From ${URL} : http://sourceforge.net/p/libpng/bugs/199/ Use CVE-2013-7353 for "png_set_unknown_chunks in libpng/pngset.c ... Fixed in libpng-1.5.14beta08" ("has four integer overflow bugs" is apparently a typo of "has one integer overflow bug") Use CVE-2013-7354 for "The png_set_sPLT() and png_set_text_2() functions have a similar bug, which is fixed in libpng-1.5.14rc03" -- this has a different discoverer. The vendor mentions that internal calls use safe values. These issues could potentially affect applications that use the libpng API. Apparently no such applications were identified as part of the work on bug 199. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
From http://sourceforge.net/p/png-mng/mailman/message/32215052/ :"libpng10, 12, and 14 were not affected. Libpng15, 16, and 17beta were fixed in January 2013." The corrected versions are libpng-1.5.14 and libpng-1.6.0 as per http://sourceforge.net/p/libpng/bugs/199/ Both of these are already stabilized for later versions and cleaned up in current tree. Added to existing GLSA request.
CVE-2013-7354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7354): Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow. CVE-2013-7353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7353): Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.
This issue was resolved and addressed in GLSA 201408-06 at http://security.gentoo.org/glsa/glsa-201408-06.xml by GLSA coordinator Mikle Kolyada (Zlogene).