Summary: media-libs/libpng-1.2.37: Information disclosure (CVE-2009-2042)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Description Alex Legler (RETIRED) 2009-06-06 20:12:44 UTC
From Secunia: A vulnerability has been reported in libpng, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an error when processing 1-bit interlaced images. This can be exploited to disclose uninitialised memory via specially crafted images having widths that are not divisible by 8. The vulnerability is reported in versions prior to 1.2.37. Solution: Update to version 1.2.37.
Comment 1 Alex Legler (RETIRED) 2009-06-06 20:13:15 UTC
base-system: Can we go stable with 1.2.37?
Comment 2 SpanKY 2009-06-06 21:27:47 UTC
no one has complained about it and usually broken libpng versions get noticed pretty quickly
Comment 3 Robert Buchholz (RETIRED) 2009-06-07 12:59:50 UTC
Arches, please test and mark stable: =media-libs/libpng-1.2.37
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Tobias Klausmann 2009-06-07 16:22:27 UTC
Stable on alpha.
Comment 5 Jeroen Roovers (RETIRED) 2009-06-07 18:59:31 UTC
Stable for HPPA.
Comment 6 Christian Faulhammer (RETIRED) 2009-06-08 20:28:35 UTC
Comment 7 Raúl Porcel (RETIRED) 2009-06-10 14:16:31 UTC
Comment 8 Markus Meier 2009-06-10 19:06:07 UTC
Comment 9 Alex Legler (RETIRED) 2009-06-13 09:20:18 UTC
CVE-2009-2042 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2042): libpng before 1.2.37 does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file.
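The "out-of-bounds pixels" in the CVE text can only live in one place: when the bit depth is below 8 and a row's pixel count is not a multiple of the pixels per byte, the last byte of the row has spare low bits past the image edge. A libpng that leaks uninitialised memory into those bits leaves a fingerprint in any PNG it writes. The following is an added example, not code from the bug report or from libpng: it builds a constructed 1-bit interlaced sample (the `build_1bit_png` helper and its `padding_fill` parameter are assumptions for the demo; the fill stands in for leaked memory) and then scans a PNG, pass by pass, reporting rows whose padding bits are nonzero. The scan goes slightly beyond the advisory's case: it checks every Adam7 pass row, so narrow pass rows are caught even when the full image width is divisible by 8. Because the PNG specification leaves the contents of those bits unspecified, a nonzero value is a heuristic indicator rather than proof of a leak; well-behaved encoders write zeros there.

```python
import struct
import zlib

# Adam7 passes as (x_start, y_start, x_step, y_step); a non-interlaced image is one pass.
ADAM7 = [(0, 0, 8, 8), (4, 0, 8, 8), (0, 4, 4, 8), (2, 0, 4, 4),
         (0, 2, 2, 4), (1, 0, 2, 2), (0, 1, 1, 2)]
SINGLE = [(0, 0, 1, 1)]
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def pass_geometry(width, height, xs, ys, xstep, ystep):
    """(pixels per row, rows) of one pass; zero when the pass is empty."""
    return (width - xs + xstep - 1) // xstep, (height - ys + ystep - 1) // ystep


def _chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_1bit_png(width, height, interlaced=True, padding_fill=0x00):
    """Constructed sample (assumption for this demo): 1-bit greyscale checkerboard,
    rows filtered with Sub (type 1).  padding_fill is ORed into the unused low bits
    of each row's last byte, standing in for memory a leaky encoder would emit there."""
    raw = bytearray()
    for xs, ys, xstep, ystep in (ADAM7 if interlaced else SINGLE):
        pw, ph = pass_geometry(width, height, xs, ys, xstep, ystep)
        if pw <= 0 or ph <= 0:
            continue
        rowbytes = (pw + 7) // 8
        pad_mask = (1 << (rowbytes * 8 - pw)) - 1
        for r in range(ph):
            row = bytearray(rowbytes)
            for x in range(pw):
                if (x + r) % 2:
                    row[x // 8] |= 0x80 >> (x % 8)
            row[-1] |= padding_fill & pad_mask
            sub = bytes((row[i] - (row[i - 1] if i else 0)) & 0xFF for i in range(rowbytes))
            raw += b"\x01" + sub
    ihdr = struct.pack(">IIBBBBB", width, height, 1, 0, 0, 0, 1 if interlaced else 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b""))


def unfilter(ftype, cur, prev, bpp=1):
    """Reverse one PNG scanline filter (types 0-4); prev is the reconstructed row above."""
    out = bytearray(cur)
    for i in range(len(cur)):
        a = out[i - bpp] if i >= bpp else 0      # left neighbour (already reconstructed)
        b = prev[i]                              # byte above
        c = prev[i - bpp] if i >= bpp else 0     # byte above-left
        if ftype == 4:                           # Paeth
            p = a + b - c
            pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
            pred = a if pa <= pb and pa <= pc else (b if pb <= pc else c)
        elif 0 <= ftype <= 3:                    # None, Sub, Up, Average
            pred = (0, a, b, (a + b) // 2)[ftype]
        else:
            raise ValueError("bad filter type %d" % ftype)
        out[i] = (cur[i] + pred) & 0xFF
    return out


def find_nonzero_padding(png):
    """Return [(pass, row, padding_bits)] for rows whose bits past the image edge are set.
    Only bit depths below 8 (greyscale or palette) have padding bits; the spec leaves
    them unspecified, so a nonzero value is a heuristic, not proof of a leak."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, ihdr, idat = 8, None, b""
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            ihdr = data
        elif ctype == b"IDAT":
            idat += data
        pos += 12 + length
    width, height, depth, color, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
    if depth >= 8 or color not in (0, 3):
        raise ValueError("no padding bits at this depth/colour type")
    raw = zlib.decompress(idat)
    findings, off = [], 0
    for pidx, (xs, ys, xstep, ystep) in enumerate(ADAM7 if interlace == 1 else SINGLE):
        pw, ph = pass_geometry(width, height, xs, ys, xstep, ystep)
        if pw <= 0 or ph <= 0:
            continue
        rowbytes = (pw * depth + 7) // 8
        pad_mask = (1 << (rowbytes * 8 - pw * depth)) - 1
        prev = bytearray(rowbytes)
        for r in range(ph):
            prev = unfilter(raw[off], raw[off + 1:off + 1 + rowbytes], prev)
            off += 1 + rowbytes
            if prev[-1] & pad_mask:
                findings.append((pidx, r, prev[-1] & pad_mask))
    if off != len(raw):
        raise ValueError("IDAT length does not match IHDR geometry")
    return findings
```

Running `find_nonzero_padding` on a 13x5 interlaced sample built with `padding_fill=0` returns an empty list, while the same geometry built with `padding_fill=0xFF` flags all eleven pass rows (every Adam7 pass of a 13-pixel-wide image has a partial last byte). For a real triage the scanner is pointed at PNGs written by an application linked against a pre-1.2.37 libpng; consistent nonzero padding across rows is the signal worth following up, since a single stray bit is within what the specification permits.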
Comment 10 Brent Baude (RETIRED) 2009-06-16 19:21:18 UTC
Comment 11 Brent Baude (RETIRED) 2009-06-21 14:07:57 UTC
Comment 12 Alex Legler (RETIRED) 2009-06-21 14:15:48 UTC
GLSA Voting: NO.
Comment 13 Tobias Heinlein (RETIRED) 2009-06-21 18:41:46 UTC
I'd say YES.
Comment 14 Tobias Heinlein (RETIRED) 2009-06-21 18:42:03 UTC
... and drafted.
Comment 15 Tobias Heinlein (RETIRED) 2009-06-27 23:58:16 UTC
GLSA 200906-01, thanks everyone.