** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Libpng-1.2.34 ADVISORY
19 February 2009

A vulnerability has been reported in libpng-1.2.34. The bug is of the form

    malloc an array of N elements
    for (i=0; i<N; i++)
        malloc element[i];

If the application runs out of memory during the loop, some of the element pointers will be uninitialized. Libpng will then longjmp to a cleanup process that attempts to free all of the elements in the array, including the uninitialized ones. This behavior could be forced by a malevolent input.

There are 5 instances of the bug in libpng-1.2.34. One is in "png_read_png()". Only applications that explicitly call png_read_png() are vulnerable. Another is in the handler for the pCAL chunk. Any application that does not disable pCAL chunk handling via a call to "set_keep_unknown_chunks()" is vulnerable. Three others are in code that sets up 16-bit gamma tables. All applications are probably vulnerable to these, even if they use png_set_strip_16() to reduce 16-bit input to 8 bits, because of the order in which libpng does its transformations.

In fact, all versions since libpng-0.89c contain at least the 16-bit gamma-table bugs, and all versions since libpng-1.0.6 contain the png_read_png() bug. The pCAL decoding bug has existed since libpng-0.96.

The PNG group recommends upgrading to libpng-1.0.43 or libpng-1.2.35. For persons wishing to continue using older versions, we are providing a patch along with the new libpng distributions that will work against versions 1.0.19 through 1.0.42 and 1.2.9 through 1.2.34. Anyone wishing to use still older libpng versions will have to modify the patch slightly.
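The allocate-then-free-all pattern the advisory describes, shown here as an added illustration rather than libpng's own code: the pointer array is zeroed before the per-element loop, and a fault-injecting allocator (constructed for this example, with the assumed names test_malloc/test_free and the globals calls_until_fail/live_blocks) drives the out-of-memory path so the cleanup can be checked for leaks without ever touching an uninitialized pointer.

```c
#include <stdlib.h>
#include <string.h>

/* Fault-injecting allocator (constructed for this example): returns NULL
 * once calls_until_fail reaches 0; live_blocks counts unfreed blocks. */
static int calls_until_fail = -1;   /* -1 = never fail */
static int live_blocks = 0;

static void *test_malloc(size_t n) {
    if (calls_until_fail == 0)
        return NULL;
    if (calls_until_fail > 0)
        calls_until_fail--;
    live_blocks++;
    return malloc(n);
}

static void test_free(void *p) {
    if (p == NULL)
        return;   /* freeing NULL is a no-op; freeing garbage is not */
    live_blocks--;
    free(p);
}

/* Cleanup walks every slot; safe only because unused slots hold NULL. */
static void free_rows(unsigned char **rows, int n) {
    for (int i = 0; i < n; i++)
        test_free(rows[i]);
    test_free(rows);
}

/* Hardened form of the advisory's pattern: zero the pointer array before
 * the per-element loop so cleanup after a mid-loop failure never reaches
 * an uninitialized pointer. Returns 0 on success, -1 after full cleanup. */
int alloc_rows(int n, size_t rowbytes, unsigned char ***out) {
    unsigned char **rows = test_malloc((size_t)n * sizeof(*rows));
    if (rows == NULL)
        return -1;
    memset(rows, 0, (size_t)n * sizeof(*rows));   /* the fix */
    for (int i = 0; i < n; i++) {
        rows[i] = test_malloc(rowbytes);
        if (rows[i] == NULL) {       /* stands in for libpng's longjmp */
            free_rows(rows, n);
            return -1;
        }
    }
    *out = rows;
    return 0;
}
```

With the memset removed, the failure path would free whatever garbage the unallocated slots happen to hold, which is the crash the advisory describes.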
This is already out. vapier, you're fast as hell again. OK for fast-tracked stabling today, or do you want to give it one more test run?
I'm not going to do any extended testing ... might as well let the arch testers give it a spin
Arches, please test and mark stable: =media-libs/libpng-1.2.35 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
ppc64 done
Stable on alpha.
arm/ia64/s390/sh/sparc/x86 stable
Did anyone check if optipng (includes libpng 1.2.33) is affected as well?
ppc stable
amd64 stable
GLSA together with bug 244808.
GLSA 200903-28