lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1WjnYW-00071l-F4@titan.mandriva.com>
Date: Mon, 12 May 2014 12:34:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2014:084 ] libpng

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:084
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libpng
 Date    : May 12, 2014
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Updated libpng packages fix security vulnerabilities:
 
 An integer overflow leading to a heap-based buffer overflow was found
 in the png_set_sPLT() and png_set_text_2() API functions of libpng. An
 attacker could create a specially-crafted image file and render it
 with an application written to explicitly call png_set_sPLT() or
 png_set_text_2() function, could cause libpng to crash or execute
 arbitrary code with the permissions of the  user running such an
 application (CVE-2013-7353).
 
 An integer overflow leading to a heap-based buffer overflow was found
 in the png_set_unknown_chunks() API function of libpng. An attacker
 could create a specially-crafted image file and render it with an
 application written to explicitly call png_set_unknown_chunks()
 function, could cause libpng to crash or execute arbitrary code
 with the permissions of the user running such an application
 (CVE-2013-7354).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7353
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7354
 http://advisories.mageia.org/MGASA-2014-0210.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 fba91d4dddfd5d97a53ac99cd3239522  mes5/i586/libpng3-1.2.31-2.9mdvmes5.2.i586.rpm
 5803ea66067570f58b5f394b1ea0b589  mes5/i586/libpng-devel-1.2.31-2.9mdvmes5.2.i586.rpm
 8bc59955b0acacaccb3c5f4e1ad52a58  mes5/i586/libpng-source-1.2.31-2.9mdvmes5.2.i586.rpm
 11f50bdcc6275afb49c97a408436633a  mes5/i586/libpng-static-devel-1.2.31-2.9mdvmes5.2.i586.rpm 
 ef40175e407503eb8f0a84cd3a090f24  mes5/SRPMS/libpng-1.2.31-2.9mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 e3171643a5f238734daced0dbfbfd488  mes5/x86_64/lib64png3-1.2.31-2.9mdvmes5.2.x86_64.rpm
 0a3ec8069a2f49e52b4f13953eb24ab0  mes5/x86_64/lib64png-devel-1.2.31-2.9mdvmes5.2.x86_64.rpm
 6e6fbb43962cb5d7f00ce2f0cefd0359  mes5/x86_64/lib64png-static-devel-1.2.31-2.9mdvmes5.2.x86_64.rpm
 d4df933db37f851959157ed255ec0a8d  mes5/x86_64/libpng-source-1.2.31-2.9mdvmes5.2.x86_64.rpm 
 ef40175e407503eb8f0a84cd3a090f24  mes5/SRPMS/libpng-1.2.31-2.9mdvmes5.2.src.rpm

 Mandriva Business Server 1/X86_64:
 039c39aa6d27e04b12a3aea331f6ec23  mbs1/x86_64/lib64png12_0-1.2.49-2.2.mbs1.x86_64.rpm
 d83f241ecfa8afd4e1c0e2c98f6c49df  mbs1/x86_64/lib64png12-devel-1.2.49-2.2.mbs1.x86_64.rpm
 7a168efd8963ec20538609119b81415c  mbs1/x86_64/lib64png15_15-1.5.10-2.2.mbs1.x86_64.rpm
 e81d8861af09789367f1e8164ee8009d  mbs1/x86_64/lib64png-devel-1.5.10-2.2.mbs1.x86_64.rpm 
 9fe79406a7c17f9c475e734fd2c6a859  mbs1/SRPMS/libpng12-1.2.49-2.2.mbs1.src.rpm
 ce17e2ddbe2025384cb3f32395589196  mbs1/SRPMS/libpng-1.5.10-2.2.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTcHeImqjQ0CJFipgRApNjAKCWkzVeiocL23s04OZBtyTf7vNj+QCgxv7S
SZu0h8tDlu6gO6sgquBcHgY=
=+T41
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