Hello,

Please consider updating libpng in stable.

Best Regards,
Aníbal Monsalve Salazar
--
http://v7w.com/anibal
--- Begin Message ---
- To: Anibal Monsalve Salazar <anibal@debian.org>
- Subject: Bug#424729: marked as done (libpng: CVE-2007-2445 VU#684664: a grayscale image with a malformed tRNS chunk crashes libpng and mozilla)
- From: owner@bugs.debian.org (Debian Bug Tracking System)
- Date: Thu, 17 May 2007 00:48:10 +0000
- Message-id: <handler.424729.D424729.11793628348749.ackdone@bugs.debian.org>
- References: <E1HoU91-0000xp-0b@ries.debian.org> <20070517000247.GO20882@debianrules.debiancolombia.org>
Your message dated Thu, 17 May 2007 00:47:03 +0000 with message-id <E1HoU91-0000xp-0b@ries.debian.org> and subject line Bug#424729: fixed in libpng 1.2.15~beta5-2 has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: libpng: CVE-2007-2445 VU#684664: a grayscale image with a malformed tRNS chunk crashes libpng and mozilla
- From: Aníbal Monsalve Salazar <anibal@debian.org>
- Date: Thu, 17 May 2007 10:02:47 +1000
- Message-id: <20070517000247.GO20882@debianrules.debiancolombia.org>
Package: libpng
Severity: serious
Tags: patch security

CVE-2007-2445
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2445

CERT Vulnerability Note VU#684664
http://www.kb.cert.org/vuls/id/684664

It seems that a grayscale image with a malformed (bad CRC) tRNS chunk will crash libpng and mozilla.

The following patch fixes this problem:

--- pngrutil.c 2006-12-08 12:21:12.000000000 +1100 +++ pngrutil.c 2007-05-09 17:19:54.000000000 +1000 @@ -1314,7 +1314,10 @@ } if (png_crc_finish(png_ptr, 0)) + { + png_ptr->num_trans = 0; return; + } png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, &(png_ptr->trans_values));

Aníbal Monsalve Salazar
--
http://v7w.com/anibal

Attachment: signature.asc
Description: Digital signature
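Review bot: the `png_ptr->num_trans = 0;` reset covers only the bad-CRC return after `png_crc_finish(png_ptr, 0)`, which is the right place for the case this report describes: `png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, ...)` is passed a num_trans that was evidently filled in before the CRC was verified, so a chunk discarded here would otherwise leave a non-zero count behind with no transparency data ever committed. Any other early `return;` in png_handle_tRNS that sits between the point where num_trans is assigned and this png_crc_finish() call needs the same reset, and the hunk context does not show whether such paths exist; worth confirming against the full function before upload. A one-line changelog note saying why num_trans is cleared on the CRC-failure path would also help the next person who touches this block.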
--- End Message ---
--- Begin Message ---
- To: 424729-close@bugs.debian.org
- Subject: Bug#424729: fixed in libpng 1.2.15~beta5-2
- From: Anibal Monsalve Salazar <anibal@debian.org>
- Date: Thu, 17 May 2007 00:47:03 +0000
- Message-id: <E1HoU91-0000xp-0b@ries.debian.org>
Source: libpng
Source-Version: 1.2.15~beta5-2

We believe that the bug you reported is fixed in the latest version of libpng, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.15~beta5-2_i386.udeb
  to pool/main/libp/libpng/libpng12-0-udeb_1.2.15~beta5-2_i386.udeb
libpng12-0_1.2.15~beta5-2_i386.deb
  to pool/main/libp/libpng/libpng12-0_1.2.15~beta5-2_i386.deb
libpng12-dev_1.2.15~beta5-2_i386.deb
  to pool/main/libp/libpng/libpng12-dev_1.2.15~beta5-2_i386.deb
libpng3_1.2.15~beta5-2_all.deb
  to pool/main/libp/libpng/libpng3_1.2.15~beta5-2_all.deb
libpng_1.2.15~beta5-2.diff.gz
  to pool/main/libp/libpng/libpng_1.2.15~beta5-2.diff.gz
libpng_1.2.15~beta5-2.dsc
  to pool/main/libp/libpng/libpng_1.2.15~beta5-2.dsc

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 424729@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 09 May 2007 17:34:02 +1000
Source: libpng
Binary: libpng12-dev libpng12-0 libpng12-0-udeb libpng3
Architecture: source i386 all
Version: 1.2.15~beta5-2
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description:
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Closes: 424729
Changes:
 libpng (1.2.15~beta5-2) unstable; urgency=high
 .
   * It seems that a grayscale image with a malformed (bad CRC) tRNS chunk
     will crash libpng and mozilla. Closes: #424729.
     - CVE-2007-2445
       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2445
     - CERT Vulnerability Note VU#684664
       http://www.kb.cert.org/vuls/id/684664
Files:
 6d2757d15e97d59208d022a6af57eafe 721 libs optional libpng_1.2.15~beta5-2.dsc
 d3370d82d4405825c18a2049f48ca2e4 14392 libs optional libpng_1.2.15~beta5-2.diff.gz
 35963925bcfe06e90205cd5e8fd221a0 186534 libs optional libpng12-0_1.2.15~beta5-2_i386.deb
 e8c6269c88d58e42d0cfded17c807183 170838 libdevel optional libpng12-dev_1.2.15~beta5-2_i386.deb
 938c98310339773a295aac070a47f3a8 884 oldlibs optional libpng3_1.2.15~beta5-2_all.deb
 55867140aec4986f8da84be6da46dab7 67514 debian-installer extra libpng12-0-udeb_1.2.15~beta5-2_i386.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGS6KpipBneRiAKDwRAui1AJ4xkoDJePYT0iLgVFjOrgxyY2BaEgCgkqtu
sOnu3pVg7tsf31WgTKCGibE=
=95fq
-----END PGP SIGNATURE-----
--- End Message ---
--- End Message ---
Attachment: signature.asc
Description: Digital signature
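As an added example (my own code, not libpng's and not part of this bug thread), the C program below constructs a 1x1 grayscale PNG whose tRNS chunk carries a deliberately wrong CRC, walks the chunks in the same order as png_handle_tRNS (transparency state written before the CRC is checked), and shows the reader state left behind with and without the reset the patch adds. The names png_state, put_chunk, build_test_png, handle_tRNS, read_png and demo_state are invented stand-ins for the libpng internals, the image bytes are constructed in the program rather than taken from a real crash file, and the fixed flag stands for the patched behaviour; nothing here calls libpng.

```c
/* Added example (not libpng code, not from the bug report): a minimal PNG chunk
 * walker reproducing the state problem the patch addresses.  Names are invented
 * stand-ins for png_ptr/png_handle_tRNS/png_crc_finish; the image is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static const uint8_t PNG_SIG[8] = {137, 'P', 'N', 'G', 13, 10, 26, 10};
#define BE32(p) (((uint32_t)(p)[0] << 24) | ((uint32_t)(p)[1] << 16) | ((uint32_t)(p)[2] << 8) | (p)[3])

/* CRC-32 as specified by the PNG standard (same polynomial libpng uses). */
static uint32_t png_crc32(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Append one chunk: length, type, data, CRC over type+data.  corrupt_crc flips
 * one bit of the stored CRC, which is the "malformed (bad CRC)" condition. */
static size_t put_chunk(uint8_t *out, const char type[4], const uint8_t *data,
                        uint32_t len, int corrupt_crc)
{
    memcpy(out + 4, type, 4);
    if (len) memcpy(out + 8, data, len);
    uint32_t crc = png_crc32(out + 4, 4 + len) ^ (corrupt_crc ? 1u : 0u);
    for (int i = 0; i < 4; i++) {           /* big-endian length and CRC fields */
        out[i] = (uint8_t)(len >> (24 - 8 * i));
        out[8 + len + i] = (uint8_t)(crc >> (24 - 8 * i));
    }
    return 12 + len;
}

/* Constructed test image: 1x1, 8-bit grayscale, with a 2-byte tRNS chunk. */
static size_t build_test_png(uint8_t *out, int corrupt_trns_crc)
{
    const uint8_t ihdr[13] = {0,0,0,1, 0,0,0,1, 8, 0 /* gray */, 0, 0, 0};
    const uint8_t trns[2] = {0x00, 0x7f};
    size_t n = 8; memcpy(out, PNG_SIG, 8);
    n += put_chunk(out + n, "IHDR", ihdr, 13, 0);
    n += put_chunk(out + n, "tRNS", trns, 2, corrupt_trns_crc);
    n += put_chunk(out + n, "IEND", NULL, 0, 0);
    return n;
}

struct png_state {    /* stand-in for the png_ptr fields the handler mutates */
    int color_type;   /* from IHDR; 0 = grayscale */
    int num_trans;    /* transparency entries the reader believes it holds */
    int committed;    /* set only once the chunk passed its CRC (png_set_tRNS) */
};

/* Same ordering as png_handle_tRNS: num_trans is written before the CRC is
 * checked.  fixed=1 applies the Bug#424729 change on the bad-CRC path. */
static int handle_tRNS(struct png_state *st, uint32_t len, int crc_ok, int fixed)
{
    if (st->color_type != 0 || len != 2) return 0;   /* grayscale case only */
    st->num_trans = 1;
    if (!crc_ok) {
        if (fixed) st->num_trans = 0;  /* the patch: undo the partial state */
        return 0;                      /* chunk discarded, as after png_crc_finish() */
    }
    st->committed = 1;
    return 1;
}

/* Walk the chunk stream; returns chunks seen, or -1 if the stream is malformed. */
static int read_png(const uint8_t *p, size_t n, int fixed, struct png_state *st)
{
    memset(st, 0, sizeof *st);
    if (n < 8 || memcmp(p, PNG_SIG, 8) != 0) return -1;
    size_t off = 8; int chunks = 0;
    while (off + 12 <= n) {
        uint32_t len = BE32(p + off);
        if (len > n - off - 12) return -1;
        const uint8_t *type = p + off + 4, *data = p + off + 8;
        int crc_ok = png_crc32(type, 4 + len) == BE32(data + len);
        if (!memcmp(type, "IHDR", 4) && len == 13) st->color_type = data[9];
        else if (!memcmp(type, "tRNS", 4)) handle_tRNS(st, len, crc_ok, fixed);
        off += 12 + len; chunks++;
    }
    return chunks;
}

/* State left behind after parsing the constructed image: num_trans*10 + committed. */
static int demo_state(int fixed, int corrupt_crc)
{
    uint8_t buf[128]; struct png_state st;
    if (read_png(buf, build_test_png(buf, corrupt_crc), fixed, &st) != 3) return -1;
    return st.num_trans * 10 + st.committed;
}

int main(void)
{
    printf("bad CRC: unpatched=%02d patched=%02d; good CRC: %02d\n",
           demo_state(0, 1), demo_state(1, 1), demo_state(1, 0));
    return 0;
}
```

demo_state packs the two fields of interest into one number: with the bad-CRC image the unpatched path leaves num_trans set with nothing committed (10), the patched path leaves a clean zero, and a correct CRC commits the chunk (11). The point the program makes is the one the patch makes: a rejected chunk must not leave behind state that was written before its CRC was verified.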