Fedora 33: pngcheck 2020-f3a397cbf8.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-f3a397cbf8
2020-12-23 01:18:30.481735
--------------------------------------------------------------------------------

Name        : pngcheck
Product     : Fedora 33
Version     : 2.4.0
Release     : 5.fc33
URL         : https://www.libpng.org/pub/png/apps/pngcheck.html
Summary     : Verifies the integrity of PNG, JNG and MNG files
Description :
pngcheck verifies the integrity of PNG, JNG and MNG files (by checking the
internal 32-bit CRCs [checksums] and decompressing the image data); it can
optionally dump almost all of the chunk-level information in the image in
human-readable form. For example, it can be used to print the basic statistics
about an image (dimensions, bit depth, etc.); to list the color and
transparency info in its palette (assuming it has one); or to extract the
embedded text annotations. This is a command-line program with batch
capabilities.

The current release supports all PNG, MNG and JNG chunks, including the newly
approved sTER stereo-layout chunk. It correctly reports errors in all but two
of the images in Chris Nokleberg's brokensuite-20061204.

--------------------------------------------------------------------------------
Update Information:

Previous fix for buffer overrun printing the contents of the sPLT chunk in
certain malformed inputs (RHBZ#1905775) was incomplete; it should be properly
fixed now.  ----  Security fix for multiple buffer overflows from crafted file
input (RHBZ#1902786,1902806,1902810: no CVE yet assigned), and for buffer
overrun printing the contents of the sPLT chunk in certain malformed inputs
(RHBZ#1905775: no tracking bug or CVE yet assigned); also, new eXIf support and
assorted small bug fixes
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 14 2020 Benjamin A. Beasley  - 2.4.0-5
- Previous fix for buffer overrun printing the contents of the sPLT chunk in
  certain malformed inputs (RHBZ#1905775) was incomplete; it should be properly
  fixed now.
* Sun Dec 13 2020 Benjamin A. Beasley  - 2.4.0-4
- Bounds-check all accesses into enumerated-value name arrays; a malformed file
  could have caused a buffer overrun in several of these cases. (RHBZ#1902810)
- Fix buffer overrun when print_buffer() is passed a nonpositive size, which
  can occur in practice for certain malformed inputs. (RHBZ#1902810)
- In some cases, the chunk length from the file data (sz) is used to index into
  the read buffer without sufficient bounds-checking, leading to a buffer
  overrun. Fix this for PPLT, hIST, sCAL, FRAM, SAVE, nEED, PAST, DISC, DROP,
  DBYK, ORDR, and SEEK chunks. (RHBZ#1902810)
- Fix buffer overrun printing the contents of the sPLT chunk in certain
  malformed inputs. (RHBZ#1905775)
- Backport fix for off-by-one bug in check_magic() from 3.0.0
- Backport fix for zlib version warnings going to stdout from 3.0.0
- Use name macro when referencing patches.
- Add BR on make in anticipation of
  https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot.
- New upstream version 2.4.0
- Added new license file for main package (same MIT-style license)
- Drop format-security patch, now upstreamed
- Use upstreamed man pages; no need to generate with help2man anymore
- Add rpmlintrc rules for -extras subpackage
- Add rpmlintrc file to suppress spurious rpmlint warnings
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1902806 - pngcheck: Multiple buffer overflows from crafted file input
        https://bugzilla.redhat.com/show_bug.cgi?id=1902806
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-f3a397cbf8' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]

Advisories

What Are You Looking For?

Popular Tags

Fedora 33: pngcheck 2020-f3a397cbf8

Summary

Change Log

References

Update Instructions

News

Advisories

HOWTOs

Features

Secure Linux Hosting for Businesses

What Is Threat Intelligence?

CloudLinux Simplifies & Enhances Linux Security with its TuxCare Unified Enterprise Support Services

LinuxSecurity, Leading Provider of Linux Security News and Information, Unveils its New Website

Biden's New Executive Cybersecurity Order Highlights the Power of Open-Source Security

About Us

Powered By

Advisories

What Are You Looking For?

Popular Tags

Sign In

Not a Member Yet?

Fedora 33: pngcheck 2020-f3a397cbf8

Summary

Change Log

References

Update Instructions

Get the Latest News & Insights

News

Advisories

HOWTOs

Features

Secure Linux Hosting for Businesses

What Is Threat Intelligence?

CloudLinux Simplifies & Enhances Linux Security with its TuxCare Unified Enterprise Support Services

LinuxSecurity, Leading Provider of Linux Security News and Information, Unveils its New Website

Biden's New Executive Cybersecurity Order Highlights the Power of Open-Source Security

About Us

Powered By