Security Advisory Moderate: libpng security update

Advisory: RHSA-2009:0340-3
Type: Security Advisory
Severity: Moderate
Issued on: 2009-03-04
Last updated on: 2009-03-04
Affected Products: Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
OVAL: com.redhat.rhsa-20090340.xml
CVEs (cve.mitre.org): CVE-2009-0040

Details

Updated libpng and libpng10 packages that fix a security issue are now
available for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The libpng packages contain a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.

A flaw was discovered in libpng that could result in libpng trying to
free() random memory if certain, unlikely error conditions occurred. If a
carefully-crafted PNG file was loaded by an application linked against
libpng, it could cause the application to crash or, potentially, execute
arbitrary code with the privileges of the user running the application.
(CVE-2009-0040)
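An illustration of this class of bug, added here and not taken from libpng or from the Red Hat patch: a cleanup path that frees every slot of a pointer table, run with and without clearing the table first. It assumes the error condition is an allocation failure partway through filling the table; `toy_alloc`, `toy_free` and `read_rows` are hypothetical names, and the 0xA5 fill is a constructed stand-in for stale memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROWS 8
static void *live[ROWS];  /* pointers the toy allocator has handed out */
static int budget;        /* allocations allowed before the simulated failure */
static int bad_frees;     /* frees of values that were never allocated */

static void *toy_alloc(size_t n) {
    if (budget-- <= 0) return NULL;            /* the unlikely error condition */
    void *p = malloc(n);
    for (int i = 0; p && i < ROWS; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

/* Stand-in for free(): counts invalid pointers where free() would corrupt the heap. */
static void toy_free(void *p) {
    if (!p) return;                            /* freeing NULL is a harmless no-op */
    for (int i = 0; i < ROWS; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    bad_frees++;
}

/* Fill a row-pointer table, then run the shared cleanup path.
 * Returns how many invalid frees the cleanup attempted. */
static int read_rows(int zero_init, int fail_after) {
    void *rows[ROWS];
    budget = fail_after;
    bad_frees = 0;
    memset(live, 0, sizeof live);
    memset(rows, 0xA5, sizeof rows);           /* constructed: stale memory contents */
    if (zero_init) memset(rows, 0, sizeof rows);   /* hardened: clear slots first */
    for (int i = 0; i < ROWS; i++)
        if ((rows[i] = toy_alloc(64)) == NULL) break;
    for (int i = 0; i < ROWS; i++)             /* cleanup walks every slot */
        toy_free(rows[i]);
    return bad_frees;
}

int main(void) {
    printf("no clearing, failure after 3 rows: %d invalid frees\n", read_rows(0, 3));
    printf("cleared,     failure after 3 rows: %d invalid frees\n", read_rows(1, 3));
    printf("no clearing, no failure:           %d invalid frees\n", read_rows(0, ROWS));
    return 0;
}
```

The invalid frees appear only on the failure path, which is why a flaw of this kind can go unnoticed in normal testing.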

Users of libpng and libpng10 should upgrade to these updated packages,
which contain backported patches to correct this issue. All running
applications using libpng or libpng10 must be restarted for the update to
take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Desktop (v. 3)

SRPMS:
libpng-1.2.2-29.src.rpm     0580d638c4c02bd501a6e76c849c1e7f
libpng10-1.0.13-20.src.rpm     34101ca8a8ed059809f34f02b84030c7
 
IA-32:
libpng-1.2.2-29.i386.rpm     733b4018d598a9cf037cc80c969743b1
libpng-devel-1.2.2-29.i386.rpm     0f212caeb3ffb252e93cd4c2593770c0
libpng10-1.0.13-20.i386.rpm     3ad42fc0853d98fd0567ac66d75e5d3f
libpng10-devel-1.0.13-20.i386.rpm     f5d9bac00f95a05d2f680af46c873eb4
 
x86_64:
libpng-1.2.2-29.i386.rpm     733b4018d598a9cf037cc80c969743b1
libpng-1.2.2-29.x86_64.rpm     c1bf4d2a38c5a09276562beac29e7817
libpng-devel-1.2.2-29.x86_64.rpm     8b00ad3c68ca94ed083a09bca41bed96
libpng10-1.0.13-20.i386.rpm     3ad42fc0853d98fd0567ac66d75e5d3f
libpng10-1.0.13-20.x86_64.rpm     53eeeccff78a52d4d8027af282520729
libpng10-devel-1.0.13-20.x86_64.rpm     2ea006cbe44cf1c903906a5040ba3c07
 
Red Hat Enterprise Linux AS (v. 3)

SRPMS:
libpng-1.2.2-29.src.rpm     0580d638c4c02bd501a6e76c849c1e7f
libpng10-1.0.13-20.src.rpm     34101ca8a8ed059809f34f02b84030c7
 
IA-32:
libpng-1.2.2-29.i386.rpm     733b4018d598a9cf037cc80c969743b1
libpng-devel-1.2.2-29.i386.rpm     0f212caeb3ffb252e93cd4c2593770c0
libpng10-1.0.13-20.i386.rpm     3ad42fc0853d98fd0567ac66d75e5d3f
libpng10-devel-1.0.13-20.i386.rpm     f5d9bac00f95a05d2f680af46c873eb4
 
IA-64:
libpng-1.2.2-29.i386.rpm     733b4018d598a9cf037cc80c969743b1
libpng-1.2.2-29.ia64.rpm     94924f3a62ffaa74a4c937a21bb78f21
libpng-devel-1.2.2-29.ia64.rpm     f4ed99b072a3793a45d99f602e9190b7
libpng10-1.0.13-20.i386.rpm     3ad42fc0853d98fd0567ac66d75e5d3f
libpng10-1.0.13-20.ia64.rpm     8f4df6a65a64e22d721217f10660d76a
libpng10-devel-1.0.13-20.ia64.rpm     c7bf68925cc72b61525bbf7976b1d8c5
 
PPC:
libpng-1.2.2-29.ppc.rpm     5f5fb40856292947910b9e64f58883c8
libpng-1.2.2-29.ppc64.rpm     9e5feedb5305afbcd85afe5517633924
libpng-devel-1.2.2-29.ppc.rpm     8a90371fb74511d1654e25ccc7ab2130
libpng10-1.0.13-20.ppc.rpm     ea1309f8b6925ff69f38f7267bfe4d97
libpng10-1.0.13-20.ppc64.rpm     d0cc9a1372eeef741322fb5abbf03c7e
libpng10-devel-1.0.13-20.ppc.rpm     d0d8092ea5d9365807dde38db4dd33a5
 
s390:
libpng-1.2.2-29.s390.rpm     68b2b9624ca33dfe71141555243403c7
libpng-devel-1.2.2-29.s390.rpm     bb77ae3804db908eeb43eaabf4ce70d6
libpng10-1.0.13-20.s390.rpm     415976f0ef8b69fd3380a8bf657d1f3c
libpng10-devel-1.0.13-20.s390.rpm     c9371c984901bb5db8e4f8b090eb0790
 
s390x:
libpng-1.2.2-29.s390.rpm     68b2b9624ca33dfe71141555243403c7
libpng-1.2.2-29.s390x.rpm     682ce5dd40b5ef27fcb15e2bc1e222a4
libpng-devel-1.2.2-29.s390x.rpm     1f5659e3ec0a5872d9f49a32d7e11482
libpng10-1.0.13-20.s390.rpm     415976f0ef8b69fd3380a8bf657d1f3c
libpng10-1.0.13-20.s390x.rpm     a57833cac94b1febac303deeabd4c1db
libpng10-devel-1.0.13-20.s390x.rpm     8867541429a33f470a93af77c44970dd
 
x86_64:
libpng-1.2.2-29.i386.rpm     733b4018d598a9cf037cc80c969743b1
libpng-1.2.2-29.x86_64.rpm     c1bf4d2a38c5a09276562beac29e7817
libpng-devel-1.2.2-29.x86_64.rpm     8b00ad3c68ca94ed083a09bca41bed96
libpng10-1.0.13-20.i386.rpm     3ad42fc0853d98fd0567ac66d75e5d3f
libpng10-1.0.13-20.x86_64.rpm     53eeeccff78a52d4d8027af282520729
libpng10-devel-1.0.13-20.x86_64.rpm     2ea006cbe44cf1c903906a5040ba3c07
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
libpng-1.2.2-29.src.rpm     0580d638c4c02bd501a6e76c849c1e7f
libpng10-1.0.13-20.src.rpm     34101ca8a8ed059809f34f02b84030c7
 
IA-32:
libpng-1.2.2-29.i386.rpm     733b4018d598a9cf037cc80c969743b1
libpng-devel-1.2.2-29.i386.rpm     0f212caeb3ffb252e93cd4c2593770c0
libpng10-1.0.13-20.i386.rpm     3ad42fc0853d98fd0567ac66d75e5d3f
libpng10-devel-1.0.13-20.i386.rpm     f5d9bac00f95a05d2f680af46c873eb4
 
IA-64:
libpng-1.2.2-29.i386.rpm     733b4018d598a9cf037cc80c969743b1
libpng-1.2.2-29.ia64.rpm     94924f3a62ffaa74a4c937a21bb78f21
libpng-devel-1.2.2-29.ia64.rpm     f4ed99b072a3793a45d99f602e9190b7
libpng10-1.0.13-20.i386.rpm     3ad42fc0853d98fd0567ac66d75e5d3f
libpng10-1.0.13-20.ia64.rpm     8f4df6a65a64e22d721217f10660d76a
libpng10-devel-1.0.13-20.ia64.rpm     c7bf68925cc72b61525bbf7976b1d8c5
 
x86_64:
libpng-1.2.2-29.i386.rpm     733b4018d598a9cf037cc80c969743b1
libpng-1.2.2-29.x86_64.rpm     c1bf4d2a38c5a09276562beac29e7817
libpng-devel-1.2.2-29.x86_64.rpm     8b00ad3c68ca94ed083a09bca41bed96
libpng10-1.0.13-20.i386.rpm     3ad42fc0853d98fd0567ac66d75e5d3f
libpng10-1.0.13-20.x86_64.rpm     53eeeccff78a52d4d8027af282520729
libpng10-devel-1.0.13-20.x86_64.rpm     2ea006cbe44cf1c903906a5040ba3c07
 
Red Hat Enterprise Linux WS (v. 3)

SRPMS:
libpng-1.2.2-29.src.rpm     0580d638c4c02bd501a6e76c849c1e7f
libpng10-1.0.13-20.src.rpm     34101ca8a8ed059809f34f02b84030c7
 
IA-32:
libpng-1.2.2-29.i386.rpm     733b4018d598a9cf037cc80c969743b1
libpng-devel-1.2.2-29.i386.rpm     0f212caeb3ffb252e93cd4c2593770c0
libpng10-1.0.13-20.i386.rpm     3ad42fc0853d98fd0567ac66d75e5d3f
libpng10-devel-1.0.13-20.i386.rpm     f5d9bac00f95a05d2f680af46c873eb4
 
IA-64:
libpng-1.2.2-29.i386.rpm     733b4018d598a9cf037cc80c969743b1
libpng-1.2.2-29.ia64.rpm     94924f3a62ffaa74a4c937a21bb78f21
libpng-devel-1.2.2-29.ia64.rpm     f4ed99b072a3793a45d99f602e9190b7
libpng10-1.0.13-20.i386.rpm     3ad42fc0853d98fd0567ac66d75e5d3f
libpng10-1.0.13-20.ia64.rpm     8f4df6a65a64e22d721217f10660d76a
libpng10-devel-1.0.13-20.ia64.rpm     c7bf68925cc72b61525bbf7976b1d8c5
 
x86_64:
libpng-1.2.2-29.i386.rpm     733b4018d598a9cf037cc80c969743b1
libpng-1.2.2-29.x86_64.rpm     c1bf4d2a38c5a09276562beac29e7817
libpng-devel-1.2.2-29.x86_64.rpm     8b00ad3c68ca94ed083a09bca41bed96
libpng10-1.0.13-20.i386.rpm     3ad42fc0853d98fd0567ac66d75e5d3f
libpng10-1.0.13-20.x86_64.rpm     53eeeccff78a52d4d8027af282520729
libpng10-devel-1.0.13-20.x86_64.rpm     2ea006cbe44cf1c903906a5040ba3c07
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

486355 - CVE-2009-0040 libpng arbitrary free() flaw



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/