Your message dated Thu, 1 Jul 2010 00:11:06 +0000
with message-id <[email protected]>
and subject line Re: Bug#587670: libpng: CVE-2010-1205 and CVE-2010-2249
has caused the Debian Bug report #587670,
regarding libpng: CVE-2010-1205 and CVE-2010-2249
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
587670: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587670
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpng
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libpng.

Upstream's announcement:
> Several versions of libpng through 1.4.2 (and through 1.2.43 in the older
> series) contain a bug whereby progressive applications such as web
> browsers (or the rpng2 demo app included in libpng) could receive an extra
> row of image data beyond the height reported in the header, potentially
> leading to an out-of-bounds write to memory (depending on how the
> application is written) and the possibility of execution of an attacker's
> code with the privileges of the libpng user.

CVE-2010-1205 was assigned for this.

>  An additional memory-leak bug, involving images with malformed sCAL
>  chunks, is also present; it could lead to an application crash (denial of
>  service) when viewing such images.

CVE-2010-2249

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry. If possible, please provide packages for
stable (to be released via the security archive).
Thanks!

For further information see:
http://www.libpng.org/pub/png/libpng.html
https://bugzilla.redhat.com/CVE-2010-2249

Could you also please investigate the following and tell us what your plans 
are regarding it?
https://bugzilla.redhat.com/show_bug.cgi?id=608644#c10

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net


--- End Message ---
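The upstream announcement quoted in the report above says the extra row becomes an out-of-bounds write "depending on how the application is written". The following is an added example, not code from libpng, from the Debian package or from any message in this thread: a small constructed model of a progressive consumer in C, with a row callback that trusts the decoder's row number beside one that checks it against the header height. The decoder stand-in, the image_t structure, the callback names and the 4-row image with 8-byte rows are all assumptions of this example; a real libpng consumer would place the same check in the row callback it registers with png_set_progressive_read_fn.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a progressive PNG consumer (added example, not libpng
 * code). A progressive decoder hands the application one row at a time; the
 * application sizes its pixel buffer from the height in the header. The
 * announced bug is a decoder that delivers one row more than that height;
 * whether that becomes an out-of-bounds write depends on the row callback. */

typedef struct {
    uint32_t height;        /* rows declared by the image header */
    uint32_t rowbytes;      /* bytes per decoded row */
    uint8_t *mem;           /* height rows of pixels, then one row standing in
                               for whatever follows the buffer on the heap */
    uint32_t rows_written;
    uint32_t rows_rejected;
} image_t;

typedef int (*row_cb)(image_t *img, uint32_t row, const uint8_t *data);

/* Unchecked callback: trusts the decoder's row number, so a decoder that
 * delivers height + 1 rows makes it write one row past the buffer. */
static int row_cb_unchecked(image_t *img, uint32_t row, const uint8_t *data)
{
    memcpy(img->mem + (size_t)row * img->rowbytes, data, img->rowbytes);
    img->rows_written++;
    return 0;
}

/* Hardened callback: the row index is checked against the header height the
 * application recorded, so an extra row is refused instead of stored. */
static int row_cb_checked(image_t *img, uint32_t row, const uint8_t *data)
{
    if (row >= img->height) {
        img->rows_rejected++;
        return -1;          /* a real consumer would abort the decode here */
    }
    memcpy(img->mem + (size_t)row * img->rowbytes, data, img->rowbytes);
    img->rows_written++;
    return 0;
}

/* Stand-in for the buggy decoder: delivers `rows` rows regardless of the
 * header. Row content is constructed (the row number, repeated). */
static void buggy_decoder(image_t *img, uint32_t rows, row_cb cb)
{
    uint8_t row_data[64];
    for (uint32_t r = 0; r < rows; r++) {
        memset(row_data, (int)(0x10 + r), img->rowbytes);
        if (cb(img, r, row_data) != 0)
            return;         /* the callback refused the row: stop consuming */
    }
}

/* Runs one scenario: a 4-row image and a decoder that delivers 5 rows.
 * Returns 1 if the memory past the image was modified, 0 if it stayed intact,
 * -1 on allocation failure. Row counters are reported via the out-pointers. */
int run_scenario(int hardened, uint32_t *rows_written, uint32_t *rows_rejected)
{
    image_t img = { 4, 8, NULL, 0, 0 };
    size_t image_bytes = (size_t)img.height * img.rowbytes;
    /* One extra row is allocated on purpose so the unchecked write stays
     * defined behaviour in this demonstration; it is filled with a canary. */
    img.mem = calloc(image_bytes + img.rowbytes, 1);
    if (img.mem == NULL)
        return -1;
    memset(img.mem + image_bytes, 0xAA, img.rowbytes);

    buggy_decoder(&img, img.height + 1,
                  hardened ? row_cb_checked : row_cb_unchecked);

    int corrupted = 0;
    for (uint32_t i = 0; i < img.rowbytes; i++)
        if (img.mem[image_bytes + i] != 0xAA) corrupted = 1;

    if (rows_written)  *rows_written  = img.rows_written;
    if (rows_rejected) *rows_rejected = img.rows_rejected;
    free(img.mem);
    return corrupted;
}

/* Accessor for a scenario's row counters: rejected != 0 selects the count of
 * refused rows, otherwise the count of rows stored. */
int row_count(int hardened, int rejected)
{
    uint32_t w = 0, r = 0;
    run_scenario(hardened, &w, &r);
    return (int)(rejected ? r : w);
}

int main(void)
{
    printf("unchecked callback: rows written=%d, memory past image corrupted=%d\n",
           row_count(0, 0), run_scenario(0, NULL, NULL));
    printf("checked callback:   rows written=%d, rows rejected=%d, corrupted=%d\n",
           row_count(1, 0), row_count(1, 1), run_scenario(1, NULL, NULL));
    return 0;
}
```

Running the block prints both outcomes: the unchecked callback stores all five rows and overwrites the canary past the image, while the checked callback stores four, refuses the fifth and stops the decode. That application-side check is the mitigation available to a consumer of a not-yet-fixed libpng; it does not replace upgrading the library.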
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 26 Jun 2010 13:32:43 +1000
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source all amd64
Version: 1.2.44-1
Distribution: unstable
Urgency: low
Maintainer: Anibal Monsalve Salazar <[email protected]>
Changed-By: Anibal Monsalve Salazar <[email protected]>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Changes: 
 libpng (1.2.44-1) unstable; urgency=low
 .
   * New upstream release
     Stop memory leak when reading a malformed sCAL chunk
Checksums-Sha1: 
 b3c5769879185c9dd6120a7ef2e90d79c4fec5b0 1823 libpng_1.2.44-1.dsc
 07bd9d67c6e6076416a951451e1b05c2660e9d0d 657967 libpng_1.2.44.orig.tar.bz2
 a6599b2febfd219004e10398134d914be1a43366 15031 libpng_1.2.44-1.debian.tar.bz2
 7e70eab3d0434bdd3e5ebf09ea44c94006c3b6d9 874 libpng3_1.2.44-1_all.deb
 45889fb2b2f47404f33b428138c61886d1cc06fd 180278 libpng12-0_1.2.44-1_amd64.deb
 bd1cd181d479de5cdc1312ee229eb89f2aa25b4c 271442 libpng12-dev_1.2.44-1_amd64.deb
 19fee674d6547417d87d0f91cb9bd3ff16311c87 73540 libpng12-0-udeb_1.2.44-1_amd64.udeb
Checksums-Sha256: 
 7725417355e0ac981dc75335bc92fc029062cef290635099c43efce378a80170 1823 libpng_1.2.44-1.dsc
 b9ab20f1c2c3bf6c4448fd9bd8a4a8905b918114d5fada56c97bb758a17b7215 657967 libpng_1.2.44.orig.tar.bz2
 d02303d8bbf26374418dd82d41a9b90d2fd62e92384bbeef00409d32aec1cf12 15031 libpng_1.2.44-1.debian.tar.bz2
 8edf00871531d3c8b666f689387ced75b989588c0fe53a352eb7cca0315822a2 874 libpng3_1.2.44-1_all.deb
 be7846ce568dc5c56fc89bf795b0a7e6b803fed811bf4f8b728f44478c5d8906 180278 libpng12-0_1.2.44-1_amd64.deb
 47db6a111923a60bc3fc7d29a2358b02e4a6c717a9a7d7acb0aa3e7b22b9fa48 271442 libpng12-dev_1.2.44-1_amd64.deb
 4fe4d820caaf50fcec04eb1863bf0b69ea116f811a837184cfb321a8717fd862 73540 libpng12-0-udeb_1.2.44-1_amd64.udeb
Files: 
 0b18253ae318d989c7411c1eb43ee551 1823 libs optional libpng_1.2.44-1.dsc
 e3ac7879d62ad166a6f0c7441390d12b 657967 libs optional libpng_1.2.44.orig.tar.bz2
 94f75fa41b7398e61f691091b14fd9ed 15031 libs optional libpng_1.2.44-1.debian.tar.bz2
 232458475bf8ce321346a41a326131e0 874 oldlibs optional libpng3_1.2.44-1_all.deb
 51a65ffd4379a37bbc56b266087f845d 180278 libs optional libpng12-0_1.2.44-1_amd64.deb
 97ab2b8baeeef7138b5c9d1e40ed01de 271442 libdevel optional libpng12-dev_1.2.44-1_amd64.deb
 607baeafd67c2e26ed9f9590faef38b6 73540 debian-installer extra libpng12-0-udeb_1.2.44-1_amd64.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----


--- End Message ---
