[SECURITY] [DSA 498-1] New libpng packages fix denial of service
Date: Fri, 30 Apr 2004 12:31:34 +0200 (CEST)
From: (Martin Schulze) <[email protected]>
To: [email protected]
Subject: [SECURITY] [DSA 498-1] New libpng packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 498-1 [email protected]
http://www.debian.org/security/ Martin Schulze
April 30th, 2004 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : libpng, libpng3
Vulnerability : out of bound access
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-0421
Steve Grubb discovered a problem in the Portable Network Graphics
library libpng which is utilised in several applications. When
processing a broken PNG image, the error handling routine will access
memory that is out of bounds when creating an error message.
Depending on machine architecture, bounds checking and other
protective measures, this problem could cause the program to crash if
a defective or intentionally prepared PNG image file is handled by
libpng.
This could be used as a denial of service attack against various
programs that link against this library. The following commands will
show you which packages utilise this library and whose programs should
probably restarted after an upgrade:
apt-cache showpkg libpng2
apt-cache showpkg libpng3
The following security matrix explains which package versions will
contain a correction.
Package stable (woody) unstable (sid)
libpng 1.0.12-3.woody.5 1.0.15-5
libpng3 1.2.1-1.1.woody.5 1.2.5.0-6
We recommend that you upgrade your libpng and related packages.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12-3.woody.5.dsc
Size/MD5 checksum: 579 bb372469c10598bdab815584a793012e
http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12-3.woody.5.diff.gz
Size/MD5 checksum: 8544 eb859ba53f11527e17f9ee6f841dea51
http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12.orig.tar.gz
Size/MD5 checksum: 481387 3329b745968e41f6f9e55a4d04a4964c
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5.dsc
Size/MD5 checksum: 582 474b8919fcd3913c2c0e269a4341cacb
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5.diff.gz
Size/MD5 checksum: 8948 ec0d3a12f3fff3b54e0473832e8b4264
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1.orig.tar.gz
Size/MD5 checksum: 493105 75a21cbfae566158a0ac6d9f39087c4d
Alpha architecture:
http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.5_alpha.deb
Size/MD5 checksum: 129804 ba59e28e96642d247c49dec5b490df90
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.5_alpha.deb
Size/MD5 checksum: 270048 5a0c90a374ec854b5245db92c64e18c0
http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.5_alpha.deb
Size/MD5 checksum: 276140 2a1277e1e48c0b04c09d1d6907458bb6
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5_alpha.deb
Size/MD5 checksum: 133120 e5aae07a6504392c3af924f0516594a5
ARM architecture:
http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.5_arm.deb
Size/MD5 checksum: 108432 ccde2f056e0573decab54dc9b5863a03
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.5_arm.deb
Size/MD5 checksum: 241164 37f7b9a7e70f8ada93ef4144f3a7b112
http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.5_arm.deb
Size/MD5 checksum: 247362 9a03e85528176935ee656412d1d39f5c
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5_arm.deb
Size/MD5 checksum: 111638 61a50fb248af723cd7e7a8359531335f
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.5_i386.deb
Size/MD5 checksum: 106928 5ebba610b5ea04e708b4b859a421e94d
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.5_i386.deb
Size/MD5 checksum: 227334 4faf9b8916bbc2def04b0e15f4933c24
http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.5_i386.deb
Size/MD5 checksum: 233082 6a38ed52250de4c76eba02aef5fcb54d
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5_i386.deb
Size/MD5 checksum: 110082 4de92f1660f871372e1fad392ef03df0
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.5_ia64.deb
Size/MD5 checksum: 146464 29a93c7fb358885d31607e68b796d70d
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.5_ia64.deb
Size/MD5 checksum: 271462 c959b40f0e77635aaf9c24b8be1cf6bf
http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.5_ia64.deb
Size/MD5 checksum: 278608 1e09c2aaf8eeda61581891f6e3ffdaba
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5_ia64.deb
Size/MD5 checksum: 151148 ccbd7ac3077ea446070cde5d0717fee8
HP Precision architecture:
http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.5_hppa.deb
Size/MD5 checksum: 128434 415d56bb9afd5344b2bfadf70554119b
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.5_hppa.deb
Size/MD5 checksum: 262252 dc6c82d209413d8200a1828de709f040
http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.5_hppa.deb
Size/MD5 checksum: 269434 e20f5d2fdb4cadea4010c47e6b4ce680
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5_hppa.deb
Size/MD5 checksum: 132630 e8ddf5e195465930111de2edafe3a1cb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.5_m68k.deb
Size/MD5 checksum: 103546 912b49f931e2c46730747da0f9aaf3d4
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.5_m68k.deb
Size/MD5 checksum: 220492 3b0469efbda0028f53540c636ee3707a
http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.5_m68k.deb
Size/MD5 checksum: 226160 bef7a94af6aef0b3ef3379496e5e6f68
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5_m68k.deb
Size/MD5 checksum: 106560 1e5ba78b848a81e90a63b803e75be1de
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.5_mips.deb
Size/MD5 checksum: 108554 c1e1f090aa49be62d693892b9e6681a1
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.5_mips.deb
Size/MD5 checksum: 240312 e8e1fcacba1452118884dc3472405ff7
http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.5_mips.deb
Size/MD5 checksum: 246804 4f4cd388a577ff7e9d7b1ea646fdc820
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5_mips.deb
Size/MD5 checksum: 111908 cbff4d8f1bc4a8636bc2cdda221a8f4e
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.5_mipsel.deb
Size/MD5 checksum: 108436 8a0dcd7bd57c59353824b91fedcb3d1a
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.5_mipsel.deb
Size/MD5 checksum: 240178 204f4660f50b943e111a152a7c7a2c23
http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.5_mipsel.deb
Size/MD5 checksum: 246732 462742addee5f47e8488698bf30c365c
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5_mipsel.deb
Size/MD5 checksum: 111836 74db6d7fca696098b1470b93a9490895
PowerPC architecture:
http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.5_powerpc.deb
Size/MD5 checksum: 109962 a7fe7934ed97f30e8d7e86f21ffd5f46
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.5_powerpc.deb
Size/MD5 checksum: 234432 a087736296563bb163fe7167eb157b6e
http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.5_powerpc.deb
Size/MD5 checksum: 240508 7ef271695467ea719eb29fe880300b9d
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5_powerpc.deb
Size/MD5 checksum: 113010 4163eb938e5f3b898debc77b700a9174
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.5_s390.deb
Size/MD5 checksum: 110036 62680709ae57096ef5fe9a7c76da614d
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.5_s390.deb
Size/MD5 checksum: 229300 f0203f50d15d203ce70dce008e1f671d
http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.5_s390.deb
Size/MD5 checksum: 234926 a0c5bd8af72b5e8acdec0b4b8c286300
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5_s390.deb
Size/MD5 checksum: 113080 10c4fdf29f8cd673424341f7d53e4c4f
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.5_sparc.deb
Size/MD5 checksum: 109966 0b5f9a9e01934411c61ccbf5062a136c
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.5_sparc.deb
Size/MD5 checksum: 231840 2c2a9b0892a2188264bddf54487de82f
http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.5_sparc.deb
Size/MD5 checksum: 237652 913dd15af5d3fb1a5cdb88aeb3cb2715
http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.5_sparc.deb
Size/MD5 checksum: 113390 f55bf3b2794d8f3370fae6ef82362d88
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAkisGW5ql+IAeqTIRAqsaAJ9ovOyIpU9q9DEvXS/Ni/X9DPL6dQCeI1Y6
hFoO20hkBrRLym0DR1u/2yo=
=KGJN
-----END PGP SIGNATURE-----