Summary: | <media-libs/libpng-1.2.43: Ancillary Chunks "Decompression Bomb" Denial of Service (CVE-2010-0205) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tobias Heinlein (RETIRED) <keytoaster> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | base-system, jaak |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/38774/ | ||
Whiteboard: | A3 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 305095 | ||
Bug Blocks: | ||
Description
Tobias Heinlein (RETIRED)
2010-03-03 16:27:18 UTC
base-system, please provide an updated ebuild.

CVE-2010-0205 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0205): The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack.

libpng 1.2.43 now in the tree.

Adding tracker bug for >=media-libs/libpng-1.4.0 problems.

Only 308617 is left there, can someone fix that or might it still be OK to go stable with 1.2.43? Please advise.

amd64 and x86 should stabilize this for binary packages for use with libpng-1.4: media-libs/libpng-1.2.43-r1 -> amd64 x86

Everyone should mark this stable, normal libpng ebuild: media-libs/libpng-1.2.43-r2 -> alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86

ppc64 done

amd64 stable

Stable for HPPA.

Marked ppc stable.

Should the 1.2.43-r2 ebuild be slotted for "1.2" instead of "0"?

alpha/arm/ia64/m68k/s390/sh/sparc/x86 stable

GLSA with #324153

GLSA 201010-01
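The condition the CVE text describes is a compressed ancillary chunk (zTXt here) whose inflated size is out of all proportion to its stored size. The following is an added example, not code from this bug or from libpng: a minimal PNG chunk walker that inflates zTXt data only up to a fixed byte limit and rejects the chunk when that limit is exceeded. The limit value, the helper names and the embedded sample file are all constructed for the demonstration.

```python
import struct
import zlib

# Assumed cap on the inflated size of one ancillary chunk (1 MiB). libpng's fix
# applies a user limit of the same kind; this number is chosen for the demo.
MAX_INFLATED_CHUNK = 1 << 20
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, payload, CRC32(type+payload)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_ztxt(keyword: bytes, text: bytes) -> bytes:
    """Build a zTXt chunk: keyword, NUL, compression method 0, deflate data."""
    return chunk(b"zTXt", keyword + b"\0\0" + zlib.compress(text, 9))


# Constructed sample: a 1x1 IHDR, a harmless zTXt, and a zTXt whose text is
# 16 MiB of one repeated byte (about 16 KiB compressed), then IEND.
SAMPLE_PNG = (PNG_SIGNATURE
              + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + make_ztxt(b"Comment", b"hello")
              + make_ztxt(b"Comment", b"A" * (16 << 20))
              + chunk(b"IEND", b""))


def iter_chunks(data: bytes):
    """Yield (type, payload) for every chunk after the PNG signature."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC


def inflate_bounded(compressed: bytes, limit: int) -> bytes:
    """Inflate, asking zlib for at most limit+1 bytes; anything beyond is a bomb."""
    d = zlib.decompressobj()
    out = d.decompress(compressed, limit + 1)
    if len(out) > limit or not d.eof:  # stream not finished within the budget
        raise ValueError("chunk inflates past %d bytes" % limit)
    return out


def scan_ztxt(png: bytes, limit: int = MAX_INFLATED_CHUNK) -> list:
    """Return ('ok', inflated_len) or ('rejected', reason) for each zTXt chunk."""
    results = []
    for ctype, payload in iter_chunks(png):
        if ctype != b"zTXt":
            continue
        keyword, rest = payload.split(b"\0", 1)
        try:
            if rest[0] != 0:
                raise ValueError("unknown compression method")
            results.append(("ok", len(inflate_bounded(rest[1:], limit))))
        except ValueError as exc:
            results.append(("rejected", str(exc)))
    return results
```

Running `scan_ztxt(SAMPLE_PNG)` accepts the first chunk and rejects the second without ever materialising the 16 MiB; the same bounded-inflate pattern applies to iCCP and iTXt.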