CORE 2:

Fedora Update Notification
FEDORA-2004-238
2004-08-04
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : libpng10
Version     : 1.0.15                      
Release     : 8                  
Summary     : Old version of libpng, needed to run old binaries.
Description :
The libpng10 package contains an old version of libpng, a library of
functions for creating and manipulating PNG (Portable Network Graphics)
image format files.

This package is needed if you want to run binaries that were linked
dynamically
with libpng 1.0.x.

---------------------------------------------------------------------
Update Information:

The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.

During a source code audit, Chris Evans discovered several buffer
overflows in libpng. An attacker could create a carefully crafted PNG
file in such a way that it would cause an application linked with libpng
to execute arbitrary code when the file was opened by a victim. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0597 to these issues. 

In addition, this audit discovered a potential NULL pointer dereference
in libpng (CAN-2004-0598) and several integer overflow issues
(CAN-2004-0599). An attacker could create a carefully crafted PNG file
in such a way that it would cause an application linked with libpng to
crash when the file was opened by the victim.

Red Hat would like to thank Chris Evans for discovering these issues.

---------------------------------------------------------------------
* Fri Jul 23 2004 Matthias Clasen <mclasen@redhat.com> 1.0.15-8

- Build for FC2

* Fri Jul 23 2004 Matthias Clasen <mclasen@redhat.com> 1.0.15-7

- Replace the patches for individual security problems with the
  cumulative patch issued by the png developers.
- Build for FC1

* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>

- rebuilt

* Mon Jun 14 2004 Matthias Clasen <mclasen@redhat.com> - 1.0.15-5

- Rebuilt for FC2

* Mon Jun 14 2004 Matthias Clasen <mclasen@redhat.com> - 1.0.15-4

- Rebuilt for FC1

* Mon Jun 14 2004 Matthias Clasen <mclasen@redhat.com> - 1.0.15-3

- Reinstate and improve the transfix patch which got lost sometime ago, 
  but is still needed for CAN-2002-1363 (#125934)

* Wed May 19 2004 Matthias Clasen <mclasen@redhat.com> 1.0.15-2

- Don't provide libpng-devel (#110161)

* Wed May 19 2004 Matthias Clasen <mclasen@redhat.com> 1.0.15-1

- 1.0.15
- Update rhconf2 patch 
- Remove bogus badchunks patch (#89854)

* Mon May 03 2004 Matthias Clasen <mclasen@redhat.com> 1.0.13-13

- Redo the out-of-bounds fix in a slightly better way.

* Wed Apr 21 2004 Matthias Clasen <mclasen@redhat.com> 1.0.13-12

- Bump release number to disambiguate n-v-rs.

* Mon Apr 19 2004 Matthias Clasen <mclasen@redhat.com>

- fix a possible out-of-bounds read in the error message
  handler. #121229

* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>

- rebuilt

* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>

- rebuilt

* Mon Jun 09 2003 Elliot Lee <sopwith@redhat.com>

- This package has no epochs! remove usage thereof

* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>

- rebuilt

* Tue Jun 03 2003 Jeff Johnson <jbj@redhat.com>

- add explicit epoch's where needed.

* Wed Jan 22 2003 Tim Powers <timp@redhat.com>

- rebuilt

* Wed Jan 15 2003 Elliot Lee <sopwith@redhat.com> 1.0.13-7

- Bump & rebuild

* Fri Dec 13 2002 Elliot Lee <sopwith@redhat.com> 1.0.13-6

- Rebuild, merging in multilib change

* Fri Jun 21 2002 Tim Powers <timp@redhat.com>

- automated rebuild

* Sun May 26 2002 Tim Powers <timp@redhat.com>

- automated rebuild

* Tue May 21 2002 Elliot Lee <sopwith@redhat.com> 1.0.13-3

- The package totally broke the backwards compatibility that it was
intended to provide.
  Fixed by setting soname to libpng.so.2, and only tweaking the build
(libpng*.{so,a}) files.
- Use _smp_mflags
- Fix rhconf patch because it was patching a symlink instead of the
actual file.
- Don't provide libpng = {version}, because then the package conflicts
with itself

* Thu May 09 2002 Jeremy Katz <katzj@redhat.com> 1.0.13-2

- rebuild

* Thu May 02 2002 Havoc Pennington <hp@redhat.com> 1.0.13-1

- upgrade to 1.0.13, plus patch tarball from libpng web site
- update rhconf patch to work with new makefiles

* Mon Mar 04 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.0.12-6

- Revert fix for #59988 as it introduces a worse problem, #60410

* Tue Feb 26 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.0.12-5

- Conflict with libpng < 1.2.0 (#59988)

