Debian Bug report logs - #660026
CVE-2011-3026

version graph

Package: libpng; Maintainer for libpng is Anibal Monsalve Salazar <anibal@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 15 Feb 2012 20:51:05 UTC

Severity: grave

Tags: security

Fixed in versions libpng/1.2.46-5, libpng/1.5.8-1

Done: Anibal Monsalve Salazar <anibal@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#660026; Package libpng. (Wed, 15 Feb 2012 20:51:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 15 Feb 2012 20:51:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-3026
Date: Wed, 15 Feb 2012 21:49:07 +0100
Package: libpng
Severity: grave
Tags: security

This is CVE-2011-3026:
http://src.chromium.org/viewvc/chrome/branches/963/src/third_party/libpng/pngrutil.c?r1=121492&r2=121491&pathrev=121492

Please upload to unstable. I took care of a DSA.

Cheers,
        Moritz




Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. (Wed, 15 Feb 2012 21:51:16 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 15 Feb 2012 21:51:16 GMT) Full text and rfc822 format available.

Message #10 received at 660026-close@bugs.debian.org (full text, mbox):

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 660026-close@bugs.debian.org
Subject: Bug#660026: fixed in libpng 1.2.46-5
Date: Wed, 15 Feb 2012 21:47:52 +0000
Source: libpng
Source-Version: 1.2.46-5

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.46-5_mipsel.udeb
  to main/libp/libpng/libpng12-0-udeb_1.2.46-5_mipsel.udeb
libpng12-0_1.2.46-5_mipsel.deb
  to main/libp/libpng/libpng12-0_1.2.46-5_mipsel.deb
libpng12-dev_1.2.46-5_mipsel.deb
  to main/libp/libpng/libpng12-dev_1.2.46-5_mipsel.deb
libpng3_1.2.46-5_mipsel.deb
  to main/libp/libpng/libpng3_1.2.46-5_mipsel.deb
libpng_1.2.46-5.debian.tar.bz2
  to main/libp/libpng/libpng_1.2.46-5.debian.tar.bz2
libpng_1.2.46-5.dsc
  to main/libp/libpng/libpng_1.2.46-5.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 660026@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 16 Feb 2012 08:21:54 +1100
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source mipsel
Version: 1.2.46-5
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Closes: 660026
Changes: 
 libpng (1.2.46-5) unstable; urgency=high
 .
   * Check for both truncation (64-bit platforms) and integer overflow
     Fix CVE-2011-3026
     Add 02-660026-CVE-2011-3026.patch
     Closes: 660026
Checksums-Sha1: 
