https://bugzilla.redhat.com/show_bug.cgi?id=504782
Tomas Hoger <thoger(a)redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
    External Bug ID|                            |Gentoo 272970
--- Comment #1 from Tomas Hoger <thoger(a)redhat.com> 2009-06-09 08:43:02 EDT ---
Upstream page - http://www.libpng.org/pub/png/libpng.html - contains a rather
confusing vulnerability warning:
Vulnerability Warning
Jeff Phillips reported that several versions of libpng through 1.2.35
contain an uninitialized-memory-read bug that may have security
implications. Specifically, 1-bit (2-color) interlaced images whose
widths are not divisible by 8 may result in several uninitialized bits
at the end of certain rows in certain interlace passes being returned
to the user. An application that failed to mask these out-of-bounds
pixels might display or process them, albeit presumably with benign
results in most cases. This bug may be fixed in version 1.2.36,
released 7 May 2009, but the correct fix is in version 1.2.37,
released 4 June 2009.
Going through 1.2.35 -> 1.2.36 and 1.2.36 -> 1.2.37 diffs, this probably refers
to the following changes:
Changes in 1.2.36:
+version 1.2.36beta02 [March 21, 2009]
+ Use png_memset() after png_malloc() of big_row_buf when reading an
+ interlaced file, to avoid a possible UMR.
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng;a=commitdiff;h=...
Changes in 1.2.37:
+version 1.2.37beta01 [May 12, 2009]
+ Fixed inconsistency in pngrutil.c, introduced in libpng-1.2.36. The
+ memset() was using "png_ptr->rowbytes" instead of
"row_bytes", which
+ the corresponding png_malloc() uses (Joe Drew).
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng;a=commitdiff;h=...
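
The size mismatch and the caller-side masking described above, as an added example that is not libpng code and not part of the original bug comment. All function names, the buffer sizes and the POISON fill byte are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xAA /* constructed stand-in for leftover heap contents */

/* Bytes needed for a row of `width` pixels at `bit_depth` bits per pixel. */
size_t row_bytes_for(uint32_t width, unsigned bit_depth) {
    return ((size_t)width * bit_depth + 7) / 8;
}

/* Count bytes still holding stale data when a buffer of alloc_bytes is
 * cleared with a different length (clear_bytes), as in the mismatch above. */
size_t stale_bytes_after_clear(size_t alloc_bytes, size_t clear_bytes) {
    size_t stale = 0;
    uint8_t *buf = malloc(alloc_bytes);
    if (buf == NULL || clear_bytes > alloc_bytes) {
        free(buf);
        return (size_t)-1;
    }
    memset(buf, POISON, alloc_bytes); /* simulate uninitialized memory */
    memset(buf, 0, clear_bytes);      /* the clear under test */
    for (size_t i = 0; i < alloc_bytes; i++)
        stale += (buf[i] == POISON);
    free(buf);
    return stale;
}

/* Caller-side defence: zero the padding bits after the last pixel of a
 * 1-bit row. PNG packs the leftmost pixel into the high-order bit. */
void mask_row_padding(uint8_t *row, uint32_t width) {
    unsigned used = width & 7; /* pixels in the final, partial byte */
    if (width == 0 || used == 0)
        return; /* width divisible by 8: no padding bits */
    row[row_bytes_for(width, 1) - 1] &= (uint8_t)(0xFF << (8 - used));
}

int main(void) {
    uint8_t row[2] = { POISON, POISON }; /* 13-pixel 1-bit row, stale */
    printf("stale, mismatched clear: %zu\n", stale_bytes_after_clear(16, 10));
    printf("stale, matching clear:   %zu\n", stale_bytes_after_clear(16, 16));
    mask_row_padding(row, 13);
    printf("last byte after mask:    0x%02X\n", row[1]);
    return 0;
}
```

Clearing with the same length variable that was passed to the allocator leaves no stale bytes; the mask only covers a caller that receives rows from an unfixed library.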