Libpng: Multiple vulnerabilities
1. Gentoo Linux Security Advisory
Version Information
| Advisory Reference | GLSA 201010-01 / libpng |
| Release Date | October 05, 2010 |
| Latest Revision | October 15, 2012: 6 |
| Impact | normal |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
|---|---|---|---|
| media-libs/libpng | < 1.4.3 | >= 1.4.3, revision >= 1.2.46, revision >= 1.2.47, revision >= 1.2.49, revision >= 1.2.50 | All supported architectures |
Related bug reports: #307637, #324153, #335887
Synopsis
Multiple vulnerabilities in libpng might lead to privilege
escalation or a Denial of Service.
2. Impact Information
Background
libpng is a standard library used to process PNG (Portable Network
Graphics) images. It is used by several programs, including web browsers
and potentially server processes.
Description
Multiple vulnerabilities were found in libpng:
- The png_decompress_chunk() function in pngrutil.c does not properly
handle certain types of compressed data (CVE-2010-0205)
- A buffer overflow in pngread.c when the library is used by progressive
applications (CVE-2010-1205)
- A memory leak in pngrutil.c when dealing with certain types of
chunks (CVE-2010-2249)
Impact
An attacker could exploit these vulnerabilities to cause programs linked
against the library to crash or execute arbitrary code with the
permissions of the user running the vulnerable program, which could be
the root user.
3. Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All libpng 1.4 users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libpng-1.4.3"
All libpng 1.2 users should upgrade to the latest version:
Code Listing 3.2: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.46"
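Added example (not part of the Gentoo advisory): a Python check that evaluates a libpng version string against the vulnerable and unaffected ranges in the package table above, to decide whether one of the upgrades is needed. It assumes that a "revision >=" entry matches the same upstream version at that ebuild revision or later, and it accepts only plain dotted versions with an optional -rN suffix; the function names and sample versions are constructed for illustration.

```python
import re

# Ranges transcribed from the advisory's package table (media-libs/libpng).
VULNERABLE_BELOW = "1.4.3"
UNAFFECTED_AT_LEAST = "1.4.3"
# Assumption: a "revision >=" entry matches the same upstream version at that
# ebuild revision or a later one (for example 1.2.46 and 1.2.46-r1).
UNAFFECTED_REVISION_OF = ["1.2.46", "1.2.47", "1.2.49", "1.2.50"]


def parse_version(text):
    """Split '1.2.46-r1' into ((1, 2, 46), 1); the revision defaults to 0."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", text.strip())
    if match is None:
        raise ValueError(f"unsupported version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, int(match.group(2) or 0)


def is_affected(installed):
    """Return True if the version is vulnerable according to the table."""
    version = parse_version(installed)
    # Unaffected: anything at or above 1.4.3.
    if version >= parse_version(UNAFFECTED_AT_LEAST):
        return False
    # Unaffected: a listed 1.2.x version at the listed revision or later.
    for entry in UNAFFECTED_REVISION_OF:
        base, revision = parse_version(entry)
        if version[0] == base and version[1] >= revision:
            return False
    return version < parse_version(VULNERABLE_BELOW)


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real system.
    for sample in ["1.2.44", "1.2.46-r1", "1.2.48", "1.4.2", "1.4.3"]:
        state = "affected" if is_affected(sample) else "unaffected"
        print(f"media-libs/libpng-{sample}: {state}")
```

Version strings with suffixes such as _beta or _p are rejected with a ValueError instead of being guessed at.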