[security-announce] libpng: Security update

Sona Sarmadi sona.sarmadi at enea.com
Tue Feb 24 15:20:10 CET 2015


		Enea Linux Security Advisory

=========================================================
Product/package: libpng-1.6.8
Severity: Important
Issue date: 2015-02-24
CVE Names: CVE-2015-0973 (duplicate of CVE-2014-9495)
Layer: meta
=========================================================

A security patch is now available that fixes a heap-based overflow
vulnerability in the png_combine_row() function of the libpng library,
which occurs when very large interlaced images are used. It can be
downloaded from http://linux.enea.com/4.0/patches:

README file: 0045-libpng16-CVE-2015-0973.patch
Patch file: 0045-libpng16-CVE-2015-0973.patch

Description
===========
Buffer overflow in the png_read_IDAT_data function in pngrutil.c in
libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent
attackers to execute arbitrary code via IDAT data with a large width.

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0973
http://seclists.org/oss-sec/2014/q4/1133

How to apply the patches
========================
- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

- Fetch and apply the new patch
wget http://linux.enea.com/4.0/patches/0045-libpng16-CVE-2015-0973.patch
patch -p1 < ./0045-libpng16-CVE-2015-0973.patch

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
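
On hosts that cannot take the patch immediately, untrusted PNG files can be screened before they reach libpng. The following is an added example, not part of the Enea advisory or of libpng: it reads only the IHDR chunk and quarantines interlaced images wider than a site-chosen limit. The function names and the MAX_INTERLACED_WIDTH value are assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
VALID_COLOUR_TYPES = {0, 2, 3, 4, 6}   # colour types defined by the PNG format
# Assumption: a site-chosen ceiling, not a value taken from the advisory.
MAX_INTERLACED_WIDTH = 1_000_000


def read_ihdr(data):
    """Parse and validate the IHDR chunk of PNG bytes; raise ValueError if bad."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    if len(data) < 33:
        raise ValueError("truncated IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, colour, _comp, _filt, interlace = struct.unpack(
        ">IIBBBBB", body)
    # PNG dimensions must be non-zero and fit in 31 bits.
    if not (0 < width <= 0x7FFFFFFF and 0 < height <= 0x7FFFFFFF):
        raise ValueError("invalid dimensions")
    if colour not in VALID_COLOUR_TYPES or interlace not in (0, 1):
        raise ValueError("invalid colour type or interlace method")
    return {"width": width, "height": height, "bit_depth": depth,
            "colour_type": colour, "interlace": interlace}


def triage(data, max_width=MAX_INTERLACED_WIDTH):
    """Return 'ok', 'quarantine' or 'reject' without decoding any image data."""
    try:
        hdr = read_ihdr(data)
    except ValueError:
        return "reject"
    # interlace == 1 is Adam7, the interlaced case the advisory refers to.
    if hdr["interlace"] == 1 and hdr["width"] > max_width:
        return "quarantine"
    return "ok"


def make_header(width, height, interlace):
    """Constructed sample: PNG signature plus an 8-bit RGBA IHDR chunk only."""
    body = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, interlace)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + body))
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + body + crc
```
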
