out of bounds memory access flaw (CAN-2002-1363 and
> CAN-2004-0768).
> 
> All users are advised to update to the updated libpng packages which
> contain backported security patches and are not vulnerable to these
> issues.
> 
> ---------------------------------------------------------------------
> Changelogs
> 
> rh73 libpng:
> * Mon Oct 25 2004 Charles R. Anderson <cra at wpi.edu> 1.0.15-0.7x.1.legacy
> - Build for RH 7.x
> 
> * Fri Oct 22 2004 Charles R. Anderson <cra at wpi.edu> 1.0.15-0
> - Sync RH 9 libpng10 and RH 7.x libpng package specs
> 
> * Thu Oct 21 2004 Charles R. Anderson <cra at wpi.edu> 1.0.14-0.7x.8.legacy
> - Use upstream security patch 1.2.5 that is recommended for use
>    with release 1.0.14.
> - Fix previous two changelog entries' formatting
> 
> * Thu Aug 12 2004 Dave Botsch <dwb7 at ccmr.cornell.edu>
> - Added legacy keyword to release
> 
> * Fri Jul 23 2004 Matthias Clasen <mclasen at redhat.com> 1.0.14-7
> - Replace the patches for individual security problems with the
>    cumulative patch issued by the png developers.
> 
> rh9 libpng:
> * Wed Aug 04 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.2.2-20.2.legacy
> - Replace the patches for individual security problems with the
>    cumulative patch issued by the png developers.
>    Fixes CAN-2004-0597, CAN-2004-0598, CAN-2004-0599.
> 
> * Fri Jun 18 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.2.2-20.1.legacy
> - Added better version of the patch for CAN-2002-1363
> 
> rh9 libpng10:
> * Mon Oct 25 2004 Charles R. Anderson <cra at wpi.edu> 1.0.15-0.9.1.legacy
> - Build for RH 9
> 
> * Fri Oct 22 2004 Charles R. Anderson <cra at wpi.edu> 1.0.15-0
> - Sync RH 9 libpng10 and RH 7.x libpng package specs
> 
> * Thu Oct 21 2004 Charles R. Anderson <cra at wpi.edu> 1.0.14-0.7x.8.legacy
> - Use upstream security patch 1.2.5 that is recommended for use
>    with release 1.0.14.
> - Fix previous two changelog entries' formatting
> 
> * Thu Aug 12 2004 Dave Botsch <dwb7 at ccmr.cornell.edu>
> - Added legacy keyword to release
> 
> * Fri Jul 23 2004 Matthias Clasen <mclasen at redhat.com> 1.0.14-7
> - Replace the patches for individual security problems with the
>    cumulative patch issued by the png developers.
> 
> fc1 libpng:
> * Mon Nov 29 2004 Rob Myers <rob.myers at gtri.gatech.edu> 2:1.2.5-7.1.legacy
> - apply patch to limit dimensions (FL #1943)
> 
> * Fri Jul 23 2004 Matthias Clasen <mclasen at redhat.com> 2:1.2.5-7
> - Replace the patches for individual security problems with the
>    cumulative patch issued by the png developers.
> 
> fc1 libpng10:
> * Mon Nov 29 2004 Rob Myers <rob.myers at gtri.gatech.edu> 1.0.15-7.1.legacy
> - apply patch to limit dimensions (FL #1943)
> 
> * Fri Jul 23 2004 Matthias Clasen <mclasen at redhat.com> 1.0.15-7
> - Replace the patches for individual security problems with the
>    cumulative patch issued by the png developers.
> - Build for FC1
> 
> ---------------------------------------------------------------------
> This update can be downloaded from:
>    http://download.fedoralegacy.org/
> (sha1sums)
> 
> 
> ---------------------------------------------------------------------
> 
> Please test and comment in bugzilla.
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list
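Before any functional testing of the packages, a practitioner first checks that what was downloaded matches the sha1sums the advisory publishes. As an added example (not from the advisory or from anyone in this thread), a POSIX sh helper that turns the advisory's two-line listing (checksum on one line, package path on the next) into `sha1sum -c` input and verifies the files under a local mirror directory. It assumes GNU coreutils sha1sum and a POSIX awk; the list file and mirror root are caller-supplied arguments.

```shell
#!/bin/sh
# Added example, not part of the Fedora Legacy advisory or the list post.
# Verifies downloaded update packages against an advisory-style sha1sum
# listing. Assumes GNU coreutils sha1sum and a POSIX awk.

# advisory_to_sha1sum_list: read the advisory's two-line listing on stdin
# (40-hex-digit checksum, then the relative package path on the next line)
# and write "<hash>  <path>" lines that sha1sum -c accepts on stdout.
# Trailing whitespace after the hash, as present in the mailed advisory,
# is dropped; blank lines and release headers such as "9:" are ignored.
advisory_to_sha1sum_list() {
    awk '
        NF == 1 && $1 ~ /^[0-9a-f]+$/ && length($1) == 40 { hash = $1; next }
        hash != "" && NF > 0 { print hash "  " $1; hash = "" }
    '
}

# verify_update_packages LISTFILE MIRROR_ROOT
# Verify every package named in LISTFILE relative to MIRROR_ROOT.
# Returns 0 only when every listed file exists and its sha1 matches;
# a missing or modified file makes sha1sum -c return non-zero.
verify_update_packages() {
    list="$1"
    root="$2"
    advisory_to_sha1sum_list < "$list" | ( cd "$root" && sha1sum -c --status )
}
```

Run it as `verify_update_packages sha1sums.txt /path/to/mirror` after mirroring the advisory's relative paths under that directory; a non-zero exit means at least one package should not be installed.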