Whats a good way to test this? If suggesting pngtest, which version (I would think that it would need to be one from the 1.2.8 tree, but not 100% sure) -Jim P. On Sat, 2004-12-18 at 14:18 -0500, Marc Deslauriers wrote: > --------------------------------------------------------------------- > Fedora Legacy Test Update Notification > FEDORALEGACY-2004-1943 > Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1943 > 2004-12-18 > --------------------------------------------------------------------- > > Name : libpng > 7.3 Versions : libpng-1.0.15-0.7x.1.legacy > 9 Versions : libpng-1.2.2-20.2.legacy, libpng10-1.0.15-0.9.1.legacy > fc1 Versions : libpng-1.2.5-7.1.legacy, libpng10-1.0.15-7.1.legacy > Summary : A library of functions for manipulating PNG image format > files. > Description : > The libpng package contains a library of functions for creating and > manipulating PNG (Portable Network Graphics) image format files. PNG > is a bit-mapped graphics format similar to the GIF format. PNG was > created to replace the GIF format, since GIF uses a patented data > compression algorithm. > > --------------------------------------------------------------------- > Update Information: > > Updated libpng packages that fix several issues are now available. > > The libpng package contains a library of functions for creating and > manipulating PNG (Portable Network Graphics) image format files. > > During a source code audit, Chris Evans discovered several buffer > overflows in libpng. An attacker could create a carefully crafted PNG > file in such a way that it would cause an application linked with libpng > to execute arbitrary code when the file was opened by a victim. The > Common Vulnerabilities and Exposures project (cve.mitre.org) has > assigned the name CAN-2004-0597 to these issues. > > In addition, this audit discovered a potential NULL pointer dereference > in libpng (CAN-2004-0598) and several integer overflow issues > (CAN-2004-0599). An attacker could create a carefully crafted PNG file > in such a way that it would cause an application linked with libpng to > crash when the file was opened by the victim. > > For users of Red Hat Linux 9 these packages also include a forgotten > patch for the out of bounds memory access flaw (CAN-2002-1363 and > CAN-2004-0768). > > All users are advised to update to the updated libpng packages which > contain backported security patches and are not vulnerable to these > issues. > > --------------------------------------------------------------------- > Changelogs > > rh73 libpng: > * Mon Oct 25 2004 Charles R. Anderson <cra@xxxxxxx> 1.0.15-0.7x.1.legacy > - Build for RH 7.x > > * Fri Oct 22 2004 Charles R. Anderson <cra@xxxxxxx> 1.0.15-0 > - Sync RH 9 libpng10 and RH 7.x libpng package specs > > * Thu Oct 21 2004 Charles R. Anderson <cra@xxxxxxx> 1.0.14-0.7x.8.legacy > - Use upstream security patch 1.2.5 that is recommended for use > with release 1.0.14. > - Fix previous two changelog entry's formatting > > * Thu Aug 12 2004 Dave Botsch <dwb7@xxxxxxxxxxxxxxxx> > - Added legacy keyword to release > > * Fri Jul 23 2004 Matthias Clasen <mclasen@xxxxxxxxxx> 1.0.14-7 > - Replace the patches for individual security problems with the > cumulative patch issued by the png developers. > > rh9 libpng: > * Wed Aug 04 2004 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> > 1.2.2-20.2.legacy > - Replace the patches for individual security problems with the > cumulative patch issued by the png developers. > Fixes CAN-2004-0597, CAN-2004-0598, CAN-2004-0599. > > * Fri Jun 18 2004 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> > 