-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.001                                          15-Jan-2003
________________________________________________________________________

Package:             png
Vulnerability:       buffer overflow vulnerability
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= png-1.2.5-20021003     >= png-1.2.5-20030115
OpenPKG 1.1          <= png-1.2.4-1.1.0        >= png-1.2.4-1.1.1
OpenPKG 1.0          <= png-1.2.0-1.0.0        >= png-1.2.0-1.0.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache emacs gd gd1 gif2png gnuplot graphviz
                     imagemagick libwmf netpbm perl-gd perl-tk pstoedit
                     webalizer wml
OpenPKG 1.1          apache emacs gd gd1 gnuplot graphviz imagemagick
                     perl-gd wml
OpenPKG 1.0          apache gd perl-gd

Description:
  According to a Debian security advisory based on hints from Glenn
  Randers-Pehrson [0], a buffer overflow vulnerability exists in the
  Portable Network Graphics (PNG) library libpng [1] in connection with
  16-bit samples. The starting offsets for the loops are calculated
  incorrectly, which may cause a buffer overrun beyond the beginning of
  the row buffer. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2002-1363 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -qa
  png". If you have the "png" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), if any, too.
  [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4].
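  The "check whether you are affected" step can be scripted against the
  Affected/Corrected table above. The POSIX sh helper below is an added
  example and is not part of this advisory or of the OpenPKG tooling: it
  takes a package string as printed by "<prefix>/bin/rpm -qa png",
  derives the OpenPKG release from the release tag, and reports whether
  that package is at or below the affected package (exit status 0) or
  at or above the corrected one (exit status 1). The function names
  vlt and png_affected, the mapping of release tags to releases, and
  the package strings fed to it in the loop are all constructed for the
  example.

```shell
#!/bin/sh
# Added example (not OpenPKG project code): classify an installed
# OpenPKG "png" package against the advisory's Affected/Corrected table.

# vlt A B: compare two dotted numeric strings component-wise.
# Returns 0 if A < B, 1 otherwise (equal counts as "not less").
vlt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        case "$a" in *.*) x="${a%%.*}"; a="${a#*.}" ;; *) x="$a"; a="" ;; esac
        case "$b" in *.*) y="${b%%.*}"; b="${b#*.}" ;; *) y="$b"; b="" ;; esac
        x="${x:-0}"; y="${y:-0}"          # missing component counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# png_affected PKG: PKG is one line of "rpm -qa png", e.g. png-1.2.4-1.1.0.
# Prints a verdict; returns 0 = affected, 1 = corrected, 2 = unrecognised.
png_affected() {
    pkg="$1"
    case "$pkg" in png-*) ;; *) echo "not a png package: $pkg" >&2; return 2 ;; esac
    rest="${pkg#png-}"            # 1.2.4-1.1.0
    ver="${rest%%-*}"             # 1.2.4   (upstream libpng version)
    rel="${rest#*-}"              # 1.1.0   (OpenPKG release tag)

    # Map the release tag to the corrected package from the advisory table.
    # Assumption of this example: 1.1.x tags belong to OpenPKG 1.1, 1.0.x to
    # OpenPKG 1.0, and an eight-digit date tag to OpenPKG CURRENT snapshots.
    case "$rel" in
        1.1.*)   fixed_ver=1.2.4; fixed_rel=1.1.1 ;;
        1.0.*)   fixed_ver=1.2.0; fixed_rel=1.0.1 ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
                 fixed_ver=1.2.5; fixed_rel=20030115 ;;
        *)       echo "unknown release tag in $pkg" >&2; return 2 ;;
    esac

    # Affected if the version is older, or the version matches and the
    # release tag is older than the corrected package's tag.
    if vlt "$ver" "$fixed_ver"; then
        echo "$pkg: affected (upgrade to png-$fixed_ver-$fixed_rel)"; return 0
    fi
    if [ "$ver" = "$fixed_ver" ] && vlt "$rel" "$fixed_rel"; then
        echo "$pkg: affected (upgrade to png-$fixed_ver-$fixed_rel)"; return 0
    fi
    echo "$pkg: not affected (>= png-$fixed_ver-$fixed_rel)"; return 1
}

# Constructed sample input standing in for "<prefix>/bin/rpm -qa png" on
# three hosts: one affected per release and one already corrected.
for pkg in png-1.2.5-20021003 png-1.2.4-1.1.0 png-1.2.0-1.0.1; do
    png_affected "$pkg" || true
done
```

  On a real host, pipe the actual output through it, for instance
  "<prefix>/bin/rpm -qa png | while read p; do png_affected "$p"; done";
  only the png package itself is classified, so the dependent packages
  listed above still have to be rebuilt after the upgrade.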
  For the current release OpenPKG 1.1, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get png-1.2.4-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig png-1.2.4-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild png-1.2.4-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/png-1.2.4-1.1.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall all dependent
  packages (see above), if any, too. [3][4]
________________________________________________________________________

References:
  [0] http://www.debian.org/security/2002/dsa-213
  [1] http://www.libpng.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.0/UPD/png-1.2.0-1.0.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/png-1.2.4-1.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.0/UPD/
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE+JYCpgHWT4GPEy58RAk3eAJ9dG8BbE6BNmvWA2GOZuRNWL5lLZQCghoWd
P4HMyx1pxytvcak6xgBPRPM=
=Ulpx
-----END PGP SIGNATURE-----