Date: Tue, 12 Nov 2002 13:45:18 -0800
From: [email protected]
To: [email protected], [email protected],
Subject: Security Update: [CSSA-2002-042.0] Linux: libpng progressive image loading vulnerabilities and other buffer overflows
--bg08WKrSYDhXBjb5
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
To: [email protected][email protected][email protected][email protected]
______________________________________________________________________________
SCO Security Advisory
Subject: Linux: libpng progressive image loading vulnerabilities and other buffer overflows
Advisory number: CSSA-2002-042.0
Issue date: 2002 November 12
Cross reference:
______________________________________________________________________________
1. Problem Description
There are two buffer overflow vulnerabilities in the libpng code:
one of which can allow attackers to cause a denial of service,
and the other that can cause a denial of service with the
possibility of executing arbitrary code.
2. Vulnerable Supported Versions
System Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server prior to libpng-1.0.15-5MR.i386.rpm
prior to libpng-devel-1.0.15-5MR.i386.rpm
prior to libpng-devel-static-1.0.15-5MR.i386.rpm
OpenLinux 3.1.1 Workstation prior to libpng-1.0.15-5MR.i386.rpm
prior to libpng-devel-1.0.15-5MR.i386.rpm
prior to libpng-devel-static-1.0.15-5MR.i386.rpm
OpenLinux 3.1 Server prior to libpng-1.0.15-5MR.i386.rpm
prior to libpng-devel-1.0.15-5MR.i386.rpm
prior to libpng-devel-static-1.0.15-5MR.i386.rpm
OpenLinux 3.1 Workstation prior to libpng-1.0.15-5MR.i386.rpm
prior to libpng-devel-1.0.15-5MR.i386.rpm
prior to libpng-devel-static-1.0.15-5MR.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-042.0/RPMS
4.2 Packages
93221732f6fcd8d2a06082d68ce460e2 libpng-1.0.15-5MR.i386.rpm
98fb336313cdd6e4b5e0d2e80f0e6de5 libpng-devel-1.0.15-5MR.i386.rpm
c474133b01b1f7f39d65fd017635e109 libpng-devel-static-1.0.15-5MR.i386.rpm
4.3 Installation
rpm -Fvh libpng-1.0.15-5MR.i386.rpm
rpm -Fvh libpng-devel-1.0.15-5MR.i386.rpm
rpm -Fvh libpng-devel-static-1.0.15-5MR.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-042.0/SRPMS
4.5 Source Packages
512eda0dec68d56065b515ecd540f585 libpng-1.0.15-5MR.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-042.0/RPMS
5.2 Packages
f92a046d343a7f174b4912e3be8e6e5b libpng-1.0.15-5MR.i386.rpm
0106b36eb2d7d6469f04e43b2752ebfa libpng-devel-1.0.15-5MR.i386.rpm
b036341f4c3db77dd44c071aa863781c libpng-devel-static-1.0.15-5MR.i386.rpm
5.3 Installation
rpm -Fvh libpng-1.0.15-5MR.i386.rpm
rpm -Fvh libpng-devel-1.0.15-5MR.i386.rpm
rpm -Fvh libpng-devel-static-1.0.15-5MR.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-042.0/SRPMS
5.5 Source Packages
95fa381705ae3d28b971d3f96592ec73 libpng-1.0.15-5MR.src.rpm
6. OpenLinux 3.1 Server
6.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-042.0/RPMS
6.2 Packages
112edf2530cc5df8a1c54f18a26b5b41 libpng-1.0.15-5MR.i386.rpm
8fe1bf881e31e38c34100569b52a5213 libpng-devel-1.0.15-5MR.i386.rpm
411476fc864656d877b43d695f7cc789 libpng-devel-static-1.0.15-5MR.i386.rpm
6.3 Installation
rpm -Fvh libpng-1.0.15-5MR.i386.rpm
rpm -Fvh libpng-devel-1.0.15-5MR.i386.rpm
rpm -Fvh libpng-devel-static-1.0.15-5MR.i386.rpm
6.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-042.0/SRPMS
6.5 Source Packages
d8fb9343ec9a91e36fbd0375e478a5a2 libpng-1.0.15-5MR.src.rpm
7. OpenLinux 3.1 Workstation
7.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-042.0/RPMS
7.2 Packages
450c615089d6ee0af856574111dfb074 libpng-1.0.15-5MR.i386.rpm
e160fd394b9a116fa68e7cdffd8d6dec libpng-devel-1.0.15-5MR.i386.rpm
28543b8410403f28a1dc8949cf82eb2f libpng-devel-static-1.0.15-5MR.i386.rpm
7.3 Installation
rpm -Fvh libpng-1.0.15-5MR.i386.rpm
rpm -Fvh libpng-devel-1.0.15-5MR.i386.rpm
rpm -Fvh libpng-devel-static-1.0.15-5MR.i386.rpm
7.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-042.0/SRPMS
7.5 Source Packages
29579bd08c919cd5de11acbc11026e21 libpng-1.0.15-5MR.src.rpm
8. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0728http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0660ftp://swrinde.nde.swri.edu/pub/png-group/archives/png-list.200207
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr867868, fz525853,
erg712105.
9. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
______________________________________________________________________________
--bg08WKrSYDhXBjb5
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj3Rdm4ACgkQbluZssSXDTE8PgCg3jNpNrngH3IsaoCE0JypBzzU
Z7sAoJlN4LR/28iX0cwU9v3uko2DBlZd
=YPhK
-----END PGP SIGNATURE-----
--bg08WKrSYDhXBjb5--