From Secunia: A vulnerability has been reported in libpng, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an error when processing 1-bit interlaced images. This can be exploited to disclose uninitialised memory via specially crafted images having widths that are not divisible by 8. The vulnerability is reported in versions prior to 1.2.37. Solution: Update to version 1.2.37.
base-system: Can we go stable with 1.2.37?
No one has complained about it, and usually broken libpng versions get noticed pretty quickly.
Arches, please test and mark stable: =media-libs/libpng-1.2.37 Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable on alpha.
Stable for HPPA.
x86 stable
arm/ia64/m68k/s390/sh/sparc stable
amd64 stable
CVE-2009-2042 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2042): libpng before 1.2.37 does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file.
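The CVE text above turns on two facts about packed PNG rows: at 1 bit per pixel a row occupies ceil(width/8) bytes, so a width not divisible by 8 leaves unused bits at the end of the last byte, and in an interlaced image each Adam7 pass works on a sub-row narrower than the full width. The following C program is an added illustration, not libpng code and not the upstream fix: it computes the per-pass sub-row widths, the packed row size and the count of padding bits, and shows the defensive step a packer needs, explicitly zeroing the padding bits so that stale buffer contents never reach the output. The Adam7 start/step constants come from the PNG specification; the 0xAA "stale memory" fill and the width of 13 are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Adam7 interlacing: x offset and x step of each of the seven passes
 * (constants from the PNG specification). */
static const uint32_t adam7_xstart[7] = {0, 4, 0, 2, 0, 1, 0};
static const uint32_t adam7_xstep[7]  = {8, 8, 4, 4, 2, 2, 1};

/* Pixels that Adam7 pass `pass` (0..6) contributes to one row of a
 * `width`-pixel image. A pass whose first column lies beyond the image
 * contributes nothing. */
uint32_t adam7_pass_width(uint32_t width, int pass)
{
    uint32_t xstart = adam7_xstart[pass], xstep = adam7_xstep[pass];
    if (width <= xstart)
        return 0;
    return (width - xstart + xstep - 1) / xstep;
}

/* Bytes needed for one packed row of `width` pixels at `bit_depth` bits
 * per pixel (1, 2, 4 or 8 for greyscale and palette images). */
size_t packed_row_bytes(uint32_t width, unsigned bit_depth)
{
    return ((size_t)width * bit_depth + 7) / 8;
}

/* Bits in the last byte of a packed row that carry no pixel data. Unless
 * they are cleared, whatever the buffer held before is emitted with the row. */
unsigned padding_bits(uint32_t width, unsigned bit_depth)
{
    return (unsigned)(packed_row_bytes(width, bit_depth) * 8
                      - (size_t)width * bit_depth);
}

/* Clear the padding bits of a packed row in place. PNG packs pixels
 * most-significant-bit first, so the padding is the low bits of the final
 * byte. Returns the number of bits cleared. */
unsigned zero_row_padding(uint8_t *row, uint32_t width, unsigned bit_depth)
{
    unsigned pad = padding_bits(width, bit_depth);
    if (pad == 0)
        return 0;
    size_t last = packed_row_bytes(width, bit_depth) - 1;
    row[last] &= (uint8_t)(0xFFu << pad);   /* keep only the pixel bits */
    return pad;
}

/* Fill a row buffer with `fill` (standing in for stale memory), clear the
 * padding, and return the last byte so the effect can be checked.
 * Rows wider than the 64-byte scratch buffer return 0. */
uint8_t last_byte_after_clear(uint32_t width, unsigned bit_depth, uint8_t fill)
{
    uint8_t row[64];
    size_t n = packed_row_bytes(width, bit_depth);
    if (n == 0 || n > sizeof row)
        return 0;
    memset(row, fill, n);                  /* constructed "uninitialised" content */
    zero_row_padding(row, width, bit_depth);
    return row[n - 1];
}

int main(void)
{
    const uint32_t width = 13;             /* constructed: not divisible by 8 */
    const unsigned depth = 1;

    printf("full row: %zu byte(s), %u padding bit(s)\n",
           packed_row_bytes(width, depth), padding_bits(width, depth));
    for (int pass = 0; pass < 7; pass++) {
        uint32_t w = adam7_pass_width(width, pass);
        printf("pass %d: %2u px -> %zu byte(s), %u padding bit(s)\n",
               pass + 1, w, packed_row_bytes(w, depth), padding_bits(w, depth));
    }
    printf("last byte with stale 0xAA, before clear: 0x%02X, after: 0x%02X\n",
           0xAA, last_byte_after_clear(width, depth, 0xAA));
    return 0;
}
```

For width 13 every pass except the 8-pixel-aligned ones ends with padding bits, and the stale 0xAA in the last byte becomes 0xA8 once the three low bits are cleared; a decoder or encoder that skips that step ships those bits to the consumer, which is the information-disclosure class the advisory describes.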
ppc64 done
ppc done
GLSA Voting: NO.
I'd say YES.
... and drafted.
GLSA 200906-01, thanks everyone.