A vulnerability has been reported in libpng, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused due to an error when processing 1-bit interlaced images. This can be exploited to disclose uninitialised memory via specially crafted images having widths that are not divisible by 8.
The vulnerability is reported in versions prior to 1.2.37.
Update to version 1.2.37.
base-system: Can we go stable with 1.2.37?
No one has complained about it, and usually broken libpng versions get noticed pretty quickly.
Arches, please test and mark stable:
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable on alpha.
Stable for HPPA.
libpng before 1.2.37 does not properly parse 1-bit interlaced images
with width values that are not divisible by 8, which causes libpng to
include uninitialized bits in certain rows of a PNG file and might
allow remote attackers to read portions of sensitive memory via
"out-of-bounds pixels" in the file.
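The preconditions named in the description above (1-bit depth, interlacing, width not divisible by 8) can all be read from a PNG's IHDR chunk, so files can be triaged without decoding them. The following is an added example, not part of the original bug thread or of libpng; the function names and sample headers are constructed for illustration, and a match only marks a file for closer review on hosts still running libpng before 1.2.37.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def parse_ihdr(data):
    """Return the IHDR fields as a dict; raise ValueError on a malformed header."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    if len(data) < 33:
        raise ValueError("truncated before end of IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    names = ("width", "height", "bit_depth", "color_type",
             "compression", "filter", "interlace")
    return dict(zip(names, struct.unpack(">IIBBBBB", body)))

def matches_advisory_preconditions(data):
    """True if the image is 1-bit, Adam7-interlaced, and width % 8 != 0."""
    h = parse_ihdr(data)
    return h["bit_depth"] == 1 and h["interlace"] == 1 and h["width"] % 8 != 0

def make_header(width, height, bit_depth, color_type, interlace):
    """Build signature + IHDR only (constructed sample input, no image data)."""
    body = struct.pack(">IIBBBBB", width, height, bit_depth,
                       color_type, 0, 0, interlace)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return (PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR"
            + body + struct.pack(">I", crc))

# Constructed sample headers covering each precondition separately.
SAMPLES = {
    "1-bit interlaced, width 13": make_header(13, 4, 1, 0, 1),
    "1-bit interlaced, width 16": make_header(16, 4, 1, 0, 1),
    "1-bit non-interlaced, width 13": make_header(13, 4, 1, 0, 0),
    "8-bit interlaced, width 13": make_header(13, 4, 8, 0, 1),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, "->", matches_advisory_preconditions(blob))
```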
GLSA Voting: NO.
I'd say YES.
... and drafted.
GLSA 200906-01, thanks everyone.