Bug 494948 (CVE-2013-6954) - <media-libs/libpng-1.6.8: unhandled zero-length PLTE chunk or NULL palette (CVE-2013-6954)
Summary: <media-libs/libpng-1.6.8: unhandled zero-length PLTE chunk or NULL palette (C...
Status: RESOLVED FIXED
Alias: CVE-2013-6954
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-21 13:37 UTC by Agostino Sarubbo
Modified: 2014-01-24 14:33 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-12-21 13:37:38 UTC
From ${URL} :

libpng 1.6.8 was released [1] and notes the following fix:

Handle zero-length PLTE chunk or NULL palette with png_error() instead of png_chunk_report(), which 
by default issues a warning rather than an error, leading to later reading from a NULL pointer 
(png_ptr->palette) in png_do_expand_palette(). This is CVE-2013-6954 and VU#650142.

The git commit to fix is available [3].

[1] http://sourceforge.net/projects/libpng/files/libpng16/1.6.8/Gnupg/
[2] http://www.kb.cert.org/vuls/id/650142
[3] http://sourceforge.net/p/libpng/code/ci/1faa6ff32c648acfe3cf30a58d31d7aebc24968c


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2013-12-21 16:06:10 UTC
1.6.8 is now in Portage with a fix to this, but since this never affected the 1.5.x series, which is the current stable, there is no stabilization required at this time.

so I believe this should be closed as resolved, fixed now?
Comment 2 Agostino Sarubbo gentoo-dev 2013-12-21 16:12:11 UTC
(In reply to Samuli Suominen from comment #1)
> so I believe this should be closed as resolved, fixed now?

Yes, thanks.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-01-24 14:33:40 UTC
CVE-2013-6954 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6954):
  The png_do_expand_palette function in libpng before 1.6.8 allows remote
  attackers to cause a denial of service (NULL pointer dereference and
  application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette,
  related to pngrtran.c and pngset.c.
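
Added example, not code from libpng or from this bug report: a pre-parse check that a service handling untrusted PNGs could run to flag the zero-length PLTE chunk named in the CVE text before the file reaches a libpng older than 1.6.8. It goes beyond that one case by also flagging PLTE lengths that are not 1 to 256 RGB triples and indexed-colour images with no PLTE before IDAT; `check_plte`, `make_sample` and the `plte_status` values are hypothetical names, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum plte_status { PLTE_OK, PLTE_NOT_PNG, PLTE_TRUNCATED, PLTE_ZERO_LENGTH, PLTE_BAD_LENGTH, PLTE_MISSING };
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
/* Walk chunks (length, type, data, CRC) up to the first IDAT or IEND. CRCs are not verified. */
enum plte_status check_plte(const uint8_t *buf, size_t len) {
    size_t off = 8;
    int color_type = -1, seen_plte = 0;
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return PLTE_NOT_PNG;
    while (len - off >= 12) {
        const uint8_t *p = buf + off;
        uint32_t clen = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
        if (clen > len - off - 12) return PLTE_TRUNCATED;    /* data runs past the buffer */
        if (memcmp(p + 4, "IHDR", 4) == 0 && clen == 13) {
            color_type = p[8 + 9];                            /* colour type byte of IHDR */
        } else if (memcmp(p + 4, "PLTE", 4) == 0) {
            if (clen == 0) return PLTE_ZERO_LENGTH;           /* case (1) in the CVE text */
            if (clen % 3 != 0 || clen > 768) return PLTE_BAD_LENGTH;  /* 1..256 RGB triples */
            seen_plte = 1;
        } else if (memcmp(p + 4, "IDAT", 4) == 0 || memcmp(p + 4, "IEND", 4) == 0) {
            break;                                            /* PLTE must precede IDAT */
        }
        off += 12 + (size_t)clen;
    }
    return (color_type == 3 && !seen_plte) ? PLTE_MISSING : PLTE_OK;  /* type 3 = indexed colour */
}

/* Constructed sample (max plte_len 7); CRCs are zero, so it is scanner input, not a decodable image. */
size_t make_sample(uint8_t out[64], int plte_len) {
    static const uint8_t ihdr[25] = {0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 8, 3};
    size_t n = 33;                                  /* signature (8) + IHDR chunk (25) */
    memset(out, 0, 64);
    memcpy(out, PNG_SIG, 8);
    memcpy(out + 8, ihdr, 25);
    if (plte_len >= 0) {                            /* plte_len < 0 omits the chunk */
        out[n + 3] = (uint8_t)plte_len;
        memcpy(out + n + 4, "PLTE", 4);
        n += 12 + (size_t)plte_len;
    }
    memcpy(out + n + 4, "IEND", 4);
    return n + 12;
}

int main(void) {
    uint8_t buf[64];
    for (int l = -1; l <= 4; l++) printf("PLTE length %d -> status %d\n", l, (int)check_plte(buf, make_sample(buf, l)));
    return 0;
}
```

A file that returns anything other than `PLTE_OK` can be rejected or quarantined before decoding; upgrading to libpng 1.6.8 or later remains the fix.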