* Wed Jan 30 2002 Bill Nottingham <notting@redhat.com> 1.0.12-4

- provide libpng = %{version}, libpng-devel = %{version}

* Wed Jan 09 2002 Tim Powers <timp@redhat.com>

- automated rebuild

* Fri Jan 04 2002 Bill Nottingham <notting@redhat.com> 1.0.12-2

- add devel stuff (we may change this around later)

* Wed Sep 19 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.0.12-1

- initial compat package


---------------------------------------------------------------------
This update can be downloaded from:
    

df256b5fd7568b39ea7e737eb4ede582  SRPMS/libpng10-1.0.15-8.src.rpm
0765cb769f591d9cbed2bb1ca02a6108  x86_64/libpng10-1.0.15-8.x86_64.rpm
49230b3792d80f80b8bcf4e81a5a5462 
x86_64/libpng10-devel-1.0.15-8.x86_64.rpm
87344871592251377c94b6eaa3215855 
x86_64/debug/libpng10-debuginfo-1.0.15-8.x86_64.rpm
6570d903af2d1e9d77523934cb6a73d9  i386/libpng10-1.0.15-8.i386.rpm
478673873b01f6013d8d73b099171443  i386/libpng10-devel-1.0.15-8.i386.rpm
99b03b2015ec3756c8640d74d5d93fcc 
i386/debug/libpng10-debuginfo-1.0.15-8.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

CORE 1:

Fedora Update Notification
FEDORA-2004-236
2004-08-04
---------------------------------------------------------------------

Product     : Fedora Core 1
Name        : libpng10
Version     : 1.0.15
Release     : 7
Summary     : Old version of libpng, needed to run old binaries.
Description :
The libpng10 package contains an old version of libpng, a library of
functions for creating and manipulating PNG (Portable Network Graphics)
image format files.

This package is needed if you want to run binaries that were linked
dynamically with libpng 1.0.x.

---------------------------------------------------------------------
Update Information:
The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.

During a source code audit, Chris Evans discovered several buffer
overflows in libpng. An attacker could create a carefully crafted PNG
file in such a way that it would cause an application linked with libpng
to execute arbitrary code when the file was opened by a victim. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0597 to these issues. 

In addition, this audit discovered a potential NULL pointer dereference
in libpng (CAN-2004-0598) and several integer overflow issues
(CAN-2004-0599). An attacker could create a carefully crafted PNG file
in such a way that it would cause an application linked with libpng to
crash when the file was opened by the victim.

Red Hat would like to thank Chris Evans for discovering these issues.

---------------------------------------------------------------------
* Fri Jul 23 2004 Matthias Clasen <mclasen@redhat.com> 1.0.15-7

- Replace the patches for individual security problems with the
  cumulative patch issued by the png developers.
- Build for FC1

* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>

- rebuilt

* Mon Jun 14 2004 Matthias Clasen <mclasen@redhat.com> - 1.0.15-5

- Rebuilt for FC2

* Mon Jun 14 2004 Matthias Clasen <mclasen@redhat.com> - 1.0.15-4

- Rebuilt for FC1

* Mon Jun 14 2004 Matthias Clasen <mclasen@redhat.com> - 1.0.15-3

- Reinstate and improve the transfix patch which got lost sometime ago,
  but is still needed for CAN-2002-1363 (#125934)

* Wed May 19 2004 Matthias Clasen <mclasen@redhat.com> 1.0.15-2

- Don't provide libpng-devel (#110161)

* Wed May 19 2004 Matthias Clasen <mclasen@redhat.com> 1.0.15-1

- 1.0.15
- Update rhconf2 patch
- Remove bogus badchunks patch (#89854)

* Mon May 03 2004 Matthias Clasen <mclasen@redhat.com> 1.0.13-13

- Redo the out-of-bounds fix in a slightly better way.

* Wed Apr 21 2004 Matthias Clasen <mclasen@redhat.com> 1.0.13-12

- Bump release number to disambiguate n-v-rs.

* Mon Apr 19 2004 Matthias Clasen <mclasen@redhat.com>

- fix a possible out-of-bounds read in the error message
  handler. #121229

* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>

- rebuilt

* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>

- rebuilt

* Mon Jun 09 2003 Elliot Lee <sopwith@redhat.com>

- This package has no epochs! remove usage thereof

* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>

- rebuilt

* Tue Jun 03 2003 Jeff Johnson <jbj@redhat.com>

- add explicit epoch's where needed.

