Security Advisory Updated libpng packages fix buffer overflow

Advisory: RHSA-2003:006-10
Type: Security Advisory
Severity: N/A
Issued on: 2003-01-15
Last updated on: 2003-01-15
Affected Products: Red Hat Linux 6.2
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
Red Hat Linux 8.0
OVAL: N/A
CVEs (cve.mitre.org): CVE-2002-1363

Details

Updated libpng packages are available that fix a buffer overflow vulnerability.

[Updated 15 Jan 2003]
Advisory updated to include libpng10 packages for Red Hat Linux 8.0.
libpng10 contains compatibility libraries used to run binaries that were
linked dynamically with libpng 1.0.x.

The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files. PNG
is a bit-mapped graphics format similar to the GIF format.

Unpatched versions of libpng 1.2.1 and earlier do not correctly calculate
offsets, which leads to a buffer overflow and the possibility of arbitrary
code execution. This could be exploited by an attacker creating a
carefully crafted PNG file which could execute arbitrary code when the
victim views it.

Packages within Red Hat Linux, such as Mozilla, make use of the shared
libpng library. Therefore, all users are advised to upgrade to the errata
packages. For Red Hat Linux 8.0 the packages contain libpng 1.2.2 which is
not vulnerable to this issue. For Red Hat Linux 6.2, 7, 7.1, 7.2 and 7.3
the packages contain libpng 1.0.14 with a backported patch that corrects
this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 6.2
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/libpng-1.0.14-0.6x.4.src.rpm
Missing file		     81be743693b70221bc3d539279a4c2dc
 
IA-32:
ftp://updates.redhat.com/6.2/en/os/i386/libpng-1.0.14-0.6x.4.i386.rpm
Missing file		     dc976ce0f9f5a0e6afacf87978e10fdd
ftp://updates.redhat.com/6.2/en/os/i386/libpng-devel-1.0.14-0.6x.4.i386.rpm
Missing file		     f16e83385b2c4d512eefba519504a44e
 
Red Hat Linux 7.0
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/libpng-1.0.14-0.70.2.src.rpm
Missing file		     65fde055efb4caeca9c847f2b5036a78
 
IA-32:
ftp://updates.redhat.com/7.0/en/os/i386/libpng-1.0.14-0.70.2.i386.rpm
Missing file		     5d7db9565eed1a785fd7a03b75d221a5
ftp://updates.redhat.com/7.0/en/os/i386/libpng-devel-1.0.14-0.70.2.i386.rpm
Missing file		     c98488ae2ad9edaba3ce19d13ecdea87
 
Red Hat Linux 7.1
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/libpng-1.0.14-0.7x.4.src.rpm
Missing file		     00d5ba5b22ba86373f5b20cec920f72d
 
IA-32:
ftp://updates.redhat.com/7.1/en/os/i386/libpng-1.0.14-0.7x.4.i386.rpm
Missing file		     7b1507aa0d479257e888c267deefe757
ftp://updates.redhat.com/7.1/en/os/i386/libpng-devel-1.0.14-0.7x.4.i386.rpm
Missing file		     723342e918bcfe3343526a9cc483ba3d
 
Red Hat Linux 7.2
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/libpng-1.0.14-0.7x.4.src.rpm
Missing file		     00d5ba5b22ba86373f5b20cec920f72d
 
IA-32:
ftp://updates.redhat.com/7.2/en/os/i386/libpng-1.0.14-0.7x.4.i386.rpm
Missing file		     7b1507aa0d479257e888c267deefe757
ftp://updates.redhat.com/7.2/en/os/i386/libpng-devel-1.0.14-0.7x.4.i386.rpm
Missing file		     723342e918bcfe3343526a9cc483ba3d
 
IA-64:
ftp://updates.redhat.com/7.2/en/os/ia64/libpng-1.0.14-0.7x.4.ia64.rpm
Missing file		     a5da2a1a78fc0a0c5cd5e20a8168548c
ftp://updates.redhat.com/7.2/en/os/ia64/libpng-devel-1.0.14-0.7x.4.ia64.rpm
Missing file		     e445bca70299635ac6f05c2b7b55ca20
 
Red Hat Linux 7.3
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/libpng-1.0.14-0.7x.4.src.rpm
Missing file		     00d5ba5b22ba86373f5b20cec920f72d
 
IA-32:
ftp://updates.redhat.com/7.3/en/os/i386/libpng-1.0.14-0.7x.4.i386.rpm
Missing file		     7b1507aa0d479257e888c267deefe757
ftp://updates.redhat.com/7.3/en/os/i386/libpng-devel-1.0.14-0.7x.4.i386.rpm
Missing file		     723342e918bcfe3343526a9cc483ba3d
 
Red Hat Linux 8.0
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/libpng-1.2.2-8.src.rpm
Missing file		     3969141f549de973eb1e0f8e0730e22e
ftp://updates.redhat.com/8.0/en/os/SRPMS/libpng10-1.0.13-6.src.rpm
Missing file		     94304b42e3ad180c384f521782bc2071
 
IA-32:
ftp://updates.redhat.com/8.0/en/os/i386/libpng-1.2.2-8.i386.rpm
Missing file		     65f374f46b9b03de4c162ef0052a6fe1
ftp://updates.redhat.com/8.0/en/os/i386/libpng-devel-1.2.2-8.i386.rpm
Missing file		     55f87f85687d29e92a6cc4e9bc7dd5cd
ftp://updates.redhat.com/8.0/en/os/i386/libpng10-1.0.13-6.i386.rpm
Missing file		     0f1806af8e4388419de2d7ace074c2ed
ftp://updates.redhat.com/8.0/en/os/i386/libpng10-devel-1.0.13-6.i386.rpm
Missing file		     0e773f163458dbeb9da90bbf5c2a400e
 

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1363

Keywords

buffer, flaw:buf, libpng, overflow

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/