Package name: libpng
Date: 2011-10-17
Advisory ID: MDVSA-2011:151
Affected versions: MES5 i586, MES5 x86_64, 2010.1 i586, 2010.1 x86_64

Problem description

Multiple vulnerabilities have been discovered and corrected in libpng:

The png_format_buffer function in pngerror.c in libpng allows
remote attackers to cause a denial of service (application crash)
via a crafted PNG image that triggers an out-of-bounds read during
the copying of error-message data. NOTE: this vulnerability exists
because of a CVE-2004-0421 regression (CVE-2011-2501).

Buffer overflow in libpng, when used by an application that calls the
png_rgb_to_gray function but not the png_set_expand function, allows
remote attackers to overwrite memory with an arbitrary amount of data,
and possibly have unspecified other impact, via a crafted PNG image
(CVE-2011-2690).

The png_err function in pngerror.c in libpng makes a function call
using a NULL pointer argument instead of an empty-string argument,
which allows remote attackers to cause a denial of service (application
crash) via a crafted PNG image (CVE-2011-2691). NOTE: This does not
affect the binary packages in Mandriva, but could affect users if
PNG_NO_ERROR_TEXT is defined using the libpng-source-1.?.?? package.

The png_handle_sCAL function in pngrutil.c in libpng does not properly
handle invalid sCAL chunks, which allows remote attackers to cause
a denial of service (memory corruption and application crash) or
possibly have unspecified other impact via a crafted PNG image that
triggers the reading of uninitialized memory (CVE-2011-2692).
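
The kind of up-front validation an sCAL payload needs before any field is used, shown as an added example (it is not libpng's code and not the Mandriva patch). The names scal_number_ok and scal_chunk_valid are hypothetical; the layout assumed is the one in the PNG specification: a unit byte, an ASCII width, a NUL separator, and an ASCII height, both numbers greater than zero.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not a libpng function): returns 1 if s[0..n) is a
 * positive ASCII floating-point number of the form
 * [+]digits[.digits][(e|E)[+|-]digits], else 0. */
static int scal_number_ok(const unsigned char *s, size_t n)
{
    size_t i = 0, digits = 0, nonzero = 0;

    if (i < n && s[i] == '+') i++;          /* '-' is rejected: must be > 0 */
    for (; i < n && s[i] >= '0' && s[i] <= '9'; i++, digits++)
        nonzero |= (s[i] != '0');
    if (i < n && s[i] == '.') {
        for (i++; i < n && s[i] >= '0' && s[i] <= '9'; i++, digits++)
            nonzero |= (s[i] != '0');
    }
    if (digits == 0 || !nonzero) return 0;  /* empty or zero mantissa */
    if (i < n && (s[i] == 'e' || s[i] == 'E')) {
        size_t exp_digits = 0;
        i++;
        if (i < n && (s[i] == '+' || s[i] == '-')) i++;
        for (; i < n && s[i] >= '0' && s[i] <= '9'; i++) exp_digits++;
        if (exp_digits == 0) return 0;      /* 'e' with no exponent digits */
    }
    return i == n;                          /* no trailing bytes allowed */
}

/* Hypothetical validator: data/len are the sCAL chunk payload exactly as
 * read from the file (len taken from the chunk header). Returns 1 if valid. */
int scal_chunk_valid(const unsigned char *data, size_t len)
{
    const unsigned char *sep;
    size_t wlen, hlen;

    if (data == NULL || len < 4) return 0;  /* unit + "1" + NUL + "1" */
    if (data[0] != 1 && data[0] != 2) return 0;   /* 1 = metre, 2 = radian */
    sep = memchr(data + 1, 0, len - 1);     /* search stays inside payload */
    if (sep == NULL) return 0;              /* no separator: height missing */
    wlen = (size_t)(sep - (data + 1));
    hlen = len - 2 - wlen;                  /* bytes after the separator */
    return scal_number_ok(data + 1, wlen) && scal_number_ok(sep + 1, hlen);
}
```

Every length here is derived from the chunk header's length, so an empty, truncated or separator-less chunk is rejected before any byte outside the payload is read.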

The updated packages have been patched to correct these issues.

Updated packages

MES5 i586

 2dc72977964282d6b9b71f02daf11875  mes5/i586/libpng3-1.2.31-2.4mdvmes5.2.i586.rpm
 3a7a29b3ce673a6023b2ebd69702de77  mes5/i586/libpng-devel-1.2.31-2.4mdvmes5.2.i586.rpm
 311e83f11ecca6e10492be05e93af450  mes5/i586/libpng-source-1.2.31-2.4mdvmes5.2.i586.rpm
 6e78659cd2132ab936672d26307508c3  mes5/i586/libpng-static-devel-1.2.31-2.4mdvmes5.2.i586.rpm 
 7716bbc53dbf07a4bcf647d19c872321  mes5/SRPMS/libpng-1.2.31-2.4mdvmes5.2.src.rpm

MES5 x86_64

 30fbcd1e778a334751efb67347896a74  mes5/x86_64/lib64png3-1.2.31-2.4mdvmes5.2.x86_64.rpm
 98f8b1bcae2ca325b95d84b03a8a21c3  mes5/x86_64/lib64png-devel-1.2.31-2.4mdvmes5.2.x86_64.rpm
 8388f578116a05c96b2ef54120b0966a  mes5/x86_64/lib64png-static-devel-1.2.31-2.4mdvmes5.2.x86_64.rpm
 e92d9e5a9d2cec26614e0073bf8772a4  mes5/x86_64/libpng-source-1.2.31-2.4mdvmes5.2.x86_64.rpm 
 7716bbc53dbf07a4bcf647d19c872321  mes5/SRPMS/libpng-1.2.31-2.4mdvmes5.2.src.rpm

2010.1 i586

 75cf5cc9e56f7cd3c621ea2ba8899df3  2010.1/i586/libpng3-1.2.43-1.2mdv2010.2.i586.rpm
 af2f3f6696d67efd19d2bf7cc30207da  2010.1/i586/libpng-devel-1.2.43-1.2mdv2010.2.i586.rpm
 5190271f8394e5114aeb3b9de6a679bc  2010.1/i586/libpng-source-1.2.43-1.2mdv2010.2.i586.rpm
 3d7b05502fd2c613f6e263c2bc4baf51  2010.1/i586/libpng-static-devel-1.2.43-1.2mdv2010.2.i586.rpm 
 4d26abf5f53ddfb40af4432b2ffe7215  2010.1/SRPMS/libpng-1.2.43-1.2mdv2010.2.src.rpm

2010.1 x86_64

 3a8041586d3f6a3666231ec9744efa30  2010.1/x86_64/lib64png3-1.2.43-1.2mdv2010.2.x86_64.rpm
 3baefc4e0b5f560382ef411349142810  2010.1/x86_64/lib64png-devel-1.2.43-1.2mdv2010.2.x86_64.rpm
 63db8d8b4313907f1b7d18ac4cf7c30f  2010.1/x86_64/lib64png-static-devel-1.2.43-1.2mdv2010.2.x86_64.rpm
 bb8d9ac1982ae3591e701f1e32193733  2010.1/x86_64/libpng-source-1.2.43-1.2mdv2010.2.x86_64.rpm 
 4d26abf5f53ddfb40af4432b2ffe7215  2010.1/SRPMS/libpng-1.2.43-1.2mdv2010.2.src.rpm
