"A flaw was found in the check_chunk_name() function of pngcheck-2.4.0. An attacker able to pass a malicious file to be processed by pngcheck could cause a temporary denial of service, posing a low risk to application availability."
From http://www.libpng.org/pub/png/apps/pngcheck.html:

Vulnerability Warning

pngcheck versions 3.0.0 and earlier have a pair of buffer-overrun bugs related to the sPLT and PPLT chunks (the latter is a MNG-only chunk, but it gets noticed even in PNG files if the -s option is used). Both bugs are fixed in version 3.0.1, released on 24 January 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

Vulnerability Warning

pngcheck versions 2.4.0 and earlier have a number of buffer-overrun bugs, most (but not all) of which are related to the -f option ("force continued parsing after major errors"). As such, the option has been removed altogether in version 3.0.0 (which is the reason for the major-version bump), released on 12 December 2020. All known vulnerabilities are fixed in this version, but the code is pretty crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

Vulnerability Warning

pngcheck versions 3.0.1 and earlier have a buffer-overrun bug related to the MNG LOOP chunk (which gets noticed even in PNG files if the -s option is used). This bug is fixed in version 3.0.2, released on 31 January 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=531a61e9d885c091ea7ab0596f9367e2f40a15af

commit 531a61e9d885c091ea7ab0596f9367e2f40a15af
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-02-01 19:23:52 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-02-01 22:14:04 +0000

    media-gfx/pngcheck: (security) bump to 3.0.2

    Bug: https://bugs.gentoo.org/759013
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/pngcheck/Manifest | 1 +
 media-gfx/pngcheck/pngcheck-3.0.2.ebuild | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
x86 done
amd64 done

all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db3577dba537c0ddde48f86fdce2d523acf14c4

commit 3db3577dba537c0ddde48f86fdce2d523acf14c4
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-02-22 03:10:00 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2021-02-22 03:10:00 +0000

    media-gfx/pngcheck: security cleanup (drop <3.0.2)

    Bug: https://bugs.gentoo.org/759013
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-gfx/pngcheck/Manifest | 1 -
 media-gfx/pngcheck/pngcheck-2.3.0.ebuild | 30 ------------------------------
 2 files changed, 31 deletions(-)
Package list is empty or all packages have requested keywords.