Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 272970 (CVE-2009-2042) - <media-libs/libpng-1.2.37: Information disclosure (CVE-2009-2042)
Summary: <media-libs/libpng-1.2.37: Information disclosure (CVE-2009-2042)
Status: RESOLVED FIXED
Alias: CVE-2009-2042
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/35346/
Whiteboard: A4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-06 20:12 UTC by Alex Legler (RETIRED)
Modified: 2009-06-27 23:58 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-06 20:12:44 UTC 
From Secunia:

A vulnerability has been reported in libpng, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an error when processing 1-bit interlaced images. This can be exploited to disclose uninitialised memory via specially crafted images having widths that are not divisible by 8.

The vulnerability is reported in versions prior to 1.2.37.

Solution:
Update to version 1.2.37.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-06 20:13:15 UTC 
base-system: Can we go stable with 1.2.37?
Comment 2 SpanKY gentoo-dev 2009-06-06 21:27:47 UTC 
no one has complained about it and usually broken libpng versions get noticed pretty quickly
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-06-07 12:59:50 UTC 
Arches, please test and mark stable:
=media-libs/libpng-1.2.37
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2009-06-07 16:22:27 UTC 
Stable on alpha.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2009-06-07 18:59:31 UTC 
Stable for HPPA.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-08 20:28:35 UTC 
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-06-10 14:16:31 UTC 
arm/ia64/m68k/s390/sh/sparc stable
Comment 8 Markus Meier gentoo-dev 2009-06-10 19:06:07 UTC 
amd64 stable
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-13 09:20:18 UTC 
CVE-2009-2042 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2042):
  libpng before 1.2.37 does not properly parse 1-bit interlaced images
  with width values that are not divisible by 8, which causes libpng to
  include uninitialized bits in certain rows of a PNG file and might
  allow remote attackers to read portions of sensitive memory via
  "out-of-bounds pixels" in the file.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-06-16 19:21:18 UTC 
ppc64 done
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-06-21 14:07:57 UTC 
ppc done
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-21 14:15:48 UTC 
GLSA Voting: NO.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-21 18:41:46 UTC 
I'd say YES.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-21 18:42:03 UTC 
... and drafted.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-27 23:58:16 UTC 
GLSA 200906-01, thanks everyone.