Package: libpng
Severity: grave
Version: 1.2.8rel-7
Tags: security

At http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334
it reads:

  Name: CVE-2006-3334 (under review)
  Status: Candidate
  Description: Buffer overflow in the png_decompress_chunk
  function in pngrutil.c in libpng before 1.2.12 allows
  context-dependent attackers to cause a denial of service
  and possibly execute arbitrary code via unspecified vectors
  related to "chunk error processing," possibly involving the
  "chunk_name".

At http://www.libpng.org/pub/png/libpng.html it reads:

  Versions up through 1.2.11 and 1.0.19 have a buffer-overrun
  vulnerability when a particular error message is triggered.
  The overrun is always by exactly two bytes ('k' and NULL)
  so it seems highly unlikely that it could be used for
  anything more nefarious than denial of service (e.g.,
  crashing your browser when you visit a site displaying a
  specially crafted PNG). Nevertheless, it's worth fixing,
  and versions libpng 1.2.12 and libpng 1.0.20, released 27
  June 2006, do just that. (Note that 1.2.11 and 1.0.19
  erroneously claimed to include the fix, but in fact it had
  been inadvertently omitted.)

  The same releases (and their immediate predecessors) also
  fix an out-of-bounds (by one) memory read and a second
  buffer overrun, this one in the code that writes the sCAL
  chunk (which is rather rare in any case).

Aníbal Monsalve Salazar
--
http://v7w.com/anibal
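
The two-byte overrun described in the libpng.org note, as an added example that is not libpng's code and not part of the original report. The message template, the 50-byte buffer size and the function names are assumptions, constructed so that a 4-character chunk name needs 52 bytes ('k' and the terminating NUL fall outside the buffer).

```c
#include <stdio.h>
#include <string.h>

/* Constructed for illustration (not taken from pngrutil.c): with a
 * 4-character chunk name this template is 51 characters + NUL = 52 bytes. */
#define MSG_FMT  "Buffer error in compressed datastream in %.4s chunk"
#define UMSG_CAP 50   /* assumed size of the fixed error-message buffer */

/* Number of bytes an unbounded sprintf() would write past a cap-byte
 * buffer; 0 if the message including its NUL fits. */
size_t overrun_bytes(size_t cap, const char *chunk_name)
{
    int need = snprintf(NULL, 0, MSG_FMT, chunk_name); /* length without NUL */
    if (need < 0)
        return 0;
    size_t total = (size_t)need + 1;                   /* add the NUL */
    return total > cap ? total - cap : 0;
}

/* Bounded formatter: writes at most cap bytes and always NUL-terminates.
 * Returns 1 if the message was truncated, 0 if it fit, -1 on error.
 * "%.4s" also caps the chunk name itself at four characters. */
int format_chunk_error(char *dst, size_t cap, const char *chunk_name)
{
    if (dst == NULL || cap == 0)
        return -1;
    int need = snprintf(dst, cap, MSG_FMT, chunk_name);
    if (need < 0) {
        dst[0] = '\0';
        return -1;
    }
    return (size_t)need >= cap;
}

int main(void)
{
    char umsg[UMSG_CAP];
    printf("unbounded write would overrun by %zu bytes\n",
           overrun_bytes(sizeof umsg, "zTXt"));
    int truncated = format_chunk_error(umsg, sizeof umsg, "zTXt");
    printf("truncated=%d msg=\"%s\"\n", truncated, umsg);
    return 0;
}
```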
