[SECURITY] Fedora 9 Update: optipng-0.6.2-1.fc9

updates at fedoraproject.org
Thu Nov 13 03:37:11 UTC 2008


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-9633
2008-11-13 02:40:16
--------------------------------------------------------------------------------

Name        : optipng
Product     : Fedora 9
Version     : 0.6.2
Release     : 1.fc9
URL         : http://optipng.sourceforge.net/
Summary     : PNG optimizer and converter
Description :
OptiPNG is a PNG optimizer that recompresses image files to a smaller size,
without losing any information. This program also converts external formats
(BMP, GIF, PNM and TIFF) to optimized PNG, and performs PNG integrity checks
and corrections.

--------------------------------------------------------------------------------
Update Information:

The main reason for this update is a buffer overflow, fixed in this version,
that could be triggered by processing specially crafted bitmap images (*.bmp).

Aggregated upstream changelog:
==============================
++ Put back a speed optimization, accidentally removed in version 0.6, allowing
   singleton trials (-o1) to be bypassed in certain conditions.
!! Fixed an array overflow in the BMP reader.
!! Fixed the loss of private chunks under the -snip option.
 + Produced a more concise on-screen output in the non-verbose mode.
   (Thanks to Vincent Lefevre for the suggestion.)
 * Added a programming interface to the optimization engine, in order to
   facilitate the development of PNG-optimizing GUI apps and plugins.
 ! Fixed processing when image reduction yields an output larger than the
   original. (Thanks to Michael Krishtopa for the report.)
 ! Fixed behavior of -preserve. (Thanks to Bill Koch for the report.)
 - Removed displaying of partial progress when abandoning IDATs under the -v
   option. The percentages displayed were not very accurate.
++ Implemented grayscale(alpha)-to-palette reductions.
++ Improved conversion of bKGD info during RGB-to-palette reductions.
   (Thanks to Matthew Fearnley for the contribution.)
!! Fixed conversion of bKGD and tRNS during 16-to-8-bit reductions.
   (Thanks to Matthew Fearnley for the report.)
 + Added support for compressed BMP (incl. PNG-compressed BMP, you bet!)
 + Improved the speed of reading raw PNM files.
 + Recognized PNG digital signatures (dSIG) and disabled optimization in their
   presence, to preserve their integrity.
 + Allowed the user to enforce the optimization of dSIG'ed files.
 + Recognized APNG animation files and disabled reductions to preserve their
   integrity.
 + Added the -snip option, to allow the user to "snip" one image out of a
   multi-image file, such as animated GIF, multi-page TIFF, or APNG.
   (Thanks to [LaughingMan] for the suggestion.)
 + Improved recovery of PNG files with incomplete IDAT.
 ! Fixed behavior of -out and -dir when the input is already optimized.
   (Thanks to Christian Davideck for the report.)
 * Provided more detailed image information at the start of processing.
 * Provided a more detailed summary at the end of processing, under the
   presence of the -v option and/or the occurrence of exceptional events.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 12 2008 Till Maas <opensource at till.name> - 0.6.2-1
- Update to new release to fix buffer overflow
- Red Hat Bugzilla #471206
* Thu Aug 28 2008 Ville Skyttä <ville.skytta at iki.fi> - 0.6.1-1
- 0.6.1.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #471206 - OptiPNG: Buffer overflow in BMP image handling reader
        https://bugzilla.redhat.com/show_bug.cgi?id=471206
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update optipng' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
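To confirm the fix has actually landed across a fleet, a defender wants to compare each host's installed optipng version-release against the fixed one named in this advisory (0.6.2-1.fc9). The following is an added example, not part of the Fedora announcement or the optipng project: it implements a simplified rpmvercmp-style comparison and runs it over a constructed inventory report (the host names and versions are made up; the report format assumes each line is "host name version-release", as one might collect with `rpm -q --qf` on each host).

```python
"""Flag hosts whose optipng is older than the FEDORA-2008-9633 fix."""
import re

FIXED_VR = "0.6.2-1.fc9"  # fixed version-release, from the advisory


def _segments(s):
    # Split into numeric and alphabetic runs, ignoring separators, as rpmvercmp does
    return re.findall(r"\d+|[A-Za-z]+", s)


def _cmp_segment(a, b):
    if a.isdigit() and b.isdigit():
        ia, ib = int(a), int(b)          # numeric runs compare as integers
        return (ia > ib) - (ia < ib)
    if a.isdigit():                      # a numeric run counts as newer than alpha
        return 1
    if b.isdigit():
        return -1
    return (a > b) - (a < b)             # alphabetic runs compare lexically


def vercmp(a, b):
    """Simplified rpmvercmp (no epoch, no tilde handling): -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        c = _cmp_segment(x, y)
        if c:
            return c
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare 'version-release' strings such as '0.6.1-1.fc9'."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)


def is_vulnerable(installed_vr):
    return evr_cmp(installed_vr, FIXED_VR) < 0


# Constructed sample report (assumed format: host, package, version-release)
SAMPLE_REPORT = """\
host-a optipng 0.6.1-1.fc9
host-b optipng 0.6.2-1.fc9
host-c optipng 0.5.5-2.fc9
"""


def find_vulnerable(report=SAMPLE_REPORT):
    """Return the hosts still running an optipng older than the fix."""
    return [h for h, name, vr in (ln.split() for ln in report.splitlines())
            if name == "optipng" and is_vulnerable(vr)]
```

On the constructed report, `find_vulnerable()` returns `['host-a', 'host-c']`; host-b already carries the fixed build.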

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------