Security: Multiple problems in libpng
Name: Multiple problems in libpng
ID: 201408-06
Distribution: Gentoo
Platforms: Not specified
Date: Thu, 14 August 2014, 18:05
References:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7353
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0333
Applications: libpng

Original message
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201408-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: libpng: Multiple vulnerabilities
     Date: August 14, 2014
     Bugs: #503014, #507378
       ID: 201408-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in libpng which can allow a remote attacker to cause a Denial of Service condition.
Background
==========
libpng is a standard library used to process PNG (Portable Network Graphics) images. It is used by several programs, including web browsers and potentially server processes.
Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/libpng            < 1.6.10                   >= 1.6.10
                                                                 < 1.3
                                                            *>= 1.5.18

Description
===========
The png_push_read_chunk function in pngpread.c in the progressive decoder enters an infinite loop when it encounters a zero-length IDAT chunk. In addition, certain integer overflows have been detected and corrected.
The 1.2 branch is not affected by these vulnerabilities.
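As an added example (not part of the Gentoo advisory and not libpng code), the following Python function walks a PNG's chunk list and reports the offsets of zero-length IDAT chunks, the condition named above for the progressive decoder. The function name and the sample byte strings are constructed for illustration; the check does not cover the integer overflows.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def find_zero_length_idat(data: bytes) -> list[int]:
    """Return byte offsets of zero-length IDAT chunks in a PNG byte string.

    Raises ValueError if the data is not a PNG or a chunk runs past the end.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    hits = []
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError(f"truncated chunk header at offset {pos}")
        # Chunk layout: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            raise ValueError(f"chunk {ctype!r} at offset {pos} runs past end of file")
        if ctype == b"IDAT" and length == 0:
            hits.append(pos)
        if ctype == b"IEND":
            break
        pos = end
    return hits


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk (length, type, data, CRC) for the constructed samples."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed samples: a 1x1 grayscale image, with and without an empty IDAT chunk.
_IHDR = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
_IDAT = _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
SAMPLE_CLEAN = PNG_SIGNATURE + _IHDR + _IDAT + _chunk(b"IEND", b"")
SAMPLE_FLAGGED = PNG_SIGNATURE + _IHDR + _chunk(b"IDAT", b"") + _IDAT + _chunk(b"IEND", b"")

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("flagged", SAMPLE_FLAGGED)):
        print(name, find_zero_length_idat(blob))
```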
Impact
======
A remote attacker could entice a user to open a specially crafted PNG file using an application linked against libpng, possibly resulting in Denial of Service.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libpng users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.6.10"

Users with current installs in the 1.5 branch should also upgrade this using:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.5.18:1.5"

Packages which depend on this library may need to be recompiled. Tools such as revdep-rebuild may assist in identifying these packages.
References
==========
[ 1 ] CVE-2013-7353
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7353
[ 2 ] CVE-2013-7354
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7354
[ 3 ] CVE-2014-0333
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0333

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201408-06.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5