
Security Advisory Moderate: libpng security update

Advisory: RHSA-2011:1104-1
Type: Security Advisory
Severity: Moderate
Issued on: 2011-07-28
Last updated on: 2011-07-28
Affected Products: RHEL Desktop Workstation (v. 5 client); Red Hat Enterprise Linux (v. 5 server); Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2011-2690, CVE-2011-2692

Details

Updated libpng packages that fix two security issues are now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The libpng packages contain a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.

A buffer overflow flaw was found in the way libpng processed certain PNG
image files. An attacker could create a specially-crafted PNG image that,
when opened, could cause an application using libpng to crash or,
potentially, execute arbitrary code with the privileges of the user running
the application. (CVE-2011-2690)

Note: The application behavior required to exploit CVE-2011-2690 is rarely
used. No application shipped with Red Hat Enterprise Linux behaves this
way, for example.

An uninitialized memory read issue was found in the way libpng processed
certain PNG images that use the Physical Scale (sCAL) extension. An
attacker could create a specially-crafted PNG image that, when opened,
could cause an application using libpng to crash. (CVE-2011-2692)

Users of libpng should upgrade to these updated packages, which contain
backported patches to correct these issues. All running applications using
libpng must be restarted for the update to take effect.
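
One way to find the applications that still need a restart, as an added example that is not part of the original advisory: a process started before the update keeps the old library mapped, and the kernel tags that unlinked file "(deleted)" in /proc/<pid>/maps. The library path, addresses and the example-viewer process in the sample are constructed assumptions.

```bash
#!/bin/bash
# Added example (not from the advisory): list processes that still map a
# libpng shared object that has been replaced on disk by the update.

# Reads /proc/<pid>/maps text on stdin and prints each distinct libpng path
# the kernel has tagged "(deleted)". Returns 0 if any was found, else 1.
stale_libpng_maps() {
    awk '
        $NF == "(deleted)" && $(NF-1) ~ "libpng[^/]*[.]so[^/]*$" {
            if (!seen[$(NF-1)]++) print $(NF-1)
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Walks every process in /proc (run as root to see other users' processes)
# and prints "PID<TAB>command<TAB>stale library path" for each hit.
scan_running_processes() {
    local maps pid lib
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # A process that exits mid-scan simply yields no match.
        lib=$(stale_libpng_maps < "$maps" 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$pid" "$(ps -o comm= -p "$pid")" "$lib"
    done
}

# Constructed sample of a maps file from a process started before the update.
# The library path, addresses and process name are illustrative assumptions.
SAMPLE_MAPS='00110000-00133000 r-xp 00000000 fd:00 131077 /usr/lib/libpng12.so.0.10.0 (deleted)
00133000-00134000 rwxp 00022000 fd:00 131077 /usr/lib/libpng12.so.0.10.0 (deleted)
00bd5000-00be7000 r-xp 00000000 fd:00 131201 /usr/lib/libz.so.1.2.3
08048000-0804d000 r-xp 00000000 fd:00 262301 /usr/bin/example-viewer'

# Scan the live system only when asked to: ./script.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_running_processes
fi
```

Any process listed by the scan was started before the update and is still running the old libpng code; an empty result means no running process maps a replaced copy.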


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
libpng-1.2.10-7.1.el5_7.5.src.rpm
File outdated by:  RHSA-2012:0523
 
IA-32:
libpng-devel-1.2.10-7.1.el5_7.5.i386.rpm
File outdated by:  RHSA-2012:0523
 
x86_64:
libpng-devel-1.2.10-7.1.el5_7.5.i386.rpm
File outdated by:  RHSA-2012:0523
libpng-devel-1.2.10-7.1.el5_7.5.x86_64.rpm
File outdated by:  RHSA-2012:0523
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
libpng-1.2.10-7.1.el5_7.5.src.rpm
File outdated by:  RHSA-2012:0523
 
IA-32:
libpng-1.2.10-7.1.el5_7.5.i386.rpm
File outdated by:  RHSA-2012:0523
libpng-devel-1.2.10-7.1.el5_7.5.i386.rpm
File outdated by:  RHSA-2012:0523
 
IA-64:
libpng-1.2.10-7.1.el5_7.5.i386.rpm
File outdated by:  RHSA-2012:0523
libpng-1.2.10-7.1.el5_7.5.ia64.rpm
File outdated by:  RHSA-2012:0523
libpng-devel-1.2.10-7.1.el5_7.5.ia64.rpm
File outdated by:  RHSA-2012:0523
 
PPC:
libpng-1.2.10-7.1.el5_7.5.ppc.rpm
File outdated by:  RHSA-2012:0523
libpng-1.2.10-7.1.el5_7.5.ppc64.rpm
File outdated by:  RHSA-2012:0523
libpng-devel-1.2.10-7.1.el5_7.5.ppc.rpm
File outdated by:  RHSA-2012:0523
libpng-devel-1.2.10-7.1.el5_7.5.ppc64.rpm
File outdated by:  RHSA-2012:0523
 
s390x:
libpng-1.2.10-7.1.el5_7.5.s390.rpm
File outdated by:  RHSA-2012:0523
libpng-1.2.10-7.1.el5_7.5.s390x.rpm
File outdated by:  RHSA-2012:0523
libpng-devel-1.2.10-7.1.el5_7.5.s390.rpm
File outdated by:  RHSA-2012:0523
libpng-devel-1.2.10-7.1.el5_7.5.s390x.rpm
File outdated by:  RHSA-2012:0523
 
x86_64:
libpng-1.2.10-7.1.el5_7.5.i386.rpm
File outdated by:  RHSA-2012:0523
libpng-1.2.10-7.1.el5_7.5.x86_64.rpm
File outdated by:  RHSA-2012:0523
libpng-devel-1.2.10-7.1.el5_7.5.i386.rpm
File outdated by:  RHSA-2012:0523
libpng-devel-1.2.10-7.1.el5_7.5.x86_64.rpm
File outdated by:  RHSA-2012:0523
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
libpng-1.2.10-7.1.el5_7.5.src.rpm
File outdated by:  RHSA-2012:0523
 
IA-32:
libpng-1.2.10-7.1.el5_7.5.i386.rpm
File outdated by:  RHSA-2012:0523
 
x86_64:
libpng-1.2.10-7.1.el5_7.5.i386.rpm
File outdated by:  RHSA-2012:0523
libpng-1.2.10-7.1.el5_7.5.x86_64.rpm
File outdated by:  RHSA-2012:0523
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

720607 - CVE-2011-2690 libpng: buffer overwrite in png_rgb_to_gray
720612 - CVE-2011-2692 libpng: Invalid read when handling empty sCAL chunks


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/