* Wed Jan 22 2003 Tim Powers <timp@redhat.com>

- rebuilt

* Wed Jan 15 2003 Elliot Lee <sopwith@redhat.com> 1.0.13-7

- Bump & rebuild

* Fri Dec 13 2002 Elliot Lee <sopwith@redhat.com> 1.0.13-6

- Rebuild, merging in multilib change

* Fri Jun 21 2002 Tim Powers <timp@redhat.com>

- automated rebuild

* Sun May 26 2002 Tim Powers <timp@redhat.com>

- automated rebuild

* Tue May 21 2002 Elliot Lee <sopwith@redhat.com> 1.0.13-3

- The package totally broke the backwards compatibility that it was
intended to provide.
  Fixed by setting soname to libpng.so.2, and only tweaking the build
(libpng*.{so,a}) files.
- Use _smp_mflags
- Fix rhconf patch because it was patching a symlink instead of the
actual file.
- Don't provide libpng = {version}, because then the package conflicts
with itself

* Thu May 09 2002 Jeremy Katz <katzj@redhat.com> 1.0.13-2

- rebuild

* Thu May 02 2002 Havoc Pennington <hp@redhat.com> 1.0.13-1

- upgrade to 1.0.13, plus patch tarball from libpng web site
- update rhconf patch to work with new makefiles

* Mon Mar 04 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.0.12-6

- Revert fix for #59988 as it introduces a worse problem, #60410

* Tue Feb 26 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.0.12-5

- Conflict with libpng < 1.2.0 (#59988)

* Wed Jan 30 2002 Bill Nottingham <notting@redhat.com> 1.0.12-4

- provide libpng = %{version}, libpng-devel = %{version}

* Wed Jan 09 2002 Tim Powers <timp@redhat.com>

- automated rebuild

* Fri Jan 04 2002 Bill Nottingham <notting@redhat.com> 1.0.12-2

- add devel stuff (we may change this around later)

* Wed Sep 19 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.0.12-1

- initial compat package


---------------------------------------------------------------------
This update can be downloaded from:
    

748a5bae718537c066affeab55f8cd13  SRPMS/libpng10-1.0.15-7.src.rpm
2a700f1c32460cd298338eb9ea8eff2f  x86_64/libpng10-1.0.15-7.x86_64.rpm
6fd56ffb02374f63a6babfce021bf726 
x86_64/libpng10-devel-1.0.15-7.x86_64.rpm
b7413234354a1bb0b0f450a55501ecf3 
x86_64/debug/libpng10-debuginfo-1.0.15-7.x86_64.rpm
76795623a70bc6724f03205acce15e63  i386/libpng10-1.0.15-7.i386.rpm
4cbe2c20bb6738d3f1a7674a413218ca  i386/libpng10-devel-1.0.15-7.i386.rpm
bfbb7f83ca69dac0aa25345ca74ad4b7 
i386/debug/libpng10-debuginfo-1.0.15-7.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.

Fedora: 2,1: libpng10 Multiple vulnerabilities

August 11, 2004
Multiple libpng vulnerabilities are backpatched to the old 1.0.x libpng libraries.

Summary

The libpng10 package contains an old version of libpng, a library of

functions for creating and manipulating PNG (Portable Network Graphics)

image format files.

This package is needed if you want to run binaries that were linked

dynamically

with libpng 1.0.x.

The libpng10 package contains an old version of libpng, a library of

functions for creating and manipulating PNG (Portable Network Graphics)

image format files.

This package is needed if you want to run binaries that were linked

dynamically with libpng 1.0.x.

Update Information:

The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files.

During a source code audit, Chris Evans discovered several buffer overflows in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0597 to these issues.

In addition, this audit discovered a potential NULL pointer dereference in libpng (CAN-2004-0598) and several integer overflow issues (CAN-2004-0599). An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to crash when the file was opened by the victim.

Red Hat would like to thank Chris Evans for discovering these issues.

* Fri Jul 23 2004 Matthias Clasen <mclasen@redhat.com> 1.0.15-8

- Build fo...

Read the Full Advisory

Change Log

References

CORE 2: Fedora Update Notification FEDORA-2004-238 2004-08-04 Product : Fedora Core 2 Name : libpng10 Version : 1.0.15 Release : 8 Summary : Old version of libpng, needed to run old binaries. Description : The libpng10 package contains an old version of libpng, a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. This package is needed if you want to run binaries that were linked dynamically with libpng 1.0.x.

Update Instructions

Severity
Product : Fedora Core 2
Name : libpng10
Version : 1.0.15
Release : 8
Summary : Old version of libpng, needed to run old binaries.
Product : Fedora Core 1
Name : libpng10
Version : 1.0.15
Release : 7
Summary : Old version of libpng, needed to run old binaries.

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved