U radu programskog paketa libpng otkrivena je sigurnosna ranjivost. Napadač može iskoristiti propust za rušenje aplikacije koja koristi navedeni paket ili pokretanje proizvoljnog programskog koda.
Propust, preljev spremnika na gomili, se javlja se pri obradi komprimiranih dijelova PNG datoteka.
Posljedica:
Zlonamjerni korisnik bi mogao, ukoliko podmetne posebno oblikovanu PNG slikovnu datoteku, pokrenuti proizvoljan programski kod s ovlastima korisnika koji je pokrenuo program ili izazvati stanje uskraćivanja usluge rušenjem aplikacije.
Rješenje:
Svim se korisnicima savjetuje nadogradnja na najnoviju inačicu.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:033
http://www.mandriva.com/security/
_______________________________________________________________________
Package : libpng
Date : March 21, 2012
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in libpng:
A heap-based buffer overflow flaw was found in the way libpng
processed compressed chunks in PNG image files. An attacker could
create a specially-crafted PNG image file that, when opened, could
cause an application using libpng to crash or, possibly, execute
arbitrary code with the privileges of the user running the application
(CVE-2011-3045).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3045
https://bugzilla.redhat.com/show_bug.cgi?id=799000
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
8ce1692699d6340c722609687b3c1d43
2010.1/i586/libpng3-1.2.43-1.4mdv2010.2.i586.rpm
efde5d68e7a3689383583673a41837b4
2010.1/i586/libpng-devel-1.2.43-1.4mdv2010.2.i586.rpm
3b49b9d4300101a2ad6d4dbe76ea3951
2010.1/i586/libpng-source-1.2.43-1.4mdv2010.2.i586.rpm
a3dc5c7022ca1efdcd50c7a1b30e098f
2010.1/i586/libpng-static-devel-1.2.43-1.4mdv2010.2.i586.rpm
22b3f3635669c5380e721b6040e1e793
2010.1/SRPMS/libpng-1.2.43-1.4mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
4dd51c05e94490929f61988410c5b639
2010.1/x86_64/lib64png3-1.2.43-1.4mdv2010.2.x86_64.rpm
f5724667312bb3c83c2525c32890490c
2010.1/x86_64/lib64png-devel-1.2.43-1.4mdv2010.2.x86_64.rpm
0dd3ec66bbc8205965d63bdafa794741
2010.1/x86_64/lib64png-static-devel-1.2.43-1.4mdv2010.2.x86_64.rpm
bc35032a8bc5b584b354ba35e8b2a177
2010.1/x86_64/libpng-source-1.2.43-1.4mdv2010.2.x86_64.rpm
22b3f3635669c5380e721b6040e1e793
2010.1/SRPMS/libpng-1.2.43-1.4mdv2010.2.src.rpm
Mandriva Linux 2011:
ff171bb221ac51862059bb56f17af8c1
2011/i586/libpng3-1.2.46-1.2-mdv2011.0.i586.rpm
eb5a2bb97aff9550a74688a4561ee318
2011/i586/libpng-devel-1.2.46-1.2-mdv2011.0.i586.rpm
941755ad12b007dab7228ff811215ae1
2011/i586/libpng-source-1.2.46-1.2-mdv2011.0.i586.rpm
8f66b00517da98d71c4415a103b964b2
2011/i586/libpng-static-devel-1.2.46-1.2-mdv2011.0.i586.rpm
4c1d2893ef6ebe27cd7b64344d40a1a1 2011/SRPMS/libpng-1.2.46-1.2.src.rpm
Mandriva Linux 2011/X86_64:
6216d1abe8dbb599584ba3cd4ad602bf
2011/x86_64/lib64png3-1.2.46-1.2-mdv2011.0.x86_64.rpm
22cddc6d3e4c24f5c1aae64161935dc1
2011/x86_64/lib64png-devel-1.2.46-1.2-mdv2011.0.x86_64.rpm
631967367a20801088b59460b19efe8b
2011/x86_64/lib64png-static-devel-1.2.46-1.2-mdv2011.0.x86_64.rpm
0d7fe6c6bebe813a817a20b0257a74cc
2011/x86_64/libpng-source-1.2.46-1.2-mdv2011.0.x86_64.rpm
4c1d2893ef6ebe27cd7b64344d40a1a1 2011/SRPMS/libpng-1.2.46-1.2.src.rpm
Mandriva Enterprise Server 5:
07faa832f20210363428303e08ef79a3
mes5/i586/libpng3-1.2.31-2.6mdvmes5.2.i586.rpm
3e6864bd079b3660a51ce0349f20b4d4
mes5/i586/libpng-devel-1.2.31-2.6mdvmes5.2.i586.rpm
a35695f0cf2a116934af8fe7b3f79136
mes5/i586/libpng-source-1.2.31-2.6mdvmes5.2.i586.rpm
c2c93688dee244bd34767e357a9f21c0
mes5/i586/libpng-static-devel-1.2.31-2.6mdvmes5.2.i586.rpm
91d76d5d157fe37b484346fd9cbe3193
mes5/SRPMS/libpng-1.2.31-2.6mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
05b845a052ed531a89be93bbf742a037
mes5/x86_64/lib64png3-1.2.31-2.6mdvmes5.2.x86_64.rpm
10c36ffcc0ea0f7aadf912be3c5e8edb
mes5/x86_64/lib64png-devel-1.2.31-2.6mdvmes5.2.x86_64.rpm
5fe9bc6baf91438cc6a0e14523b22545
mes5/x86_64/lib64png-static-devel-1.2.31-2.6mdvmes5.2.x86_64.rpm
f732953c75a16a6d30cc7da2908243ac
mes5/x86_64/libpng-source-1.2.31-2.6mdvmes5.2.x86_64.rpm
91d76d5d157fe37b484346fd9cbe3193
mes5/SRPMS/libpng-1.2.31-2.6mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFPaZUrmqjQ0CJFipgRAgjKAKCuGQdcC5nyUTAG9f7oaRRMb6MeEACgwf5X
Ur+HxINMhHNeDXbkT7YrVEU=
=RxHV
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke