Debians sikkerhedsbulletin
DSA-536-1 libpng -- flere sårbarheder
- Rapporteret den:
- 4. aug 2004
- Berørte pakker:
- libpng
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Mitres CVE-ordbog: CVE-2004-0597, CVE-2004-0598, CVE-2004-0599, CVE-2004-0768.
CERTs noter om sårbarheder, bulletiner og hændelser: VU#388984, VU#817368, VU#236656, VU#160448, VU#286464, VU#477512. - Yderligere oplysninger:
-
Chris Evans har opdaget flere sårbarheder i libpng:
- CAN-2004-0597
Der er flere bufferoverløb, blandt andre ved håndtering af "transparency chunk data", der kunne udnyttes til at forårsage at vilkårlig kode blev udført når et særligt fremstillet PNG-billede blev behandlet.
- CAN-2004-0598
Flere NULL-pointerreferencer i png_handle_iCPP() og andre steder kunne udnyttes til at få et program til at gå ned, når et særligt fremstillet PNG-billede blev behandlet.
- CAN-2004-0599
Flere heltalsoverløbs i funktionerne png_handle_sPLT(), png_read_png() og andre steder kunne udnyttes til at få et program til at gå ned, eller potentielt udførelse af vilkårlig kode, når et særligt fremstillet blillede blev behandlet.
Desuden er en fejl med relation til CAN-2002-1363 blevet rettet:
- CAN-2004-0768
Et bufferoverløb kunne udløses på grund af en ukorrekt beregning eller bufferoffset, muligvis medførende udførelse af vilkårlig kode.
I den nuværende stabile distribution (woody), er disse problemer rettet i libpng3 version 1.2.1-1.1.woody.7 og i libpng version 1.0.12-3.woody.7.
I den ustabile distribution (sid), vil disse problemer snart blive rettet.
Vi anbefaler at du opdaterer dine libpng and libpng3-pakker.
- CAN-2004-0597
- Rettet i:
-
Debian GNU/Linux 3.0 (woody)
- Kildekode:
- http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12-3.woody.7.dsc
- http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12-3.woody.7.diff.gz
- http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12.orig.tar.gz
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7.dsc
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7.diff.gz
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1.orig.tar.gz
- http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12-3.woody.7.diff.gz
- ARM:
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_arm.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_arm.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_arm.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_arm.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_i386.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_i386.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_i386.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_i386.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_ia64.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_ia64.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_ia64.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_ia64.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_hppa.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_hppa.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_hppa.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_hppa.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_m68k.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_m68k.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_m68k.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_m68k.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_mips.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_mips.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_mips.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_mips.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_mipsel.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_mipsel.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_mipsel.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_mipsel.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_powerpc.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_powerpc.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_powerpc.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_powerpc.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_s390.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_s390.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_s390.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_s390.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_sparc.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_sparc.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_sparc.deb
- http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_sparc.deb
- http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_sparc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.