Your message dated Wed, 03 Mar 2010 06:33:02 +0000
with message-id <e1nmi8k-00059l...@ries.debian.org>
and subject line Bug#572308: fixed in libpng 1.2.43-1
has caused the Debian Bug report #572308,
regarding CVE-2010-0205 VU#576029 libpng stalls on highly compressed ancillary chunks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
572308: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572308
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpng
Version: 1.2.42-2
Severity: serious
Tags: security
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
https://www.kb.cert.org/vuls/id/576029
libpng stalls on highly compressed ancillary chunks
Libpng stalls and consumes large quantities of memory while processing
certain Portable Network Graphics (PNG) files.
When processing PNG files containing highly compressed ancillary chunks,
the png_decompress_chunk() function in libpng can consume large amounts
of CPU time and memory. This resource consumption may hang applications
that use libpng. More information is available in the PNG Development
Group security advisory and supplementary document, Defending Libpng
Applications Against Decompression Bombs.
This vulnerability could allow an unauthenticated, remote attacker to
cause a denial of service.
http://libpng.sourceforge.net/decompression_bombs.html
Libpng provides functions to limit memory consumption and number of
cached ancillary chunks. Applications that use libpng should use these
functions to set appropriate limits. Please see defense #2 in the
document Defending Libpng Applications Against Decompression Bombs (see
web page above) for more information.
Developers who build versions of libpng can choose to ignore ancillary
chunks by defining specific preprocessor macros. Please see defense #3
in the document Defending Libpng Applications Against Decompression
Bombs (see web page above) for more information.
--- End Message ---
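Defense #2 in the report above relies on limits the application sets through libpng. As an added illustration (not code from the bug report, from CERT or from libpng itself), the C below applies the same two limits, a cap on the number of ancillary chunks and on the bytes one chunk may carry, as an application-side pre-screen over the raw chunk stream before anything is inflated. libpng's own entry points for this, named here from its API rather than from this page, are png_set_chunk_cache_max() and png_set_chunk_malloc_max(); the budget values and the chunk-building helper are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Application-side budget applied before decoding, mirroring what defense #2 sets
 * through libpng (cached ancillary chunk count, per-chunk memory). Constructed values. */
#define MAX_ANCILLARY_CHUNKS 8
#define MAX_ANCILLARY_BYTES  65536u
enum screen_result { SCREEN_OK, SCREEN_BAD_FORMAT, SCREEN_TOO_MANY_ANCILLARY, SCREEN_ANCILLARY_TOO_BIG };
static const unsigned char png_sig[8] = {137, 80, 78, 71, 13, 10, 26, 10};
static uint32_t be32(const unsigned char *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Walk the chunk stream without inflating anything. A chunk is ancillary when bit 5 of its
 * first type byte is set (lowercase letter: zTXt, iTXt, iCCP, sPLT ...). Only declared
 * lengths are examined; CRCs and zlib streams are left to the real decoder. */
enum screen_result screen_png(const unsigned char *buf, size_t len) {
    size_t off = 8, n_anc = 0;
    if (len < 8 || memcmp(buf, png_sig, 8) != 0) return SCREEN_BAD_FORMAT;
    while (off + 12 <= len) {                          /* length + type + crc */
        uint32_t clen = be32(buf + off);
        const unsigned char *type = buf + off + 4;
        if (clen > 0x7fffffffu || clen > len - off - 12) return SCREEN_BAD_FORMAT;
        if (memcmp(type, "IEND", 4) == 0) return SCREEN_OK;
        if (type[0] & 0x20) {
            if (++n_anc > MAX_ANCILLARY_CHUNKS) return SCREEN_TOO_MANY_ANCILLARY;
            if (clen > MAX_ANCILLARY_BYTES) return SCREEN_ANCILLARY_TOO_BIG;
        }
        off += 12 + (size_t)clen;
    }
    return SCREEN_BAD_FORMAT;                          /* no IEND: truncated */
}

/* Test helper: append a chunk of zeroed data with a placeholder CRC (constructed bytes
 * shaped like PNG chunks, not a decodable image). */
static size_t put_chunk(unsigned char *out, size_t off, const char *type, size_t dlen) {
    unsigned char hdr[4] = {(unsigned char)(dlen >> 24), (unsigned char)(dlen >> 16), (unsigned char)(dlen >> 8), (unsigned char)dlen};
    memcpy(out + off, hdr, 4);
    memcpy(out + off + 4, type, 4);
    memset(out + off + 8, 0, dlen + 4);
    return off + 12 + dlen;
}

/* Build a buffer with n zTXt chunks of ztxt_len bytes each and screen it. */
enum screen_result screen_constructed(size_t n_ztxt, size_t ztxt_len) {
    static unsigned char buf[1 << 18];
    size_t off = 8, i;
    memcpy(buf, png_sig, 8);
    off = put_chunk(buf, off, "IHDR", 13);
    for (i = 0; i < n_ztxt; i++) off = put_chunk(buf, off, "zTXt", ztxt_len);
    off = put_chunk(buf, off, "IDAT", 16);
    off = put_chunk(buf, off, "IEND", 0);
    return screen_png(buf, off);
}
```

A file rejected here never reaches png_decompress_chunk(), which is the point of the check; in-library limits still apply for callers that decode untrusted input through other paths.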
--- Begin Message ---
Source: libpng
Source-Version: 1.2.43-1
We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:
libpng12-0-udeb_1.2.43-1_amd64.udeb
to main/libp/libpng/libpng12-0-udeb_1.2.43-1_amd64.udeb
libpng12-0_1.2.43-1_amd64.deb
to main/libp/libpng/libpng12-0_1.2.43-1_amd64.deb
libpng12-dev_1.2.43-1_amd64.deb
to main/libp/libpng/libpng12-dev_1.2.43-1_amd64.deb
libpng3_1.2.43-1_all.deb
to main/libp/libpng/libpng3_1.2.43-1_all.deb
libpng_1.2.43-1.debian.tar.bz2
to main/libp/libpng/libpng_1.2.43-1.debian.tar.bz2
libpng_1.2.43-1.dsc
to main/libp/libpng/libpng_1.2.43-1.dsc
libpng_1.2.43.orig.tar.bz2
to main/libp/libpng/libpng_1.2.43.orig.tar.bz2
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 572...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <ani...@debian.org> (supplier of updated libpng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Wed, 03 Mar 2010 16:44:47 +1100
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source all amd64
Version: 1.2.43-1
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Anibal Monsalve Salazar <ani...@debian.org>
Description:
libpng12-0 - PNG library - runtime
libpng12-0-udeb - PNG library - minimal runtime library (udeb)
libpng12-dev - PNG library - development
libpng3 - PNG library - runtime
Closes: 572308
Changes:
libpng (1.2.43-1) unstable; urgency=high
.
* New upstream release
* Fix CVE-2010-0205 and Cert VU#576029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
https://www.kb.cert.org/vuls/id/576029
Do not stall and consume large quantities of memory while processing
certain Portable Network Graphics (PNG) files
Closes: 572308
Checksums-Sha1:
Checksums-Sha256:
Files:
Package-Type: udeb
--- End Message ---