Hi, I've prepared an NMU to fix CVE-2008-5907 and CVE-2009-0040 in libpng.
Proposed debdiff in attachment. Cheers, Giuseppe.
diff -u libpng-1.2.27/debian/changelog libpng-1.2.27/debian/changelog
--- libpng-1.2.27/debian/changelog
+++ libpng-1.2.27/debian/changelog
@@ -1,3 +1,13 @@
+libpng (1.2.27-2lenny1) stable-security; urgency=high
+
+ * Non-maintainer upload.
+ * debian/patches/03-CVE-2008-5907.diff: update pngwutil.c to properly set
+ new_key to NULL string. (CVE-2008-5907) (Closes: #512665)
+ * debian/patches/04-CVE-2009-0040.diff: initialize pointers in pngread.c,
+ pngrtans.c, pngset.c and example.c (CVE-2009-0040) (Closes: #516256)
+
+ -- Giuseppe Iuculano <giuse...@iuculano.it> Sat, 14 Mar 2009 21:31:31 +0100
+
 libpng (1.2.27-2) unstable; urgency=medium
 
 * Fix CVE-2008-3964: off-by-one error in pngtest.c; closes: #501109
diff -u libpng-1.2.27/debian/patches/series libpng-1.2.27/debian/patches/series
--- libpng-1.2.27/debian/patches/series
+++ libpng-1.2.27/debian/patches/series
@@ -2,0 +3,2 @@
+03-CVE-2008-5907.diff
+04-CVE-2009-0040.diff
only in patch2:
unchanged:
--- libpng-1.2.27.orig/debian/patches/03-CVE-2008-5907.diff
+++ libpng-1.2.27/debian/patches/03-CVE-2008-5907.diff
@@ -0,0 +1,12 @@
+fix for CVE-2008-5907 #512665
+--- a/pngwutil.c
++++ b/pngwutil.c
+@@ -1324,7 +1324,7 @@ png_check_keyword(png_structp png_ptr, p
+ if (key_len > 79)
+ {
+ png_warning(png_ptr, "keyword length must be 1 - 79 characters");
+- new_key[79] = '\0';
++ (*new_key[79]) = '\0';
+ key_len = 79;
+ }
+
only in patch2:
unchanged:
--- libpng-1.2.27.orig/debian/patches/04-CVE-2009-0040.diff
+++ libpng-1.2.27/debian/patches/04-CVE-2009-0040.diff
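Review bot: The replacement line `(*new_key[79]) = '\0';` in the pngwutil.c hunk of 03-CVE-2008-5907.diff still indexes before it dereferences, because `[]` binds tighter than unary `*`; it takes the 80th pointer-sized slot after `new_key` as a pointer and writes one byte through it. The new line only compiles if `new_key` is a pointer to the keyword pointer (the signature is cut off in the hunk header), in which case truncating the copied keyword needs `(*new_key)[79] = '\0';`. As written, the out-of-bounds access is moved rather than removed, so the keyword is still not terminated at 79 characters and the patch should be corrected before upload. png_check_keyword starts and ends outside the hunk.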
@@ -0,0 +1,91 @@
+fix for CVE-2009-0040 #516256
+--- a/example.c
++++ b/example.c
+@@ -342,6 +342,10 @@ void read_png(FILE *fp, unsigned int sig
+ /* The easiest way to read the image: */
+ png_bytep row_pointers[height];
+
++ /* Clear the pointer array */
++ for (row = 0; row < height; row++)
++ row_pointers[row] = NULL;
++
+ for (row = 0; row < height; row++)
+ {
+ row_pointers[row] = png_malloc(png_ptr, png_get_rowbytes(png_ptr,
+--- a/pngread.c
++++ b/pngread.c
+@@ -1457,6 +1457,8 @@ png_read_png(png_structp png_ptr, png_in
+ #ifdef PNG_FREE_ME_SUPPORTED
+ info_ptr->free_me |= PNG_FREE_ROWS;
+ #endif
++ png_memset(info_ptr->row_pointers, 0, info_ptr->height
++ * png_sizeof(png_bytep));
+ for (row = 0; row < (int)info_ptr->height; row++)
+ {
+ info_ptr->row_pointers[row] = (png_bytep)png_malloc(png_ptr,
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -309,9 +309,7 @@ png_set_dither(png_structp png_ptr, png_
+
+ hash = (png_dsortpp)png_malloc(png_ptr, (png_uint_32)(769 *
+ png_sizeof (png_dsortp)));
+- for (i = 0; i < 769; i++)
+- hash[i] = NULL;
+-/* png_memset(hash, 0, 769 * png_sizeof (png_dsortp)); */
++ png_memset(hash, 0, 769 * png_sizeof(png_dsortp));
+
+ num_new_palette = num_palette;
+
+@@ -4124,6 +4122,8 @@ png_build_gamma_table(png_structp png_pt
+ png_ptr->gamma_16_table = (png_uint_16pp)png_malloc(png_ptr,
+ (png_uint_32)(num * png_sizeof (png_uint_16p)));
+
++ png_memset(png_ptr->gamma_16_table, 0, num * png_sizeof(png_uint_16p));
++
+ if (png_ptr->transformations & (PNG_16_TO_8 | PNG_BACKGROUND))
+ {
+ double fin, fout;
+@@ -4184,6 +4184,8 @@ png_build_gamma_table(png_structp png_pt
+ png_ptr->gamma_16_to_1 = (png_uint_16pp)png_malloc(png_ptr,
+ (png_uint_32)(num * png_sizeof (png_uint_16p )));
+
++ png_memset(png_ptr->gamma_16_to_1, 0, num * png_sizeof(png_uint_16p));
++
+ for (i = 0; i < num; i++)
+ {
+ png_ptr->gamma_16_to_1[i] = (png_uint_16p)png_malloc(png_ptr,
+@@ -4207,6 +4209,9 @@ png_build_gamma_table(png_structp png_pt
+ png_ptr->gamma_16_from_1 = (png_uint_16pp)png_malloc(png_ptr,
+ (png_uint_32)(num * png_sizeof (png_uint_16p)));
+
++ png_memset(png_ptr->gamma_16_from_1, 0,
++ num * png_sizeof(png_uint_16p));
++
+ for (i = 0; i < num; i++)
+ {
+ png_ptr->gamma_16_from_1[i] = (png_uint_16p)png_malloc(png_ptr,
+--- a/pngset.c
++++ b/pngset.c
+@@ -429,7 +429,11 @@ png_set_pCAL(png_structp png_ptr, png_in
+ return;
+ }
+
+- info_ptr->pcal_params[nparams] = NULL;
++#ifdef PNG_FREE_ME_SUPPORTED
++ info_ptr->free_me |= PNG_FREE_PCAL;
++#endif
++
++ png_memset(info_ptr->pcal_params, 0, (nparams + 1) * png_sizeof(png_charp));
+
+ for (i = 0; i < nparams; i++)
+ {
+@@ -445,9 +449,6 @@ png_set_pCAL(png_structp png_ptr, png_in
+ }
+
+ info_ptr->valid |= PNG_INFO_pCAL;
+-#ifdef PNG_FREE_ME_SUPPORTED
+- info_ptr->free_me |= PNG_FREE_PCAL;
+-#endif
+ }
+ #endif
+
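Review bot: The new `png_memset` calls in the pngread.c, pngrtran.c and pngset.c hunks of 04-CVE-2009-0040.diff carry no comment saying why the pointer tables are cleared, whereas the example.c hunk does (`/* Clear the pointer array */`). The apparent intent is that an allocation failure part-way through the fill loop leaves only null entries for the cleanup path to free. A one-line comment above each call, such as `/* clear the table so a failed allocation leaves no stale pointers for cleanup to free */`, would keep a later edit from dropping it. The same applies to moving `info_ptr->free_me |= PNG_FREE_PCAL;` ahead of the loop in png_set_pCAL, which is only safe together with the memset that follows it. Clearing with `png_memset` also assumes a null pointer is all-bits-zero, which the removed `hash[i] = NULL;` loop in png_set_dither did not; every function touched here begins and ends outside its hunk.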