--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-daffd78c3d
2020-12-23 01:03:28.556301
--------------------------------------------------------------------------------

Name        : pngcheck
Product     : Fedora 32
Version     : 2.4.0
Release     : 5.fc32
URL         : https://www.libpng.org/pub/png/apps/pngcheck.html
Summary     : Verifies the integrity of PNG, JNG and MNG files
Description :
pngcheck verifies the integrity of PNG, JNG and MNG files (by checking the
internal 32-bit CRCs [checksums] and decompressing the image data); it can
optionally dump almost all of the chunk-level information in the image in
human-readable form. For example, it can be used to print the basic statistics
about an image (dimensions, bit depth, etc.); to list the color and
transparency info in its palette (assuming it has one); or to extract the
embedded text annotations. This is a command-line program with batch
capabilities.

The current release supports all PNG, MNG and JNG chunks, including the newly
approved sTER stereo-layout chunk. It correctly reports errors in all but two
of the images in Chris Nokleberg's brokensuite-20061204.

--------------------------------------------------------------------------------
Update Information:

Previous fix for buffer overrun printing the contents of the sPLT chunk in
certain malformed inputs (RHBZ#1905775) was incomplete; it should be properly
fixed now.  ----  Security fix for multiple buffer overflows from crafted file
input (RHBZ#1902786,1902806,1902810: no CVE yet assigned), and for buffer
overrun printing the contents of the sPLT chunk in certain malformed inputs
(RHBZ#1905775: no tracking bug or CVE yet assigned); also, new eXIf support and
assorted small bug fixes
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 14 2020 Benjamin A. Beasley  - 2.4.0-5
- Previous fix for buffer overrun printing the contents of the sPLT chunk in
  certain malformed inputs (RHBZ#1905775) was incomplete; it should be properly
  fixed now.
* Sun Dec 13 2020 Benjamin A. Beasley  - 2.4.0-4
- Bounds-check all accesses into enumerated-value name arrays; a malformed file
  could have caused a buffer overrun in several of these cases. (RHBZ#1902810)
- Fix buffer overrun when print_buffer() is passed a nonpositive size, which
  can occur in practice for certain malformed inputs. (RHBZ#1902810)
- In some cases, the chunk length from the file data (sz) is used to index into
  the read buffer without sufficient bounds-checking, leading to a buffer
  overrun. Fix this for PPLT, hIST, sCAL, FRAM, SAVE, nEED, PAST, DISC, DROP,
  DBYK, ORDR, and SEEK chunks. (RHBZ#1902810)
- Fix buffer overrun printing the contents of the sPLT chunk in certain
  malformed inputs. (RHBZ#1905775)
- Backport fix for off-by-one bug in check_magic() from 3.0.0
- Backport fix for zlib version warnings going to stdout from 3.0.0
- Use name macro when referencing patches.
- Add BR on make in anticipation of
  https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot.
- New upstream version 2.4.0
- Added new license file for main package (same MIT-style license)
- Drop format-security patch, now upstreamed
- Use upstreamed man pages; no need to generate with help2man anymore
- Add rpmlintrc rules for -extras subpackage
- Add rpmlintrc file to suppress spurious rpmlint warnings
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1902806 - pngcheck: Multiple buffer overflows from crafted file input
        https://bugzilla.redhat.com/show_bug.cgi?id=1902806
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-daffd78c3d' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]