lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1GkpeK-0005E5-IR@mercury.mandriva.com>
Date: Thu, 16 Nov 2006 15:24:00 -0700
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDKSA-2006:209 ] - Updated libpng packages fix
	vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:209
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : libpng
 Date    : November 16, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Buffer overflow in the png_decompress_chunk function in pngrutil.c in
 libpng before 1.2.12 allows context-dependent attackers to cause a
 denial of service and possibly execute arbitrary code via unspecified
 vectors related to "chunk error processing," possibly involving the
 "chunk_name". (CVE-2006-3334)

 It is questionable whether this issue is actually exploitable, but the
 patch to correct the issue has been included in versions < 1.2.12.

 Tavis Ormandy, of the Gentoo Linux Security Auditing Team, discovered a
 typo in png_set_sPLT() that may cause an application using libpng to
 read out of bounds, resulting in a crash. (CVE-2006-5793)

 Packages have been patched to correct these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 45ad162b09535faffbcac12958fe49b6  2006.0/i586/libpng3-1.2.8-1.2.20060mdk.i586.rpm
 d606c712b0fe3cb2846aa6e7d055e734  2006.0/i586/libpng3-devel-1.2.8-1.2.20060mdk.i586.rpm
 2205db07f1fd59257fa7eada8c8f695d  2006.0/i586/libpng3-static-devel-1.2.8-1.2.20060mdk.i586.rpm 
 7b6c834aaf600fc44a64fa08cdd6961f  2006.0/SRPMS/libpng-1.2.8-1.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 f977af66ce569366e9a44e4c1a73b715  2006.0/x86_64/lib64png3-1.2.8-1.2.20060mdk.x86_64.rpm
 878c585798862bd39a27422252573213  2006.0/x86_64/lib64png3-devel-1.2.8-1.2.20060mdk.x86_64.rpm
 4220979712677c242d3e203650ff5236  2006.0/x86_64/lib64png3-static-devel-1.2.8-1.2.20060mdk.x86_64.rpm 
 7b6c834aaf600fc44a64fa08cdd6961f  2006.0/SRPMS/libpng-1.2.8-1.2.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 9906d24fb91a92049217263cf0128bfc  2007.0/i586/libpng3-1.2.12-2.2mdv2007.0.i586.rpm
 2d8452c09aca5596b29a1392aa250f2e  2007.0/i586/libpng3-devel-1.2.12-2.2mdv2007.0.i586.rpm
 38829f47379a45ecfcc9061078b24489  2007.0/i586/libpng3-static-devel-1.2.12-2.2mdv2007.0.i586.rpm 
 503559d5befe0d3b557422359ca2cb7a  2007.0/SRPMS/libpng-1.2.12-2.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 1a51b7fe5aabda61d420a573e5fe240e  2007.0/x86_64/lib64png3-1.2.12-2.2mdv2007.0.x86_64.rpm
 bb66b6392ad998e1e697c9cb1171687b  2007.0/x86_64/lib64png3-devel-1.2.12-2.2mdv2007.0.x86_64.rpm
 232a26557eb1069284ed5ada81492221  2007.0/x86_64/lib64png3-static-devel-1.2.12-2.2mdv2007.0.x86_64.rpm 
 503559d5befe0d3b557422359ca2cb7a  2007.0/SRPMS/libpng-1.2.12-2.2mdv2007.0.src.rpm

 Corporate 3.0:
 881d961819f17791dd2348c2b38153f7  corporate/3.0/i586/libpng3-1.2.5-10.7.C30mdk.i586.rpm
 87b087c74ba0466ee6a6aa487c6d7159  corporate/3.0/i586/libpng3-devel-1.2.5-10.7.C30mdk.i586.rpm
 5ae5cb1afdf63d50292a0d309f2789da  corporate/3.0/i586/libpng3-static-devel-1.2.5-10.7.C30mdk.i586.rpm 
 3ed80f4657a551ebfff3cb87912ee8bc  corporate/3.0/SRPMS/libpng-1.2.5-10.7.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 2ab9e03623fb035928ba711818742bd3  corporate/3.0/x86_64/lib64png3-1.2.5-10.7.C30mdk.x86_64.rpm
 dd2480239ee424f20a460fa2a087fcdf  corporate/3.0/x86_64/lib64png3-devel-1.2.5-10.7.C30mdk.x86_64.rpm
 43ea6b6e435e31978bc54495972e2828  corporate/3.0/x86_64/lib64png3-static-devel-1.2.5-10.7.C30mdk.x86_64.rpm 
 3ed80f4657a551ebfff3cb87912ee8bc  corporate/3.0/SRPMS/libpng-1.2.5-10.7.C30mdk.src.rpm

 Corporate 4.0:
 27c277f505d08abde9ba7ef6ec17123e  corporate/4.0/i586/libpng3-1.2.8-1.2.20060mlcs4.i586.rpm
 dc70e227da5ec0514d5056319f336076  corporate/4.0/i586/libpng3-devel-1.2.8-1.2.20060mlcs4.i586.rpm
 6d267d5422d0e3e9e2868398ed1c8864  corporate/4.0/i586/libpng3-static-devel-1.2.8-1.2.20060mlcs4.i586.rpm 
 462209b43657d92d6468b161eb779911  corporate/4.0/SRPMS/libpng-1.2.8-1.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 090b1f0b32a0b980681b35c8aec5f323  corporate/4.0/x86_64/lib64png3-1.2.8-1.2.20060mlcs4.x86_64.rpm
 96f0df2464cc042fc9fabfd3b1304d7a  corporate/4.0/x86_64/lib64png3-devel-1.2.8-1.2.20060mlcs4.x86_64.rpm
 818a20ce635900040bc7ff3a1b330e38  corporate/4.0/x86_64/lib64png3-static-devel-1.2.8-1.2.20060mlcs4.x86_64.rpm 
 462209b43657d92d6468b161eb779911  corporate/4.0/SRPMS/libpng-1.2.8-1.2.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 c2faf16ec4411b18adf61729e8cc285e  mnf/2.0/i586/libpng3-1.2.5-10.7.M20mdk.i586.rpm
 52c3ea1ea57c1574d66bc62dab0b3df6  mnf/2.0/i586/libpng3-devel-1.2.5-10.7.M20mdk.i586.rpm
 ba313a457f4647177ad33ba7fab48d4e  mnf/2.0/i586/libpng3-static-devel-1.2.5-10.7.M20mdk.i586.rpm 
 9cb65939c4d3165b2c806ae5b64cab08  mnf/2.0/SRPMS/libpng-1.2.5-10.7.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFXLdcmqjQ0CJFipgRAhDYAJ92K8724DBC+sLsJIxWCpyMCb32rACcDd5R
sgDMNY3YOYC5pPDKaAoviMM=
=vlRo
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