Your message dated Wed, 06 Jul 2011 02:47:59 +0000
with message-id <e1qei9f-0005mp...@franck.debian.org>
and subject line Bug#632786: fixed in libpng 1.5.2-2
has caused the Debian Bug report #632786,
regarding CVE-2011-2501 libpng: regression of CVE-2004-0421 in 1.2.23+
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
632786: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632786
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpng
Tags: security patch
Severity: critical
https://bugzilla.redhat.com/show_bug.cgi?id=717084
Vincent Danen 2011-06-27 18:34:45 EDT
It was reported [1] that the fix for CVE-2004-0421 in libpng was
inadvertently reverted during the 1.2.23 development cycle. The
original flaw could be used to cause a denial of service via a
carefully-crafted PNG image.
This would affect all versions of libpng >=1.2.23, including 1.4.x and
1.5.x.
[1] http://sourceforge.net/mailarchive/forum.php?thread_name=BANLkTikrnU6FJNQYFvwmt78hwpgKPVRd1Q%40mail.gmail.com&forum_name=png-mng-implement
Vincent Danen 2011-06-27 18:43:19 EDT
Upstream fix is here:
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
Huzaifa S. Sidhpurwala 2011-06-28 23:44:56 EDT
This has been assigned CVE-2011-2501:
http://www.openwall.com/lists/oss-security/2011/06/28/16
--- End Message ---
--- Begin Message ---
Source: libpng
Source-Version: 1.5.2-2
We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:
libpng15-15-udeb_1.5.2-2_amd64.udeb
  to main/libp/libpng/libpng15-15-udeb_1.5.2-2_amd64.udeb
libpng15-15_1.5.2-2_amd64.deb
  to main/libp/libpng/libpng15-15_1.5.2-2_amd64.deb
libpng15-dev_1.5.2-2_amd64.deb
  to main/libp/libpng/libpng15-dev_1.5.2-2_amd64.deb
libpng_1.5.2-2.debian.tar.bz2
  to main/libp/libpng/libpng_1.5.2-2.debian.tar.bz2
libpng_1.5.2-2.dsc
  to main/libp/libpng/libpng_1.5.2-2.dsc
libpng_1.5.2.orig.tar.bz2
  to main/libp/libpng/libpng_1.5.2.orig.tar.bz2
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 632...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <ani...@debian.org> (supplier of updated libpng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 06 Jul 2011 11:27:05 +1000
Source: libpng
Binary: libpng15-15 libpng15-dev libpng15-15-udeb
Architecture: source amd64
Version: 1.5.2-2
Distribution: experimental
Urgency: low
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Anibal Monsalve Salazar <ani...@debian.org>
Description:
 libpng15-15 - PNG library - runtime
 libpng15-15-udeb - PNG library - minimal runtime library (udeb)
 libpng15-dev - PNG library - development
Closes: 632786
Changes:
 libpng (1.5.2-2) experimental; urgency=low
 .
   * Fix 1-byte uninitialized memory reference in png_format_buffer()
     Fix CVE-2011-2501
     Add debian/patches/02-632786-CVE-2011-2501.patch
     Closes: 632786
   * Pass "-Zbzip2 -z9" to dpkg-deb
   * Fix xc-package-type-in-debian-control
   * Fix debian-rules-missing-recommended-target
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---