[SECURITY] Fedora 7 Update: libpng10-1.0.29-1.fc7

updates at fedoraproject.org
Wed Oct 24 07:17:45 UTC 2007


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-2521
2007-10-24 07:17:43.345038
--------------------------------------------------------------------------------

Name        : libpng10
Product     : Fedora 7
Version     : 1.0.29
Release     : 1.fc7
URL         : http://www.libpng.org/pub/png/libpng.html
Summary     : Old version of libpng, needed to run old binaries
Description :
The libpng10 package contains an old version of libpng, a library of functions
for creating and manipulating PNG (Portable Network Graphics) image format
files.

This package is needed if you want to run binaries that were linked dynamically
with libpng 1.0.x.

--------------------------------------------------------------------------------
Update Information:

Certain chunk handlers in libpng10 before 1.0.29 allow remote attackers to cause a denial of service (crash) via crafted (1) pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt (png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) zTXt (png_handle_zTXt) chunks in PNG images, which trigger out-of-bounds read operations.

http://secunia.com/advisories/27093
http://www.frsirt.com/english/advisories/2007/3390
http://sourceforge.net/mailarchive/forum.php?thread_name=3.0.6.32.20071004082318.012a7628%40mail.comcast.net&forum_name=png-mng-implement

This update to 1.0.29 addresses these issues.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct  5 2007 Paul Howarth <paul at city-fan.org> 1.0.29-1
- update to 1.0.29
* Tue Sep 11 2007 Paul Howarth <paul at city-fan.org> 1.0.28-1
- update to 1.0.28
* Mon Aug 20 2007 Paul Howarth <paul at city-fan.org> 1.0.27-1
- update to 1.0.27
- add new file ANNOUNCE, which lists changes since last release
- use shortname "zlib" for the license tag (package is zlib/libpng licensed)
- drop pkgconf patch, which should no longer be needed
* Sun May 20 2007 Paul Howarth <paul at city-fan.org> 1.0.26-1
- update to 1.0.26 to address DoS issue (#240398, CVE-2007-2445)
- update soname patch
- libpng.txt now has a versioned filename
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #327791 - CVE-2007-5269 libpng DoS via multiple out-of-bounds reads
        https://bugzilla.redhat.com/show_bug.cgi?id=327791
  [ 2 ] CVE-2007-5269
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269
--------------------------------------------------------------------------------
Updated packages:


This update can be installed with the "yum" update program.  Use 
su -c 'yum update libpng10' 
at the command line.  For more information, refer to "Managing Software
with yum", available at http://docs.fedoraproject.org/yum/.
--------------------------------------------------------------------------------



