First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 272970
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Alex Legler <a3li@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 272970 depends on: Show dependency tree
Bug 272970 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2009-06-06 20:12 0000 
From Secunia:

A vulnerability has been reported in libpng, which can be exploited by
malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an error when processing 1-bit interlaced
images. This can be exploited to disclose uninitialised memory via specially
crafted images having widths that are not divisible by 8.

The vulnerability is reported in versions prior to 1.2.37.

Solution:
Update to version 1.2.37.

------- Comment #1 From Alex Legler 2009-06-06 20:13:15 0000 ------- 
base-system: Can we go stable with 1.2.37?

------- Comment #2 From SpanKY 2009-06-06 21:27:47 0000 ------- 
no one has complained about it and usually broken libpng versions get noticed
pretty quickly

------- Comment #3 From Robert Buchholz 2009-06-07 12:59:50 0000 ------- 
Arches, please test and mark stable:
=media-libs/libpng-1.2.37
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

------- Comment #4 From Tobias Klausmann 2009-06-07 16:22:27 0000 ------- 
Stable on alpha.

------- Comment #5 From Jeroen Roovers 2009-06-07 18:59:31 0000 ------- 
Stable for HPPA.

------- Comment #6 From Christian Faulhammer 2009-06-08 20:28:35 0000 ------- 
x86 stable

------- Comment #7 From Raúl Porcel 2009-06-10 14:16:31 0000 ------- 
arm/ia64/m68k/s390/sh/sparc stable

------- Comment #8 From Markus Meier 2009-06-10 19:06:07 0000 ------- 
amd64 stable

------- Comment #9 From Alex Legler 2009-06-13 09:20:18 0000 ------- 
CVE-2009-2042 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2042):
  libpng before 1.2.37 does not properly parse 1-bit interlaced images
  with width values that are not divisible by 8, which causes libpng to
  include uninitialized bits in certain rows of a PNG file and might
  allow remote attackers to read portions of sensitive memory via
  "out-of-bounds pixels" in the file.

------- Comment #10 From Brent Baude 2009-06-16 19:21:18 0000 ------- 
ppc64 done

------- Comment #11 From Brent Baude 2009-06-21 14:07:57 0000 ------- 
ppc done

------- Comment #12 From Alex Legler 2009-06-21 14:15:48 0000 ------- 
GLSA Voting: NO.

------- Comment #13 From Tobias Heinlein 2009-06-21 18:41:46 0000 ------- 
I'd say YES.

------- Comment #14 From Tobias Heinlein 2009-06-21 18:42:03 0000 ------- 
... and drafted.

------- Comment #15 From Tobias Heinlein 2009-06-27 23:58:16 0000 ------- 
GLSA 200906-01, thanks everyone.
First Last Prev Next    No search results available      Search page      Enter new bug