[SECURITY] Fedora 9 Update: optipng-0.6.2-1.fc9
updates at fedoraproject.org
Thu Nov 13 03:37:11 UTC 2008
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-9633
2008-11-13 02:40:16
--------------------------------------------------------------------------------
Name : optipng
Product : Fedora 9
Version : 0.6.2
Release : 1.fc9
URL : http://optipng.sourceforge.net/
Summary : PNG optimizer and converter
Description :
OptiPNG is a PNG optimizer that recompresses image files to a smaller size,
without losing any information. This program also converts external formats
(BMP, GIF, PNM and TIFF) to optimized PNG, and performs PNG integrity checks
and corrections.
--------------------------------------------------------------------------------
Update Information:
The main reason for this update is the removal of a buffer overflow that could
be triggered by processing specially crafted bitmap images (*.bmp).

Aggregated upstream changelog:
==============================
++ Put back a speed optimization, accidentally removed in version 0.6,
   allowing singleton trials (-o1) to be bypassed in certain conditions.
!! Fixed an array overflow in the BMP reader.
!! Fixed the loss of private chunks under the -snip option.
 + Produced a more concise on-screen output in the non-verbose mode.
   (Thanks to Vincent Lefevre for the suggestion.)
 * Added a programming interface to the optimization engine, in order to
   facilitate the development of PNG-optimizing GUI apps and plugins.
 ! Fixed processing when image reduction yields an output larger than the
   original. (Thanks to Michael Krishtopa for the report.)
 ! Fixed behavior of -preserve. (Thanks to Bill Koch for the report.)
 - Removed displaying of partial progress when abandoning IDATs under the -v
   option. The percentages displayed were not very accurate.
++ Implemented grayscale(alpha)-to-palette reductions.
++ Improved conversion of bKGD info during RGB-to-palette reductions.
   (Thanks to Matthew Fearnley for the contribution.)
!! Fixed conversion of bKGD and tRNS during 16-to-8-bit reductions.
   (Thanks to Matthew Fearnley for the report.)
 + Added support for compressed BMP (incl. PNG-compressed BMP, you bet!)
 + Improved the speed of reading raw PNM files.
 + Recognized PNG digital signatures (dSIG) and disabled optimization in
   their presence, to preserve their integrity.
 + Allowed the user to enforce the optimization of dSIG'ed files.
 + Recognized APNG animation files and disabled reductions to preserve their
   integrity.
 + Added the -snip option, to allow the user to "snip" one image out of a
   multi-image file, such as animated GIF, multi-page TIFF, or APNG.
   (Thanks to [LaughingMan] for the suggestion.)
 + Improved recovery of PNG files with incomplete IDAT.
 ! Fixed behavior of -out and -dir when the input is already optimized.
   (Thanks to Christian Davideck for the report.)
 * Provided more detailed image information at the start of processing.
 * Provided a more detailed summary at the end of processing, under the
   presence of the -v option and/or the occurrence of exceptional events.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Nov 12 2008 Till Maas <opensource at till.name> - 0.6.2-1
- Update to new release to fix buffer overflow
- Red Hat Bugzilla #471206
* Thu Aug 28 2008 Ville Skyttä <ville.skytta at iki.fi> - 0.6.1-1
- 0.6.1.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #471206 - OptiPNG: Buffer overflow in BMP image handling reader
https://bugzilla.redhat.com/show_bug.cgi?id=471206
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update optipng' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------