Login
Newsletter
Werbung

Sicherheit: Zwei Probleme in libpng
Aktuelle Meldungen Distributionen
Name: Zwei Probleme in libpng
ID: MDVSA-2010:063
Distribution: Mandriva
Plattformen: Mandriva Multi Network Firewall 2.0, Mandriva Corporate 4.0, Mandriva 2008.0
Datum: Di, 23. März 2010, 08:41
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
Applikationen: libpng

Originalnachricht

This is a multi-part message in MIME format...

------------=_1269300913-24326-6186


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2010:063
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libpng
Date : March 22, 2010
Affected: 2008.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been found and corrected in libpng:

libpng before 1.2.37 does not properly parse 1-bit interlaced images
with width values that are not divisible by 8, which causes libpng
to include uninitialized bits in certain rows of a PNG file and
might allow remote attackers to read portions of sensitive memory
via out-of-bounds pixels in the file (CVE-2009-2042).

The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before
1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly
handle compressed ancillary-chunk data that has a disproportionately
large uncompressed representation, which allows remote attackers to
cause a denial of service (memory and CPU consumption, and application
hang) via a crafted PNG file, as demonstrated by use of the deflate
compression method on data composed of many occurrences of the same
character, related to a decompression bomb attack (CVE-2010-0205).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
a490385a7af091254460923d5b370281
2008.0/i586/libpng3-1.2.22-0.4mdv2008.0.i586.rpm
0a24bbf70a2d0acfe67872e0c9d8f709
2008.0/i586/libpng-devel-1.2.22-0.4mdv2008.0.i586.rpm
4606a9e929c6051e122b70ebe2e7bad4
2008.0/i586/libpng-source-1.2.22-0.4mdv2008.0.i586.rpm
694d03d2e8d3bcd07fc0684fd8a6b0c9
2008.0/i586/libpng-static-devel-1.2.22-0.4mdv2008.0.i586.rpm
da310f9645a322af4d2a97b9cf4592eb
2008.0/SRPMS/libpng-1.2.22-0.4mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
4502fd5d882a47d409bfd0e0bc154c88
2008.0/x86_64/lib64png3-1.2.22-0.4mdv2008.0.x86_64.rpm
91b539a7a3a87d57c1ee1e33921aa787
2008.0/x86_64/lib64png-devel-1.2.22-0.4mdv2008.0.x86_64.rpm
f0e202692b44e5ebd09168e307a1ad7b
2008.0/x86_64/lib64png-static-devel-1.2.22-0.4mdv2008.0.x86_64.rpm
a5c685aa7aac15155af58211a576e08c
2008.0/x86_64/libpng-source-1.2.22-0.4mdv2008.0.x86_64.rpm
da310f9645a322af4d2a97b9cf4592eb
2008.0/SRPMS/libpng-1.2.22-0.4mdv2008.0.src.rpm

Corporate 4.0:
e224d113e77e285d85ff11c55dae9e50
corporate/4.0/i586/libpng3-1.2.8-1.7.20060mlcs4.i586.rpm
c0d62f11277442b0d7a909d0c1c53249
corporate/4.0/i586/libpng3-devel-1.2.8-1.7.20060mlcs4.i586.rpm
8ea7ca8ab7bbed8f2683698a3f493d56
corporate/4.0/i586/libpng3-static-devel-1.2.8-1.7.20060mlcs4.i586.rpm
76f958bdba2876ea2a36f42407aaa9dc
corporate/4.0/SRPMS/libpng-1.2.8-1.7.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
a19c0839e78e5d16cc159621ff8e3786
corporate/4.0/x86_64/lib64png3-1.2.8-1.7.20060mlcs4.x86_64.rpm
68d1b5c5174f6de15eb1d68735e45e0f
corporate/4.0/x86_64/lib64png3-devel-1.2.8-1.7.20060mlcs4.x86_64.rpm
d477b9271f6beba77435121f09dff09d
corporate/4.0/x86_64/lib64png3-static-devel-1.2.8-1.7.20060mlcs4.x86_64.rpm
76f958bdba2876ea2a36f42407aaa9dc
corporate/4.0/SRPMS/libpng-1.2.8-1.7.20060mlcs4.src.rpm

Multi Network Firewall 2.0:
5fe2f05d45ebaac79c58e47429dedceb
mnf/2.0/i586/libpng3-1.2.5-10.12.M20mdk.i586.rpm
0ebace3f9758ea06e6471317f95b253f
mnf/2.0/i586/libpng3-devel-1.2.5-10.12.M20mdk.i586.rpm
3aa8ba999455eb190979ec7f6f22421a
mnf/2.0/i586/libpng3-static-devel-1.2.5-10.12.M20mdk.i586.rpm
1ceca3083b90247ac1d1b68b4bf08f33
mnf/2.0/SRPMS/libpng-1.2.5-10.12.M20mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLp88BmqjQ0CJFipgRAl2vAKCNCYs8gf3lw0tqgRMM6WC87P6roQCfZMU2
M2vZq2Q3ZYYDuZssm6LfxaI=
=dFcH
-----END PGP SIGNATURE-----


------------=_1269300913-24326-6186
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1269300913-24326-6186--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung