[ Thanks to SOT Linux
Security Team for this link. ]
--------------------------------------------------------------------- SOT Linux Security Advisory Subject: Updated libpng package for SOT Linux 2002 Advisory ID: SLSA-2003:3 Date: Sunday, January 12, 2003 Product: SOT Linux 2002 --------------------------------------------------------------------- 1. Problem description Two vulnerabilities were discovered in libpng code: 1: Buffer overflow in the progressive reader for libpng 1.2.x before 1.2.4, and 1.0.x before 1.0.14, allows attackers to cause a denial of service (crash) via a PNG data stream that has more IDAT data than indicated by the IHDR chunk. 2: Buffer overflow in libpng and libpng3 may allow attackers to cause a denial of service and possibly execute arbitrary code. SOT Linux users are advised to update libpng package. 2. Updated packages SOT Linux 2002 Desktop: i386: ftp://ftp.sot.com/updates/2002/Desktop/i386/libpng-1.0.15-5.i386.rpm SRPMS: ftp://ftp.sot.com/updates/2002/Desktop/SRPMS/libpng-1.0.15-5.src.rpm SOT Linux 2002 Server: i386: ftp://ftp.sot.com/updates/2002/Server/i386/libpng-1.0.15-5.i386.rpm SRPMS: ftp://ftp.sot.com/updates/2002/Server/SRPMS/libpng-1.0.15-5.src.rpm 3. Upgrading package Before applying this update, make sure all previously released errata relevant to your system have been applied. Use up2date to automatically upgrade the fixed packages. If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux Update the package with the following command: rpm -Uvh <filename> 4. Verification All packages are PGP signed by SOT for security. You can verify each package with the following command: rpm --checksig <filename> If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below. Package Name MD5 sum --------------------------------------------------------------------- /Desktop/i386/libpng-1.0.15-5.i386.rpm 5ccf7fb5cfd3453812f3354cbac60cf4 /Desktop/SRPMS/libpng-1.0.15-5.src.rpm 26de21dcae337c100754e53c17fc77fe /Server/i386/libpng-1.0.15-5.i386.rpm 5ccf7fb5cfd3453812f3354cbac60cf4 /Server/SRPMS/libpng-1.0.15-5.src.rpm 26de21dcae337c100754e53c17fc77fe 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0728 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0660 http://www.libpng.org/pub/png/libpng.html Copyright(c) 2001, 2002 SOT