1.2.2-20.1.legacy > - Added better version of the patch for CAN-2002-1363 > > rh9 libpng10: > * Mon Oct 25 2004 Charles R. Anderson <cra@xxxxxxx> 1.0.15-0.9.1.legacy > - Build for RH 9 > > * Fri Oct 22 2004 Charles R. Anderson <cra@xxxxxxx> 1.0.15-0 > - Sync RH 9 libpng10 and RH 7.x libpng package specs > > * Thu Oct 21 2004 Charles R. Anderson <cra@xxxxxxx> 1.0.14-0.7x.8.legacy > - Use upstream security patch 1.2.5 that is recommended for use > with release 1.0.14. > - Fix previous two changelog entry's formatting > > * Thu Aug 12 2004 Dave Botsch <dwb7@xxxxxxxxxxxxxxxx> > - Added legacy keyword to release > > * Fri Jul 23 2004 Matthias Clasen <mclasen@xxxxxxxxxx> 1.0.14-7 > - Replace the patches for individual security problems with the > cumulative patch issued by the png developers. > > fc1 libpng: > * Mon Nov 29 2004 Rob Myers <rob.myers@xxxxxxxxxxxxxxx> 2:1.2.5-7.1.legacy > - apply patch to limit dimensions (FL #1943) > > * Fri Jul 23 2004 Matthias Clasen <mclasen@xxxxxxxxxx> 2:1.2.5-7 > - Replace the patches for individual security problems with the > cumulative patch issued by the png developers. > > fc1 libpng10: > * Mon Nov 29 2004 Rob Myers <rob.myers@xxxxxxxxxxxxxxx> 1.0.15-7.1.legacy > - apply patch to limit dimensions (FL #1943) > > * Fri Jul 23 2004 Matthias Clasen <mclasen@xxxxxxxxxx> 1.0.15-7 > - Replace the patches for individual security problems with the > cumulative patch issued by the png developers. > - Build for FC1 > > --------------------------------------------------------------------- > This update can be downloaded from: > http://download.fedoralegacy.org/ > (sha1sums) > > 7.3: > 1c286b40e2ad76146a9a4480e9db26bc04aaadb7 > redhat/7.3/updates-testing/i386/libpng-1.0.15-0.7x.1.legacy.i386.rpm > 0dc1beac1fa548eeb4d59fab754c4b42e05ff541 > redhat/7.3/updates-testing/i386/libpng-devel-1.0.15-0.7x.1.legacy.i386.rpm > e291de4ff9cfdb558b38722a12481c3807f21983 > redhat/7.3/updates-testing/SRPMS/libpng-1.0.15-0.7x.1.legacy.src.rpm > > 9: > d71f34a57a80386cdbe2bc9738f0e2b778c639e7 > redhat/9/updates-testing/i386/libpng10-1.0.15-0.9.1.legacy.i386.rpm > e89ca650e1839e4ad3155097cf6c70e239befe7c > redhat/9/updates-testing/i386/libpng10-devel-1.0.15-0.9.1.legacy.i386.rpm > 90c20c26388d2a32fb84433bff3d3abcd7010425 > redhat/9/updates-testing/i386/libpng-1.2.2-20.2.legacy.i386.rpm > 360acd84d0b7e8bdf7e3358d3235bc67c28b1ba8 > redhat/9/updates-testing/i386/libpng-devel-1.2.2-20.2.legacy.i386.rpm > cdd4dd5844581c8aa9b16e9738f9529f77a9804d > redhat/9/updates-testing/SRPMS/libpng10-1.0.15-0.9.1.legacy.src.rpm > aacfc366fee56b0307be0afe1682cdca4160b2b2 > redhat/9/updates-testing/SRPMS/libpng-1.2.2-20.2.legacy.src.rpm > > fc1: > 0afca5b729899b1fedeed263ddd2ac7aa506eb5b > fedora/1/updates-testing/i386/libpng10-1.0.15-7.1.legacy.i386.rpm > 6a7a6ecaa0435e2254e48bc5ea4c2d1724d5b160 > fedora/1/updates-testing/i386/libpng10-devel-1.0.15-7.1.legacy.i386.rpm > 8e28d39029ff88510d3899c2848273a76b6e71f4 > fedora/1/updates-testing/i386/libpng-1.2.5-7.1.legacy.i386.rpm > 405443b2e0e56b3d5e5f3f9b6a89bd3a83c24afb > fedora/1/updates-testing/i386/libpng-devel-1.2.5-7.1.legacy.i386.rpm > 8c0ab7f220cfd7022f682772098d5efbd2811526 > fedora/1/updates-testing/SRPMS/libpng10-1.0.15-7.1.legacy.src.rpm > 6a6643b6e1f01e6f8540f36e9a7518c44826a783 > fedora/1/updates-testing/SRPMS/libpng-1.2.5-7.1.legacy.src.rpm > > --------------------------------------------------------------------- > > Please test and comment in bugzilla. > -- > > fedora-legacy-list@xxxxxxxxxx > http://www.redhat.com/mailman/listinfo/fedora-legacy-list -- fedora-legacy-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-legacy-list
