Debian Bug report logs - #632786
CVE-2011-2501 libpng: regression of CVE-2004-0421 in 1.2.23+

Package: libpng; Maintainer for libpng is Anibal Monsalve Salazar <anibal@debian.org>

Reported by: Aníbal Monsalve Salazar <anibal@debian.org>

Date: Tue, 5 Jul 2011 23:03:02 UTC

Severity: critical

Tags: patch, security

Found in versions 1.2.44-2, 1.5.2-1, 1.2.44-1, 1.2.27-2+lenny4

Fixed in versions libpng/1.2.44-3, libpng/1.5.2-2, libpng/1.2.44-1+squeeze1

Done: Nobuhiro Iwamatsu <iwamatsu@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#632786; Package libpng. (Tue, 05 Jul 2011 23:03:05 GMT)

Acknowledgement sent to Aníbal Monsalve Salazar <anibal@debian.org>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Tue, 05 Jul 2011 23:03:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Aníbal Monsalve Salazar <anibal@debian.org>
To: submit <submit@bugs.debian.org>
Subject: CVE-2011-2501 libpng: regression of CVE-2004-0421 in 1.2.23+
Date: Tue, 5 Jul 2011 23:00:06 +0000
Package: libpng
Tags: security patch
Severity: critical


https://bugzilla.redhat.com/show_bug.cgi?id=717084


Vincent Danen      2011-06-27 18:34:45 EDT

It was reported [1] that the fix for CVE-2004-0421 in libpng was
inadvertently reverted during the 1.2.23 development cycle.  The
original flaw could be used to cause a denial of service via a
carefully-crafted PNG image.

This would affect all versions of libpng >=1.2.23, including 1.4.x and
1.5.x.

[1] http://sourceforge.net/mailarchive/forum.php?thread_name=BANLkTikrnU6FJNQYFvwmt78hwpgKPVRd1Q%40mail.gmail.com&forum_name=png-mng-implement


Vincent Danen      2011-06-27 18:43:19 EDT

Upstream fix is here:

http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af


Huzaifa S. Sidhpurwala      2011-06-28 23:44:56 EDT

This has been assigned CVE-2011-2501:
http://www.openwall.com/lists/oss-security/2011/06/28/16




Bug Marked as found in versions 1.2.27-2+lenny4. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 05 Jul 2011 23:15:02 GMT)

Bug Marked as found in versions 1.2.44-1. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 05 Jul 2011 23:15:03 GMT)

Bug Marked as found in versions 1.2.44-2. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 05 Jul 2011 23:15:04 GMT)

Bug Marked as found in versions 1.5.2-1. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 05 Jul 2011 23:15:04 GMT)

Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. (Wed, 06 Jul 2011 00:21:07 GMT)

Notification sent to Aníbal Monsalve Salazar <anibal@debian.org>:
Bug acknowledged by developer. (Wed, 06 Jul 2011 00:21:07 GMT)

Message #18 received at 632786-close@bugs.debian.org:

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 632786-close@bugs.debian.org
Subject: Bug#632786: fixed in libpng 1.2.44-3
Date: Wed, 06 Jul 2011 00:18:31 +0000
Source: libpng
Source-Version: 1.2.44-3

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.44-3_amd64.udeb
  to main/libp/libpng/libpng12-0-udeb_1.2.44-3_amd64.udeb
libpng12-0_1.2.44-3_amd64.deb
  to main/libp/libpng/libpng12-0_1.2.44-3_amd64.deb
libpng12-dev_1.2.44-3_amd64.deb
  to main/libp/libpng/libpng12-dev_1.2.44-3_amd64.deb
libpng3_1.2.44-3_all.deb
  to main/libp/libpng/libpng3_1.2.44-3_all.deb
libpng_1.2.44-3.debian.tar.bz2
  to main/libp/libpng/libpng_1.2.44-3.debian.tar.bz2
libpng_1.2.44-3.dsc
  to main/libp/libpng/libpng_1.2.44-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 632786@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 06 Jul 2011 10:04:32 +1000
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source all amd64
Version: 1.2.44-3
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Closes: 632786
Changes: 
 libpng (1.2.44-3) unstable; urgency=high
 .
   * Fixed 1-byte uninitialized memory reference in png_format_buffer()
     Fix CVE-2011-2501
     Add debian/patches/02-632786-CVE-2011-2501.patch
     Closes: 632786
   * Standards version is 3.9.2
   * Fix xc-package-type-in-debian-control
   * Fix debian-rules-missing-recommended-target

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----





Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. (Wed, 06 Jul 2011 02:51:03 GMT)

Notification sent to Aníbal Monsalve Salazar <anibal@debian.org>:
Bug acknowledged by developer. (Wed, 06 Jul 2011 02:51:04 GMT)

Message #23 received at 632786-close@bugs.debian.org:

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 632786-close@bugs.debian.org
Subject: Bug#632786: fixed in libpng 1.5.2-2
Date: Wed, 06 Jul 2011 02:47:59 +0000
Source: libpng
Source-Version: 1.5.2-2

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:

libpng15-15-udeb_1.5.2-2_amd64.udeb
  to main/libp/libpng/libpng15-15-udeb_1.5.2-2_amd64.udeb
libpng15-15_1.5.2-2_amd64.deb
  to main/libp/libpng/libpng15-15_1.5.2-2_amd64.deb
libpng15-dev_1.5.2-2_amd64.deb
  to main/libp/libpng/libpng15-dev_1.5.2-2_amd64.deb
libpng_1.5.2-2.debian.tar.bz2
  to main/libp/libpng/libpng_1.5.2-2.debian.tar.bz2
libpng_1.5.2-2.dsc
  to main/libp/libpng/libpng_1.5.2-2.dsc
libpng_1.5.2.orig.tar.bz2
  to main/libp/libpng/libpng_1.5.2.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 632786@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 06 Jul 2011 11:27:05 +1000
Source: libpng
Binary: libpng15-15 libpng15-dev libpng15-15-udeb
Architecture: source amd64
Version: 1.5.2-2
Distribution: experimental
Urgency: low
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 libpng15-15 - PNG library - runtime
 libpng15-15-udeb - PNG library - minimal runtime library (udeb)
 libpng15-dev - PNG library - development
Closes: 632786
Changes: 
 libpng (1.5.2-2) experimental; urgency=low
 .
   * Fix 1-byte uninitialized memory reference in png_format_buffer()
     Fix CVE-2011-2501
     Add debian/patches/02-632786-CVE-2011-2501.patch
     Closes: 632786
   * Pass "-Zbzip2 -z9" to dpkg-deb
   * Fix xc-package-type-in-debian-control
   * Fix debian-rules-missing-recommended-target

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#632786; Package libpng. (Wed, 06 Jul 2011 14:21:04 GMT)

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 06 Jul 2011 14:21:04 GMT)

Message #28 received at 632786@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: Aníbal Monsalve Salazar <anibal@debian.org>, 632786@bugs.debian.org
Subject: Re: (PRSC) Bug#632786: CVE-2011-2501 libpng: regression of CVE-2004-0421
Date: Wed, 6 Jul 2011 15:19:05 +0100
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

lenny (5.0.9)
squeeze (6.0.2)

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help or lack time. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Reply sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>:
You have taken responsibility. (Fri, 29 Jul 2011 08:12:10 GMT)

Notification sent to Aníbal Monsalve Salazar <anibal@debian.org>:
Bug acknowledged by developer. (Fri, 29 Jul 2011 08:12:10 GMT)

Message #33 received at 632786-close@bugs.debian.org:

From: Nobuhiro Iwamatsu <iwamatsu@debian.org>
To: 632786-close@bugs.debian.org
Subject: Bug#632786: fixed in libpng 1.2.44-1+squeeze1
Date: Fri, 29 Jul 2011 08:09:35 +0000
Source: libpng
Source-Version: 1.2.44-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.44-1+squeeze1_amd64.udeb
  to main/libp/libpng/libpng12-0-udeb_1.2.44-1+squeeze1_amd64.udeb
libpng12-0_1.2.44-1+squeeze1_amd64.deb
  to main/libp/libpng/libpng12-0_1.2.44-1+squeeze1_amd64.deb
libpng12-dev_1.2.44-1+squeeze1_amd64.deb
  to main/libp/libpng/libpng12-dev_1.2.44-1+squeeze1_amd64.deb
libpng3_1.2.44-1+squeeze1_all.deb
  to main/libp/libpng/libpng3_1.2.44-1+squeeze1_all.deb
libpng_1.2.44-1+squeeze1.debian.tar.bz2
  to main/libp/libpng/libpng_1.2.44-1+squeeze1.debian.tar.bz2
libpng_1.2.44-1+squeeze1.dsc
  to main/libp/libpng/libpng_1.2.44-1+squeeze1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 632786@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <iwamatsu@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 15 Jul 2011 13:06:17 +0900
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source all amd64
Version: 1.2.44-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Closes: 632786 633871
Changes: 
 libpng (1.2.44-1+squeeze1) stable-security; urgency=high
 .
   * Apply upstream patch to 1-byte uninitialized memory reference in
     png_format_buffer(). (Closes: #632786, CVE-2011-2501)
   * Apply upstream patch to buffer overwrite in png_rgb_to_gray.
     (Closes: #633871, CVE-2011-2690)
   * Apply upstream patch to crash in png_default_error due to use of
     NULL Pointer. (Closes: #633871, CVE-2011-2691)
   * Apply upstream patch to memory corruption when handling empty sCAL chunks.
     (Closes: #633871, CVE-2011-2692)
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Oct 2011 07:37:24 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 00:39:00 2014; Machine Name: buxtehude.debian.org
