Your message dated Sat, 17 Apr 2010 13:57:22 +0000
with message-id <e1o38wq-0003z3...@ries.debian.org>
and subject line Bug#533676: fixed in libpng 1.2.27-2+lenny3
has caused the Debian Bug report #533676,
regarding libpng: CVE-2009-2042 "out-of-bounds pixels" vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
533676: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=533676
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpng
Version: 1.2.15~beta5-1+etch2
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libpng.
CVE-2009-2042[0]:
| libpng before 1.2.37 does not properly parse 1-bit interlaced images
| with width values that are not divisible by 8, which causes libpng to
| include uninitialized bits in certain rows of a PNG file and might
| allow remote attackers to read portions of sensitive memory via
| "out-of-bounds pixels" in the file.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
This is already fixed in the version of unstable. Please coordinate
with the security team to prepare updates for the stable releases.
Thank you.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
http://security-tracker.debian.net/tracker/CVE-2009-2042
--- End Message ---
--- Begin Message ---
Source: libpng
Source-Version: 1.2.27-2+lenny3
We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:
libpng12-0-udeb_1.2.27-2+lenny3_i386.udeb
to main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny3_i386.udeb
libpng12-0_1.2.27-2+lenny3_i386.deb
to main/libp/libpng/libpng12-0_1.2.27-2+lenny3_i386.deb
libpng12-dev_1.2.27-2+lenny3_i386.deb
to main/libp/libpng/libpng12-dev_1.2.27-2+lenny3_i386.deb
libpng3_1.2.27-2+lenny3_all.deb
to main/libp/libpng/libpng3_1.2.27-2+lenny3_all.deb
libpng_1.2.27-2+lenny3.diff.gz
to main/libp/libpng/libpng_1.2.27-2+lenny3.diff.gz
libpng_1.2.27-2+lenny3.dsc
to main/libp/libpng/libpng_1.2.27-2+lenny3.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 533...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated libpng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 11 Apr 2010 11:40:33 +0200
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source i386 all
Version: 1.2.27-2+lenny3
Distribution: stable-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description:
libpng12-0 - PNG library - runtime
libpng12-0-udeb - PNG library - minimal runtime library (udeb)
libpng12-dev - PNG library - development
libpng3 - PNG library - runtime
Closes: 533676 572308
Changes:
libpng (1.2.27-2+lenny3) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed CVE-2009-2042: does not properly parse 1-bit interlaced images with
width values that are not divisible by 8, which causes libpng to include
uninitialized bits in certain rows of a PNG file and might allow remote
attackers to read portions of sensitive memory via "out-of-bounds pixels"
in the file (Closes: 533676)
* Fixed CVE-2010-0205: does not properly handle compressed ancillary-chunk
data that has a disproportionately large uncompressed representation, which
allows remote attackers to cause a denial of service (memory and CPU
consumption, and application hang) via a crafted PNG file (Closes:
#572308)
Checksums-Sha1:
ac10acd3f8efd69cc5fbbd7e55203ef0d5e5ae2e 1201 libpng_1.2.27-2+lenny3.dsc
38f09128f75ee5d6aa75862aa4c7421f9e78dbc1 19687 libpng_1.2.27-2+lenny3.diff.gz
cba40031775fa9e1f68dc6f7ec64d2c548b1dfd6 165560
libpng12-0_1.2.27-2+lenny3_i386.deb
2b2799afc21123254c1c4f8cc23a02f685db1dd8 246968
libpng12-dev_1.2.27-2+lenny3_i386.deb
777ae91ecbafa1373426c405131980b728dd41b8 880 libpng3_1.2.27-2+lenny3_all.deb
8ac89dbc40806220dce62850d97af7a5404a4fc1 70094
libpng12-0-udeb_1.2.27-2+lenny3_i386.udeb
Checksums-Sha256:
d6faba268d2e00c73632b5ad3df2da351dcf82966557e5f7e750a5287165b667 1201
libpng_1.2.27-2+lenny3.dsc
4a5a1ad1b9d98914fd7c10fc2a1cf146847acdf44e6e0477fc16d9fd05e3d333 19687
libpng_1.2.27-2+lenny3.diff.gz
832a13f92f0c62199fdf1584be739f0efe3c2365d4dd2f9e62b66ac8a33b48f0 165560
libpng12-0_1.2.27-2+lenny3_i386.deb
fb9e5141f31f0ea50eea9b21ec79065e78604f6a91b32288028ca1a0d07f3b2e 246968
libpng12-dev_1.2.27-2+lenny3_i386.deb
be470a354466cdedd245d4ca652ba94df4564b6f68ff32eef10c5a46d9cb5e93 880
libpng3_1.2.27-2+lenny3_all.deb
4a5430f9ed571b246bf2ebe96c36e1641147fd0909963a4bf494d5b3f49d5cd7 70094
libpng12-0-udeb_1.2.27-2+lenny3_i386.udeb
Files:
abe81b0d3c4aa7a1fa418e29f2c5b297 1201 libs optional libpng_1.2.27-2+lenny3.dsc
60ede1843ceb8a1f127c54b847a74dfa 19687 libs optional
libpng_1.2.27-2+lenny3.diff.gz
233945ee4b1e442357276431ce495a4c 165560 libs optional
libpng12-0_1.2.27-2+lenny3_i386.deb
083d472fd65f884c91dff5926e538342 246968 libdevel optional
libpng12-dev_1.2.27-2+lenny3_i386.deb
028b00e28aad8282714776c5dcca64a8 880 oldlibs optional
libpng3_1.2.27-2+lenny3_all.deb
769336f4574678e56931e1a1eaf6be6a 70094 debian-installer extra
libpng12-0-udeb_1.2.27-2+lenny3_i386.udeb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkvBnUUACgkQNxpp46476ao8qgCcCMk58l27EAR9VZ/MIKCHRceo
L3UAnRHFyBHdCWCUV6bBtFZZ7Kl1TaMg
=oDjc
-----END PGP SIGNATURE-----
--- End Message ---
