Two security flaws in the libpng library have been identified and fixed; they allow malicious attackers to launch denial-of-service attacks.
Package:
libpng 1.x
Operating systems:
Slackware Linux 8.1, Slackware Linux 9.0, Slackware Linux 9.1, Slackware Linux 10.0, Slackware Linux 10.1, Slackware Linux 10.2, Slackware Linux 11.0, Slackware Linux 12.0, Slackware Linux 12.1, Slackware Linux 12.2, Slackware Linux 13.0, Slackware Linux 13.1, Slackware Linux 13.37
Both security flaws result from inadequate validation of input files. One flaw relates to inadequate handling of a PNG file, the other to inadequate handling of a ZIP file and the input attributes associated with it.
Impact:
By successfully exploiting both flaws, a context-dependent remote attacker can launch a denial-of-service attack.
Solution:
The recommended fix is to use the latest version of the library.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] libpng (SSA:2011-210-01)
New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current
to fix security issues.
Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/libpng-1.4.8-i486-1_slack13.37.txz: Upgraded.
Fixed uninitialized memory read in png_format_buffer()
(Bug report by Frank Busse, related to CVE-2004-0421).
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/libpng-1.2.46-i386-1_slack8.1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/libpng-1.2.46-i386-1_slack9.0.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/libpng-1.2.46-i486-1_slack9.1.tgz
Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/libpng-1.2.46-i486-1_slack10.0.tgz
Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/libpng-1.2.46-i486-1_slack10.1.tgz
Updated package for Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/libpng-1.2.46-i486-1_slack10.2.tgz
Updated package for Slackware 11.0:
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/libpng-1.2.46-i486-1_slack11.0.tgz
Updated package for Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/libpng-1.2.46-i486-1_slack12.0.tgz
Updated package for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/libpng-1.2.46-i486-1_slack12.1.tgz
Updated package for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/libpng-1.2.46-i486-1_slack12.2.tgz
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/libpng-1.2.46-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/libpng-1.2.46-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/libpng-1.4.8-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/libpng-1.4.8-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/libpng-1.4.8-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/libpng-1.4.8-x86_64-1_slack13.37.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libpng-1.4.8-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libpng-1.4.8-x86_64-1.txz
MD5 signatures:
+-------------+
Installation instructions:
+------------------------+
Upgrade the packages as root:
# upgradepkg libpng-1.4.8-i486-1_slack13.37.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to [address hidden by the site's spam protection] with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk4zP5QACgkQakRjwEAQIjPfegCbBnFw1QdOai4sesIY28bPFLYb
H7QAn3NXN3LynFA2nYNYy1mqFO01spcD
=tOZ9
-----END PGP SIGNATURE-----
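To confirm that a host has actually received the upgrade, the installed libpng package can be compared with the versions shipped in the advisory above. The script below is an added example, not part of the Slackware advisory; it assumes the package database lives in /var/log/packages (as on the listed releases) and treats 1.2.46 and 1.4.8 as the minimum patched versions of their branches. The function names are illustrative.

```shell
#!/bin/sh
# Fixed versions per branch, taken from the advisory's package list.
# Assumption: anything older on the same branch still needs the upgrade.
FIXED_12="1.2.46"
FIXED_14="1.4.8"

# pkg_version NAME-VERSION-ARCH-BUILD[.tgz|.txz] -> VERSION
pkg_version() {
    p=${1%.t?z}    # drop archive extension, if any
    p=${p%-*}      # drop build field (e.g. 1_slack13.37)
    p=${p%-*}      # drop arch field (e.g. i486, x86_64)
    printf '%s\n' "${p##*-}"
}

# ver_ge A B: succeed when dotted version A >= B (numeric, three fields).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# libpng_status PKGNAME: print patched / outdated / unknown for one package.
libpng_status() {
    v=$(pkg_version "$1")
    case $v in
        1.2.*) fixed=$FIXED_12 ;;
        1.4.*) fixed=$FIXED_14 ;;
        *) echo "unknown $v"; return 0 ;;
    esac
    if ver_ge "$v" "$fixed"; then
        echo "patched $v"
    else
        echo "outdated $v (need $fixed)"
    fi
}

# scan_installed [DIR]: check every libpng entry in the package database.
scan_installed() {
    dir=${1:-/var/log/packages}
    for f in "$dir"/libpng-[0-9]*; do
        [ -e "$f" ] || continue
        libpng_status "${f##*/}"
    done
}

scan_installed
```

Any line reporting "outdated" identifies a host that still needs the upgradepkg step from the installation instructions.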