From Secunia security advisory at $URL:
The vulnerability is caused due to an off-by-one error in the "png_formatted_warning()" function (pngerror.c) and can be exploited to corrupt stack-based memory.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in versions 1.5.4 through 1.5.7.
Update to version 1.5.8.
(In reply to comment #0)
> Update to version 1.5.8.
In portage since yesterday. Can be stabilized.
Arches, please test and mark stable:
Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
ppc64 stable, all arches done
Added to existing GLSA request.
This issue was resolved and addressed in
GLSA 201206-15 at http://security.gentoo.org/glsa/glsa-201206-15.xml
by GLSA coordinator Sean Amoss (ackle).
Off-by-one error in the png_formatted_warning function in pngerror.c in
libpng 1.5.4 through 1.5.7 might allow remote attackers to cause a denial of
service (application crash) and possibly execute arbitrary code via
unspecified vectors, which trigger a stack-based buffer overflow.