Your message dated Tue, 20 Jul 2010 01:55:51 +0000
with message-id <e1ob23j-0000pt...@franck.debian.org>
and subject line Bug#587670: fixed in libpng 1.2.27-2+lenny4
has caused the Debian Bug report #587670,
regarding libpng: CVE-2010-1205 and CVE-2010-2249
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
587670: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587670
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libpng
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libpng.
Upstream's announcement:
> Several versions of libpng through 1.4.2 (and through 1.2.43 in the older
> series) contain a bug whereby progressive applications such as web
> browsers (or the rpng2 demo app included in libpng) could receive an extra
> row of image data beyond the height reported in the header, potentially
> leading to an out-of-bounds write to memory (depending on how the
> application is written) and the possibility of execution of an attacker's
> code with the privileges of the libpng user.
For which CVE-2010-1205 was assigned.
> An additional memory-leak bug, involving images with malformed sCAL
> chunks, is also present; it could lead to an application crash (denial of
> service) when viewing such images.
CVE-2010-2249
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry. If possible, please provide packages for
stable (to be released via the security archive.)
Thanks!
For further information see:
http://www.libpng.org/pub/png/libpng.html
https://bugzilla.redhat.com/CVE-2010-2249
Could you also please investigate the following and tell us what your plans
are regarding it?
https://bugzilla.redhat.com/show_bug.cgi?id=608644#c10
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---
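The upstream announcement quoted above says the impact of the extra row depends on how the application is written: a progressive consumer that indexes its pixel buffer by the row number the library hands it, without checking that number against the header height, writes past the end of the buffer. The following is an added illustration (not libpng's code and not anything attached to this bug) of the application-side mitigation: a row sink that refuses any row the header did not promise, plus a constructed feeder that delivers one row too many, as the affected versions did. All type and function names here (`image_buf`, `store_row`, `feed_rows`, `demo_extra_row`) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical application-side state for an image being decoded
 * progressively (what a browser or the rpng2 demo would keep). */
typedef struct {
    uint32_t width;
    uint32_t height;
    size_t   rowbytes;        /* bytes per row, derived from the header */
    uint8_t *pixels;          /* height * rowbytes bytes */
    uint32_t rows_received;   /* rows accepted so far */
    uint32_t rows_rejected;   /* rows refused by the bounds check */
} image_buf;

/* Allocate the pixel buffer from header values, guarding the size
 * arithmetic so that width*channels and height*rowbytes cannot wrap. */
static int image_buf_init(image_buf *img, uint32_t width, uint32_t height, unsigned channels) {
    memset(img, 0, sizeof *img);
    if (width == 0 || height == 0 || channels == 0) return -1;
    if ((size_t)width > SIZE_MAX / channels) return -1;
    size_t rowbytes = (size_t)width * channels;
    if ((size_t)height > SIZE_MAX / rowbytes) return -1;
    img->pixels = calloc((size_t)height, rowbytes);
    if (img->pixels == NULL) return -1;
    img->width = width;
    img->height = height;
    img->rowbytes = rowbytes;
    return 0;
}

/* Row-callback body. The vulnerable pattern is
 *     memcpy(img->pixels + row_num * img->rowbytes, row, row_len);
 * with no check on row_num: an extra row beyond the header height lands
 * past the end of pixels. The hardened version rejects out-of-range rows
 * and rows whose length disagrees with the header before copying. */
static int store_row(image_buf *img, uint32_t row_num, const uint8_t *row, size_t row_len) {
    if (row == NULL) return 0; /* nothing delivered for this row; nothing to copy */
    if (row_num >= img->height || row_len != img->rowbytes) {
        img->rows_rejected++;
        return -1;
    }
    memcpy(img->pixels + (size_t)row_num * img->rowbytes, row, row_len);
    img->rows_received++;
    return 0;
}

/* Constructed stand-in for the library's row delivery: emits `extra` rows
 * beyond the header height, as the announcement describes. Returns the
 * number of rows the sink rejected. */
static uint32_t feed_rows(image_buf *img, uint32_t extra) {
    uint8_t *row = malloc(img->rowbytes);
    if (row == NULL) return 0;
    for (uint32_t r = 0; r < img->height + extra; r++) {
        memset(row, (int)(r & 0xffu), img->rowbytes);
        store_row(img, r, row, img->rowbytes);
    }
    free(row);
    return img->rows_rejected;
}

static void image_buf_free(image_buf *img) {
    free(img->pixels);
    img->pixels = NULL;
}

/* Run one decode of a width x height RGB image with `extra` surplus rows
 * and report how many rows were rejected (UINT32_MAX if setup failed). */
static uint32_t demo_extra_row(uint32_t width, uint32_t height, uint32_t extra) {
    image_buf img;
    if (image_buf_init(&img, width, height, 3) != 0) return UINT32_MAX;
    uint32_t rejected = feed_rows(&img, extra);
    image_buf_free(&img);
    return rejected;
}

int main(void) {
    /* 4x3 RGB image, library delivers 4 rows: the last one must be refused */
    printf("rejected rows: %u\n", demo_extra_row(4, 3, 1));
    return 0;
}
```

The check is deliberately placed in the consumer rather than relying on the library: the library fix closes the bug in libpng itself, but a consumer that validates `row_num` against its own header-derived height stays correct whatever version of the library it is linked against.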
--- Begin Message ---
Source: libpng
Source-Version: 1.2.27-2+lenny4
We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:
libpng12-0-udeb_1.2.27-2+lenny4_i386.udeb
to main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny4_i386.udeb
libpng12-0_1.2.27-2+lenny4_i386.deb
to main/libp/libpng/libpng12-0_1.2.27-2+lenny4_i386.deb
libpng12-dev_1.2.27-2+lenny4_i386.deb
to main/libp/libpng/libpng12-dev_1.2.27-2+lenny4_i386.deb
libpng3_1.2.27-2+lenny4_all.deb
to main/libp/libpng/libpng3_1.2.27-2+lenny4_all.deb
libpng_1.2.27-2+lenny4.diff.gz
to main/libp/libpng/libpng_1.2.27-2+lenny4.diff.gz
libpng_1.2.27-2+lenny4.dsc
to main/libp/libpng/libpng_1.2.27-2+lenny4.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 587...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated libpng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 17 Jul 2010 12:03:12 +0200
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source i386 all
Version: 1.2.27-2+lenny4
Distribution: stable-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description:
libpng12-0 - PNG library - runtime
libpng12-0-udeb - PNG library - minimal runtime library (udeb)
libpng12-dev - PNG library - development
libpng3 - PNG library - runtime
Closes: 587670
Changes:
libpng (1.2.27-2+lenny4) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed CVE-2010-1205: Buffer overflow in pngpread.c (Closes: #587670)
* Fixed CVE-2010-2249: Memory leak in pngrutil.c
Checksums-Sha1:
a7a77a986f3e797dcd0e55874320ab1164b1663b 1201 libpng_1.2.27-2+lenny4.dsc
6c739cb8c0679c8b9bc8ce51ec062be5b165cd62 21437 libpng_1.2.27-2+lenny4.diff.gz
9605bbb1af7ed997df40846cf189be686d4a6b0f 166290 libpng12-0_1.2.27-2+lenny4_i386.deb
5d1dbc062ff5da9c20fba049e4263e0520f4a161 245468 libpng12-dev_1.2.27-2+lenny4_i386.deb
2780fa284affbbe0980432bac700fe8a28f0ba50 886 libpng3_1.2.27-2+lenny4_all.deb
7d3f39d36c7a42d66a73157dfb8fe12172aeda50 70118 libpng12-0-udeb_1.2.27-2+lenny4_i386.udeb
Checksums-Sha256:
ad04ae77cd05a5d123da213fa7da9d55f5c8dfb5537ff0afe9c58e2203252b05 1201 libpng_1.2.27-2+lenny4.dsc
b300bff9f0e0dc6b4a13242d163ff885f4c085603fe5cd2f4707a2633a6a0234 21437 libpng_1.2.27-2+lenny4.diff.gz
9d9ee710696c4f1fec13efc6e4fa5b1d7981314fd649570a82f65e343f487366 166290 libpng12-0_1.2.27-2+lenny4_i386.deb
dd0ec37f356e8129929ff18b008c527e5c4b9f6391625948b0cce4ce1c8e5db3 245468 libpng12-dev_1.2.27-2+lenny4_i386.deb
70603045e8f30c61d39be0eb8155fd91e68084298f4cde34d9c22f0a3c87990d 886 libpng3_1.2.27-2+lenny4_all.deb
36619c44f9cdd4390b3eae3c7e294cce613a474785c5340a417e81a6df4041f9 70118 libpng12-0-udeb_1.2.27-2+lenny4_i386.udeb
Files:
518a1f5c30a115dcb732e7499a2cef96 1201 libs optional libpng_1.2.27-2+lenny4.dsc
43e68a174233314cf49bb204abdd29b6 21437 libs optional libpng_1.2.27-2+lenny4.diff.gz
70c41d2feb2aff02be6154cea7cec1f4 166290 libs optional libpng12-0_1.2.27-2+lenny4_i386.deb
8b6e9b5424a8991c05734f90b00182a2 245468 libdevel optional libpng12-dev_1.2.27-2+lenny4_i386.deb
94643952b104a6f231ed7d710e2ae95d 886 oldlibs optional libpng3_1.2.27-2+lenny4_all.deb
e7c845ff2e87dc1dc2849ecac4428aa4 70118 debian-installer extra libpng12-0-udeb_1.2.27-2+lenny4_i386.udeb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkxBgZwACgkQNxpp46476arwDgCeNY/lY9b7X3RcfwnmoEDDDF6w
N9UAoICeJB3r9UTyfzOtfPj9HOrN60Sq
=Cn5k
-----END PGP SIGNATURE-----
--- End Message ---