Debian Security Advisory

DSA-2032-1 libpng -- several vulnerabilities

Date Reported:
11 Apr 2010
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 533676, Bug 572308.
In Mitre's CVE dictionary: CVE-2009-2042, CVE-2010-0205.
More information:

Several vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2009-2042

    libpng does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file.

  • CVE-2010-0205

    libpng does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file

For the stable distribution (lenny), these problems have been fixed in version 1.2.27-2+lenny3.

For the testing (squeeze) and unstable (sid) distribution, these problems have been fixed in version 1.2.43-1

We recommend that you upgrade your libpng package.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Architecture-independent component:
HP Precision:
Intel IA-32:
Intel IA-64:
Little-endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.