Your message dated Wed, 06 Jul 2011 00:18:31 +0000
with message-id <e1qefp1-00042v...@franck.debian.org>
and subject line Bug#632786: fixed in libpng 1.2.44-3
has caused the Debian Bug report #632786,
regarding CVE-2011-2501 libpng: regression of CVE-2004-0421 in 1.2.23+
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
632786: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632786
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpng
Tags: security patch
Severity: critical
https://bugzilla.redhat.com/show_bug.cgi?id=717084
Vincent Danen 2011-06-27 18:34:45 EDT
It was reported [1] that the fix for CVE-2004-0421 in libpng was
inadvertently reverted during the 1.2.23 development cycle. The
original flaw could be used to cause a denial of service via a
carefully-crafted PNG image.
This would affect all versions of libpng >=1.2.23, including 1.4.x and
1.5.x.
[1] http://sourceforge.net/mailarchive/forum.php?thread_name=BANLkTikrnU6FJNQYFvwmt78hwpgKPVRd1Q%40mail.gmail.com&forum_name=png-mng-implement
Vincent Danen 2011-06-27 18:43:19 EDT
Upstream fix is here:
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
Huzaifa S. Sidhpurwala 2011-06-28 23:44:56 EDT
This has been assigned CVE-2011-2501:
http://www.openwall.com/lists/oss-security/2011/06/28/16
--- End Message ---
--- Begin Message ---
Source: libpng
Source-Version: 1.2.44-3
We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:
libpng12-0-udeb_1.2.44-3_amd64.udeb
to main/libp/libpng/libpng12-0-udeb_1.2.44-3_amd64.udeb
libpng12-0_1.2.44-3_amd64.deb
to main/libp/libpng/libpng12-0_1.2.44-3_amd64.deb
libpng12-dev_1.2.44-3_amd64.deb
to main/libp/libpng/libpng12-dev_1.2.44-3_amd64.deb
libpng3_1.2.44-3_all.deb
to main/libp/libpng/libpng3_1.2.44-3_all.deb
libpng_1.2.44-3.debian.tar.bz2
to main/libp/libpng/libpng_1.2.44-3.debian.tar.bz2
libpng_1.2.44-3.dsc
to main/libp/libpng/libpng_1.2.44-3.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 632...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <ani...@debian.org> (supplier of updated libpng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 06 Jul 2011 10:04:32 +1000
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source all amd64
Version: 1.2.44-3
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Anibal Monsalve Salazar <ani...@debian.org>
Description:
libpng12-0 - PNG library - runtime
libpng12-0-udeb - PNG library - minimal runtime library (udeb)
libpng12-dev - PNG library - development
libpng3 - PNG library - runtime
Closes: 632786
Changes:
libpng (1.2.44-3) unstable; urgency=high
.
  * Fixed 1-byte uninitialized memory reference in png_format_buffer()
    Fix CVE-2011-2501
    Add debian/patches/02-632786-CVE-2011-2501.patch
    Closes: 632786
  * Standards version is 3.9.2
  * Fix xc-package-type-in-debian-control
  * Fix debian-rules-missing-recommended-target
Checksums-Sha1:
49e14bc89ca7649dcebb2d81da1ef33f8589f4a9 1815 libpng_1.2.44-3.dsc
2801ad232db78dae4b2cd86dc84c0607dc6e7eb1 15675 libpng_1.2.44-3.debian.tar.bz2
8f5d8b82be3d0eb9d7522ac2c7b5757d4321390b 902 libpng3_1.2.44-3_all.deb
3a8898ad9b217538aadc8458c0951e2bf3fedbde 180866 libpng12-0_1.2.44-3_amd64.deb
d369ef18a8cb6fdf1bd6cb210ddb5df49add8433 272692 libpng12-dev_1.2.44-3_amd64.deb
574912a423146742325d886d456223eb4813fe58 73910 libpng12-0-udeb_1.2.44-3_amd64.udeb
Checksums-Sha256:
57e965a3deb0845fa5887b9e3fd28eb3084c832ce98a2ca87e3ac4f9c1ee283a 1815 libpng_1.2.44-3.dsc
5d3959fcfa0a02c90c575b8d4401ff83db2bbad4bf5a9fc1f7e79c265756bca0 15675 libpng_1.2.44-3.debian.tar.bz2
1713f24a5f8c872786054bc8221c3efc440a22eb58e45a34043633cb4586bfa9 902 libpng3_1.2.44-3_all.deb
e5dae674f9bcc907125dfeb899527f686e070542342ef146cf9fd309c33561e4 180866 libpng12-0_1.2.44-3_amd64.deb
2b47fa8aaa202d82353b0f6d7535479aa3d446e9467c17b3091599269043554b 272692 libpng12-dev_1.2.44-3_amd64.deb
69d242724e41df21f40f56ec74c839a2ae65281b3232a0a18fe2ee7d593ac2d8 73910 libpng12-0-udeb_1.2.44-3_amd64.udeb
Files:
2e446d8b967a7dc6b1b9eddc4d3985f9 1815 libs optional libpng_1.2.44-3.dsc
98a527ea562ec4192eb99eec1dc964fa 15675 libs optional libpng_1.2.44-3.debian.tar.bz2
2495950052ff867fa4a6c4111a98515d 902 oldlibs optional libpng3_1.2.44-3_all.deb
927e7ec697a47bfb3ca8973830f06d15 180866 libs optional libpng12-0_1.2.44-3_amd64.deb
239f411629e2e3d243dea2f27ccb928f 272692 libdevel optional libpng12-dev_1.2.44-3_amd64.deb
71293936f931a2ca23e62ea53c3def94 73910 debian-installer extra libpng12-0-udeb_1.2.44-3_amd64.udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
=paTI
-----END PGP SIGNATURE-----
--- End Message ---