|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Raphael Marichez (falco
gentoo.org)
Date: Thu May 31 2007 - 13:12:58 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200705-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: libpng: Denial of Service
Date: May 31, 2007
Bugs: #178004
ID: 200705-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in libpng may allow a remote attacker to crash
applications that handle untrusted images.
Background
==========
libpng is a free ANSI C library used to process and manipulate PNG
images.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/libpng < 1.2.17 >= 1.2.17
Description
===========
Mats Palmgren fixed an error in file pngrutil.c in which the trans[]
array might be not allocated because of images with a bad tRNS chunk
CRC value.
Impact
======
A remote attacker could craft an image that when processed or viewed by
an application using libpng causes the application to terminate
abnormally.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
Please note that due to separate bugs in libpng 1.2.17, Gentoo does not
provide libpng-1.2.17 but libpng-1.2.18. All libpng users should
upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.18"
References
==========
[ 1 ] CVE-2007-2445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2445
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200705-24.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iQEVAwUBRl8QKjvRww8BFPxFAQKFngf+Lyan47klURyZYfFSoi5965u2sMpYCCTD
H5S3r1RxK8/XwaEAQkl6igGfeyrg0bnL90Kt4PzxSv1ja0qDByDVTMcinxgDV7Il
MmG6WCIA91L/OgKvxhFhDiAaiyfuCKZCcFrOanUsWBdPgHEUxpQXOGd/mPd2HiNn
ymK7ElQuFFiuq38ogNdE8J1UQhZYlVv2EpLSRdrRkErSdoFeHubnAn46gaeW4UwH
RNwdvBW9c5mFG6bGCwiR3DENX5FOYIWfT8DPMW7yaiy3NKCAVt2DF6AjhPAVL587
wDU2sBWgY2chyhlq8FdBE2wIVGs2UVrEvNMKWsgESf7dHyM3K4YtEQ==
=FyZN
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]