Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Fedora 9: 2009-2045 Critical Libpng Memory Management Vulnerability Alert

fedora
Calendar Grey March 9, 2009
Dist Fedora Esm H88
The latest Fedora 9 release includes a crucial fix for a major libpng vulnerability, enhancing memory management capabilities and boosting overall application reliability.
This release fixes a vulnerability in which some arrays of pointers are not initialized prior to using malloc to define the pointers

Summary

The libpng10 package contains an old version of libpng, a library of functions

for creating and manipulating PNG (Portable Network Graphics) image format

files.

This package is needed if you want to run binaries that were linked dynamically

with libpng 1.0.x.

This release fixes a vulnerability in which some arrays of pointers are not

initialized prior to using malloc to define the pointers. If the application

runs out of memory while executing the allocation loop (which can be forced by

malevolent input), libpng10 will jump to a cleanup process that attempts to free

all of the pointers, including the undefined ones. This issue has been

assigned CVE-2009-0040

* Thu Feb 19 2009 Paul Howarth 1.0.43-1

- update to 1.0.43 (clear pointer arrays created using png_malloc())

* Fri Dec 19 2008 Paul Howarth 1.0.42-1

- update to 1.0.42 (various minor bugfixes and code cleanups)

* Fri Oct 31 2008 Paul Howarth 1.0.41-1

- update to 1.0.41 (addresses #468990, memory leak after reading a malformed

tEXt chunk)

* Fri Sep 19 2008 Paul Howarth 1.0.40-1

- update to 1.0.40

* Thu Aug 21 2008 Paul Howarth 1.0.39-1

- update to 1.0.39

* Sun Aug 17 2008 Paul Howarth 1.0.38-1

- update to 1.0.38

- update soname patch to apply without fuzz

* Fri May 9 2008 Paul Howarth 1.0.37-1

- update to 1.0.37

- autotools patch no longer needed

- explicitly specify the library filename in %files as a consistency check

* Wed Apr 30 2008 Paul Howarth 1.0.34-1

- update to 1.0.34

- update autotools patch

* Wed Apr 30 2008 Paul Howarth 1.0.33-1

- update to 1.0.33 (CVE-2008-1382, #441839)

- add patch to fix broken autotools build scripts

[ 1 ] Bug #486355 - CVE-2009-0040 libpng arbitrary free() flaw

https://bugzilla.redhat.com/show_bug.cgi?id=486355

su -c 'yum update libpng10' at the command line.

For more information, refer to "Managing Software with yum",

available at .

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

Fedora-package-announce mailing list

Fedora-package-announce@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Topics%20covered

Topics Covered

security advisory Fedora libpng critical flaw memory management application stability

Change Log

References

Update Instructions

Severity
critical
Lowest
Low
Medium
High
Critical

Product: Fedora 9
Version: 1.0.43
Release: 1.fc9
URL: http://www.libpng.org/pub/png/libpng.html
Summary: Old version of libpng, needed to run old binaries

Topics%20covered

Topics Covered

security advisory Fedora libpng critical flaw memory management application stability

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here