From the Mandrake advisory (http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:063):

A buffer overflow vulnerability was discovered in libpng due to a wrong calculation of some loop offset values. This buffer overflow can lead to Denial of Service or even remote compromise. This vulnerability was initially patched in January of 2003, but it has since been noted that fixes were required in two additional places that had not been corrected with the earlier patch.

The OpenPKG advisory (http://www.openpkg.org/security/OpenPKG-SA-2004.030-png.html) lists several other affected packages:

<= doxygen-1.3.7-20040507 (app-doc/doxygen)
<= ghostscript-8.14-20040604 (app-text/ghostscript)
<= kde-qt-3.2.3-20040429 (?)
<= pdflib-5.0.3-20040625 (media-libs/pdflib)
<= perl-tk-5.8.4-20040622 (dev-perl/perl-tk)
<= qt-3.3.2-20040615 (x11-libs/qt)
<= rrdtool-1.0.48-20040513 (net-analyzer/rrdtool)
<= tetex-2.0.2-20040429 (app-text/tetex)
<= wx-2.4.2-20040425 (?)

I don't know which of them really include a vulnerable copy of libpng...
Created attachment 34898: Mandrake patch for CAN-2002-1363

Mandrake and OpenPKG talk about "2 additional places" where a fix is required to solve CAN-2002-1363. Here is the Mandrake patch (OpenPKG uses the same). Note that the PNG team did not issue a corrected patch; the one at http://www.libpng.org/pub/png/src/libpng-1.2.5-patch2-pngrtran.CAN-2002-1363.diff is still incomplete. We should merge this patch into the Gentoo patch.
Mike: you did the last cleanups on this, could you apply the patch and bump?
version bumped to 1.2.5-r7 and made stable for all arches since -r6 was stable and the patch changes very little
We probably don't have any other vulnerable package (since we link dynamically to libpng) so this is ready for a GLSA.
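The two open questions in this thread are which of the OpenPKG-listed packages carry their own copy of libpng and whether a dynamically linked consumer is covered by the libpng bump alone. The script below is an added example, not part of the bug thread or of any Gentoo tooling, for answering that on an installed system: a statically linked or bundled libpng leaves its version banner (assumed here to be of the form "libpng version 1.2.5 - ...", which libpng embeds as a string constant) inside the consumer binary, while a dynamically linked consumer shows libpng only in its `ldd` output and is fixed by the library bump. The sample files it classifies are constructed inline so it runs offline; the function names and the exact banner format are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread): tell bundled/static libpng copies
# apart from dynamic consumers, since only the former need their own rebuild
# after a libpng security bump.

# Print 1 if the file contains an embedded libpng version banner, else 0.
# Non-printable bytes are turned into newlines first so grep sees plain text
# regardless of the binary content around the string.
has_bundled_libpng() {
    if LC_ALL=C tr -c '[:print:]' '\n' < "$1" \
        | grep -q -E 'libpng version [0-9]+\.[0-9]+\.[0-9]+'; then
        echo 1
    else
        echo 0
    fi
}

# Print the first embedded libpng version number (e.g. 1.2.5), or "none".
bundled_libpng_version() {
    v=$(LC_ALL=C tr -c '[:print:]' '\n' < "$1" \
        | sed -n 's/.*libpng version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo none; fi
}

# Print "dynamic" if ldd reports a libpng dependency, "static-or-none" otherwise.
# Only meaningful for real ELF binaries; the constructed demo files below
# are not ELF, so ldd reports nothing for them.
links_libpng_dynamically() {
    if command -v ldd >/dev/null 2>&1 && ldd "$1" 2>/dev/null | grep -q 'libpng'; then
        echo dynamic
    else
        echo static-or-none
    fi
}

# One-line verdict per file: a bundled copy needs its own rebuild, a dynamic
# consumer is covered by the libpng bump.
classify() {
    f=$1
    if [ "$(has_bundled_libpng "$f")" = 1 ]; then
        echo "$f: bundled libpng $(bundled_libpng_version "$f") (rebuild needed)"
    else
        echo "$f: no embedded libpng; $(links_libpng_dynamically "$f") (covered by libpng bump)"
    fi
}

# Constructed sample "binaries" for an offline demo; not real Gentoo files.
demo_dir=$(mktemp -d)
printf 'junk\000libpng version 1.2.5 - October 3, 2002\000more\000' > "$demo_dir/bundled.bin"
printf 'junk\000png_read_info\000libpng12.so.0\000more\000' > "$demo_dir/dynamic.bin"

classify "$demo_dir/bundled.bin"
classify "$demo_dir/dynamic.bin"
```

On a real box the same functions can be run over `/usr/bin/*`, `/usr/lib/*.so*` and the files owned by each package in the list above; a hit in `has_bundled_libpng` means that package ships its own pngrtran.c and needs the Mandrake fix applied to it separately, whereas a `dynamic` result means the -r7 libpng bump already covers it. Note that `libpng12.so.0` appearing in the second sample is only a shared-object name (a dynamic dependency), not a version banner, so it correctly does not count as a bundled copy.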
GLSA drafted: security please review
GLSA 200407-06