
[linux-security] remote compromise due to libpng bug



Topic
=====
remote compromise due to buffer overflow in libpng

Problem Description
===================
The libpng library provides functions to encode, decode and
manipulate Portable Network Graphics (PNG) image files.
Because some loop offset values are calculated incorrectly, a buffer
overflow can occur. The overflow can lead to denial of service or
even to remote compromise.

After updating libpng, all applications that use libpng should be
restarted, since running processes keep the old library loaded until
they are restarted. Because many applications are linked with libpng,
it may be necessary to switch to runlevel S and back to the previous
runlevel, or even to reboot the system.
To get an idea of how many rpm packages depend on libpng, you
can run (not as root) "rpm -e --test libpng".
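
To see which running processes still need the restart described above,
the following script lists every process that still maps a libpng file
that was replaced on disk. It is an added example, not part of the
original advisory; the PROC_ROOT override, the function names and the
sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the advisory): find processes that still map
# the libpng copy that a package upgrade replaced on disk.
# Run as root to be able to read the maps of all processes.

# stale_libpng_in_maps FILE
# True if FILE (/proc/<pid>/maps format) maps a libpng shared object whose
# file was unlinked; the kernel marks such mappings with " (deleted)".
stale_libpng_in_maps() {
    grep -Eq '/libpng[^/]*\.so[^/]* \(deleted\)$' "$1" 2>/dev/null
}

# stale_libpng_pids [PROC_ROOT]
# Prints "PID NAME" for each process that still needs a restart.
stale_libpng_pids() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        if stale_libpng_in_maps "$dir/maps"; then
            name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null)
            echo "${dir##*/} ${name:-?}"
        fi
    done
}

# make_sample_proc DIR
# Builds a constructed /proc-like tree (sample data, not real output):
#   101 maps the replaced libpng, 102 maps the new one,
#   103 maps a different replaced library and must not be reported.
make_sample_proc() {
    mkdir -p "$1/101" "$1/102" "$1/103"
    printf 'Name:\tgimp\n'  > "$1/101/status"
    printf 'Name:\txterm\n' > "$1/102/status"
    printf 'Name:\tsshd\n'  > "$1/103/status"
    echo '40017000-40038000 r-xp 00000000 03:02 4711 /usr/lib/libpng.so.2 (deleted)' \
        > "$1/101/maps"
    echo '40017000-40038000 r-xp 00000000 03:02 4800 /usr/lib/libpng.so.2' \
        > "$1/102/maps"
    echo '40017000-40020000 r-xp 00000000 03:02 4900 /lib/libz.so.1 (deleted)' \
        > "$1/103/maps"
}

# Scan the live system; PROC_ROOT is a hypothetical override for testing.
stale_libpng_pids "${PROC_ROOT:-/proc}"
```

Programs that were statically linked against libpng do not show up in
this list and have to be rebuilt against the patched library.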

Affected Versions
=================
All libpng versions up to 1.2.5

Solution
========
Upgrade to the patched version for your distribution:

RedHat 6.2
----------
rpm -Fvh libpng-1.0.14-0.6x.4.i386.rpm libpng-devel-1.0.14-0.6x.4.i386.rpm

RedHat 7.0
----------
rpm -Fvh libpng-1.0.14-0.70.2.i386.rpm libpng-devel-1.0.14-0.70.2.i386.rpm

RedHat 7.1, 7.2, 7.3
--------------------
rpm -Fvh libpng-1.0.14-0.7x.4.i386.rpm libpng-devel-1.0.14-0.7x.4.i386.rpm

RedHat 8.0
----------
rpm -Fvh libpng-1.2.2-8.i386.rpm \
         libpng-devel-1.2.2-8.i386.rpm \
         libpng10-1.0.13-6.i386.rpm \
         libpng10-devel-1.0.13-6.i386.rpm

SuSE-7.1
--------
rpm -Fvh libpng-2.1.0.8-17.i386.rpm

SuSE-7.2
--------
rpm -Fvh libpng-2.1.0.10-57.i386.rpm

SuSE-7.3, 8.0
-------------
rpm -Fvh libpng-2.1.0.12-160.i386.rpm

SuSE-8.1
--------
rpm -Fvh libpng-1.2.4-58.i586.rpm

Debian 2.2 (potato)
-------------------
upgrade to libpng2_1.0.5-1.1_i386.deb, libpng2-dev_1.0.5-1.1_i386.deb

Debian 3.0 (woody)
------------------
upgrade to libpng2_1.0.12-3.woody.3_i386.deb, 
           libpng2-dev_1.0.12-3.woody.3_i386.deb,
           libpng3_1.2.1-1.1.woody.3_i386.deb,
           libpng-dev_1.2.1-1.1.woody.3_i386.deb

Mandrake 7.2
------------
rpm -Fvh libpng-1.0.8-2.2mdk.i586.rpm libpng-devel-1.0.8-2.2mdk.i586.rpm

Mandrake 8.0
------------
rpm -Fvh libpng-1.0.9-1.2mdk.i586.rpm libpng-devel-1.0.9-1.2mdk.i586.rpm

Mandrake 8.1
------------
rpm -Fvh libpng-1.0.12-2.2mdk.i586.rpm libpng-devel-1.0.12-2.2mdk.i586.rpm

Mandrake 8.2, 9.0
-----------------
rpm -Fvh libpng3-1.2.4-3.2mdk.i586.rpm \
         libpng3-devel-1.2.4-3.2mdk.i586.rpm \
         libpng3-static-devel-1.2.4-3.2mdk.i586.rpm