 f0e4a3f8eb7dfd359ac3b8d4c9102b9eb612a926 1976 libpng_1.2.46-5.dsc
 db34b3668b35e168ae6fa4d150a323677dc8db45 16059 libpng_1.2.46-5.debian.tar.bz2
 cd9057ec57b98efb8e92ace1bf6f5b25e8bc9318 184938 libpng12-0_1.2.46-5_mipsel.deb
 9bb6d144c6a883a1c42773a79ba6b0a3057cc9c9 274938 libpng12-dev_1.2.46-5_mipsel.deb
 67dcb3e4d6644f15d8dc20932b9f14bb0d35d46e 954 libpng3_1.2.46-5_mipsel.deb
 895eae48f485cbfa68e6fd8aa7a58c68b2c27587 71304 libpng12-0-udeb_1.2.46-5_mipsel.udeb
Checksums-Sha256: 
 ec0a0e774c7ab69702596a57a0f43b5bbb24fcb4d9671895ad72497500f4ec09 1976 libpng_1.2.46-5.dsc
 f182e95443cd61f14080c3180e99e640fad56f8aed1824760cfb3aaad40c6c70 16059 libpng_1.2.46-5.debian.tar.bz2
 39bc279aeb12a7d61eb9fa3f8bfceca0a6aa9e84af9eacd70a15a51ef96f2a5b 184938 libpng12-0_1.2.46-5_mipsel.deb
 2aa61d9f96dc8588e495050c6a7d158f34240648fd771e7be1ce8060f192f028 274938 libpng12-dev_1.2.46-5_mipsel.deb
 2d378675784e6ab5dcca102a8355f205060638c04e4871097fca772455403e6b 954 libpng3_1.2.46-5_mipsel.deb
 0d57ab700d5a46be7c8675fe76acd4f2973797c5fa462d4588ed4393990484d9 71304 libpng12-0-udeb_1.2.46-5_mipsel.udeb
Files: 
 aa226d0598693967bc4d0075c1f03753 1976 libs optional libpng_1.2.46-5.dsc
 f7dfce7c286866dbff4d9f84d7ae4443 16059 libs optional libpng_1.2.46-5.debian.tar.bz2
 fe3e75b783c798df672357943df09ec0 184938 libs optional libpng12-0_1.2.46-5_mipsel.deb
 56d4220aff30a4ef2bd15e7ae8283703 274938 libdevel optional libpng12-dev_1.2.46-5_mipsel.deb
 c78fe367bfcbb6e2ebf2e0262def12c7 954 oldlibs optional libpng3_1.2.46-5_mipsel.deb
 4a1112a679b398537830f171fcba292d 71304 debian-installer extra libpng12-0-udeb_1.2.46-5_mipsel.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJPPCbnAAoJEHxWrP6UeJfYztQQAIVkJcCEszQgom7ZhBHMw2SC
WKi8/7OKWhC6zx6dlhxj/kXV5yVzDnlgPTgfnfBsA89szLPuek5r/EZOmZk77Zw6
clq6HdB9ymF4m22GSUjmSlum6GKy+Nr6ouWbnyMHF68kEm3msVlarwHOcn4mYBUX
ldF/H47YvCvGFwbJry2uifubb6Gzh2AXIPBXGw+EC9ISvenZ0UbB/Nm9yM6L3Q69
EVnX5+YaYiCHrkCbcGkkv9Rzrw5zqPGLJIRuqYM6AYyUen8vOEHFsvZf8smDtMzK
PIvbVGrMiapllQwghlG5muHA2BWgTY9XKhKnDs3g1qk3QTiSpfjTn8jApC0TAdE2
Pswfv0OC+C8/K8rMxT2teVYA5MWIRNmhoRtmrBi3vVPpHm6XV6rRToUbhkavvlnC
7kPUKjhP85opggxFuS7U0dvv/lBcz+QFxosiWvNNd7nJWpykD4ogPEvCS0+l1zkI
LkuBd1EX3LVQqxhcO3FuN2GnY/lI2E7nsFQX/A+dkEhDM9+um9YHJLPIzjTb2kD5
pGGk447QPiMfHgKlEQg9/0p0a0xXoQec63FMMt5xD9wAYQvvJz8rhD5ZJ0jCkK5W
mYXRjtrQlcvo3H3iswl3sDI8Ws7OrsziOwb0BV4z28BkWt/gTXP6x89oSzlzNacz
cEaCIrjdOv1QMWwhI6GX
=15RX
-----END PGP SIGNATURE-----





Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. (Wed, 15 Feb 2012 22:51:03 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 15 Feb 2012 22:51:03 GMT) Full text and rfc822 format available.

Message #15 received at 660026-close@bugs.debian.org (full text, mbox):

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 660026-close@bugs.debian.org
Subject: Bug#660026: fixed in libpng 1.5.8-1
Date: Wed, 15 Feb 2012 22:48:44 +0000
Source: libpng
Source-Version: 1.5.8-1

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:

libpng-dev_1.5.8-1_mipsel.deb
  to main/libp/libpng/libpng-dev_1.5.8-1_mipsel.deb
libpng15-15-udeb_1.5.8-1_mipsel.udeb
  to main/libp/libpng/libpng15-15-udeb_1.5.8-1_mipsel.udeb
libpng15-15_1.5.8-1_mipsel.deb
  to main/libp/libpng/libpng15-15_1.5.8-1_mipsel.deb
libpng_1.5.8-1.debian.tar.bz2
  to main/libp/libpng/libpng_1.5.8-1.debian.tar.bz2
libpng_1.5.8-1.dsc
  to main/libp/libpng/libpng_1.5.8-1.dsc
libpng_1.5.8.orig.tar.bz2
  to main/libp/libpng/libpng_1.5.8.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 660026@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 16 Feb 2012 09:18:13 +1100
Source: libpng
Binary: libpng15-15 libpng-dev libpng15-15-udeb
Architecture: source mipsel
Version: 1.5.8-1
Distribution: experimental
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 libpng-dev - PNG library - development
 libpng15-15 - PNG library - runtime
 libpng15-15-udeb - PNG library - minimal runtime library (udeb)
Closes: 660026
Changes: 
 libpng (1.5.8-1) experimental; urgency=high
 .
   * New upstream release.
     Fix a one-byte (stack) buffer-overrun bug in
     png_formatted_warning(), which could lead to crashes (denial of
     service) or, conceivably, execution of hostile code.
     This vulnerability has been assigned ID CVE-2011-3464.
   * Check for both truncation (64-bit platforms) and integer overflow
     Fix CVE-2011-3026
     Add 02-660026-CVE-2011-3026.patch
     Closes: 660026
Checksums-Sha1: 
 4bce8ed1cb6a7fbdcd33f9a4052b7d2ae7c203d4 1916 libpng_1.5.8-1.dsc
 46fdc2ab3fef9cf0949b1d7374cda9ea37ed5419 865525 libpng_1.5.8.orig.tar.bz2
 d3142378961db01e827e949a2b6645a0122d065d 16204 libpng_1.5.8-1.debian.tar.bz2
 15893bcad0f17004e7765403168863c16db69342 230034 libpng15-15_1.5.8-1_mipsel.deb
 1455b4f624b3f92438548bce915082a67cbd6282 313846 libpng-dev_1.5.8-1_mipsel.deb
 70a880046bf5eeec4176a7e01463005a5a3c5f4d 80492 libpng15-15-udeb_1.5.8-1_mipsel.udeb
Checksums-Sha256: 
 21b9745db62e47124f77d5ffee3bb8536acf56bc793db42d0b80524acd972f9d 1916 libpng_1.5.8-1.dsc
 4702a0fc1a72c51f8370fc1fa129425913495173e9a87a965170eaa3d81bbf63 865525 libpng_1.5.8.orig.tar.bz2
 0124135dee8f0fc69a45a1fd7cfabc020e62ff83c7d41c66af2fc6566d09bf32 16204 libpng_1.5.8-1.debian.tar.bz2
 d4328e43eee20c1817eb9ede79d22506d2a10c6951c124ca076ac55c35fba8df 230034 libpng15-15_1.5.8-1_mipsel.deb
 6b669e28b8d6d29243d569d4994ab67ee5457e71076f06ff0de89ca7bfa49cfc 313846 libpng-dev_1.5.8-1_mipsel.deb
 e2e9dd3792d5b55293ae4cf9fc33c446ebf7350cd180a2f14fbcfd7aaf9f1311 80492 libpng15-15-udeb_1.5.8-1_mipsel.udeb
Files: 
 3972d4f8115513c9234c783be34b08a8 1916 libs optional libpng_1.5.8-1.dsc
 3b0aac862a247eeabecca44674686dfc 865525 libs optional libpng_1.5.8.orig.tar.bz2
 5596e3a2dcccdff34149c665b1391772 16204 libs optional libpng_1.5.8-1.debian.tar.bz2
 159b8e0fdff6b6b97674d10c5d4f11ba 230034 libs optional libpng15-15_1.5.8-1_mipsel.deb
 4f9def3e720695cf8510fe7cc6c5afee 313846 libdevel optional libpng-dev_1.5.8-1_mipsel.deb
 18ffb23ed4ecb621faa793962d03f5c2 80492 debian-installer extra libpng15-15-udeb_1.5.8-1_mipsel.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJPPDIUAAoJEHxWrP6UeJfYD3QP/iEw/hck0rzV+qhQXHnH3Lxw
KcmBNxp4/DfAumbxCvoii2FBv1SKGAhTDM9MJKXvd5/X9jNWj8ylZ2qPGPnkC8eG
2NWEH1QMtv88LVYnxtk0FDjqZjWJJ0yexnU7SS8IPAFeVVnEJe44qQxV4ynfix2/
ja76L/CLrVRsY8n0sGZladaH5U8elGCXBLPGFGt3xNf66+y+jSB3fJdNSH44yINX
DbzQVoyVBo3qfKZ09iShurIkXCSHZ+GfIojYBwuxl433o8CveRMogD9nZrRI5oGz
kkomcOf3d5uRAALaRmS7SG9fDc20C+PF4T1Kwio63kzzy6NJQiylP4yHR4JoWsgm
C4+A74R7rSQkz7G3KdQ1Nlyj6/Q77PDxsa7nA9U5yBQCn2vaABV5AJ4n1fSLWyAr
OdjJta2TonjNEBux9KujiAEiOZJdR2R2aZMCRb0A2zEik9EoAUgUtEkBizohAlrl
Y1ghxVqIDLDvPwBHr5P+gFOkwEXy8lEBM00eHOUCk4wqMKv8f0eVGKsUrgLuNsdt
/5IPpe0hWbbNuwk0BCRyKWwc0JIREOc3kj7UysVJ2UR4OsbsDQpfKKOREQxH2EZB
NWvd/GMsN6VQChrO9GuDxrN6ns2yffZCzvY7MT9Z/dQhsqiKs9D/gW9wA8wQC2lr
4SfynQrV4gKdaitYFmBr
=I8Yn
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 15 Mar 2012 07:33:07 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 19:04:46 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.