Yellow Dog Linux Security Advisory: YDU-20020819-2
yellowdog-updates@lists.terrasoftsolutions.com
Mon, 19 Aug 2002 13:53:14 -0600 (MDT)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: libpng
Issue Date: August 19, 2002
Priority: medium
Advisory ID: YDU-20020819-2
1. Topic:
Updated libpng packages are available.
2. Problem:
"The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files. PNG
is a bit-mapped graphics format similar to the GIF format.
Versions of libpng prior to 1.0.14 contain a buffer overflow in the
progressive reader when the PNG datastream contains more IDAT data than
indicated by the IHDR chunk. Such deliberately malformed datastreams would
crash applications that are linked to libpng and that use the progressive
reading feature. Mozilla is such an application. (CAN-2002-0728)
Packages within [Yellow Dog] Linux, such as Mozilla, make use of the shared
libpng library. Therefore, all users are advised to upgrade to the errata
packages which contain libpng 1.0.14. Libpng 1.0.14 is not vulnerable to
this issue and contains fixes for other bugs, including a number of memory
leaks and another potential buffer overflow (CAN-2002-0660)"
(from Red Hat advisory)
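Added example, not part of the original advisory and not libpng code: a standalone Python check for the condition quoted above, a PNG whose IDAT data inflates to more bytes than the IHDR chunk accounts for. The function names and the way the check is structured are assumptions made for illustration; it handles both non-interlaced and Adam7-interlaced images.

```python
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # samples per pixel by colour type
# Adam7 passes as (x start, y start, x step, y step)
ADAM7 = [(0, 0, 8, 8), (4, 0, 8, 8), (0, 4, 4, 8), (2, 0, 4, 4),
         (0, 2, 2, 4), (1, 0, 2, 2), (0, 1, 1, 2)]

def expected_size(width, height, depth, colour, interlace):
    """Bytes of filtered scanline data that the IHDR fields account for."""
    bits = CHANNELS[colour] * depth
    total = 0
    for x0, y0, dx, dy in (ADAM7 if interlace else [(0, 0, 1, 1)]):
        w = (width - x0 + dx - 1) // dx
        h = (height - y0 + dy - 1) // dy
        if w > 0 and h > 0:
            total += h * (1 + (w * bits + 7) // 8)  # one filter byte per row
    return total

def check_png(data):
    """Return (declared, inflated); inflated > declared means excess IDAT."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG datastream")
    pos, ihdr, idat = 8, None, bytearray()
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR" and len(body) == 13:
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length  # length, type, data and CRC (CRC not verified)
    if ihdr is None or ihdr[3] not in CHANNELS:
        raise ValueError("missing or invalid IHDR")
    declared = expected_size(ihdr[0], ihdr[1], ihdr[2], ihdr[3], ihdr[6])
    # Stop inflating one byte past the declared size: that is enough to
    # prove the excess without expanding the rest of the stream.
    inflated = len(zlib.decompressobj().decompress(bytes(idat), declared + 1))
    return declared, inflated

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            declared, inflated = check_png(fh.read())
        print(path, "EXCESS IDAT DATA" if inflated > declared else "ok")
```

A check like this can screen files before they reach an application linked against an unpatched libpng; the fix remains the upgrade to libpng 1.0.14 described below.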
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
apt-get update
apt-get install libpng
b) Updating manually...
Download the updates below for your version of Yellow Dog Linux
and then run the following rpm command.
(Please use a mirror site)
rpm -Fvh [filenames]
Yellow Dog Linux 2.3
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
ppc/libpng-1.0.14-0.7x.3b.ppc.rpm
ppc/libpng-devel-1.0.14-0.7x.3b.ppc.rpm
Yellow Dog Linux 2.2
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
ppc/libpng-1.0.14-0.7x.3a.ppc.rpm
ppc/libpng-devel-1.0.14-0.7x.3a.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
[Yellow Dog Linux 2.3]
44743ce0eb1479452cef5801cc36c7d3 ppc/libpng-1.0.14-0.7x.3b.ppc.rpm
393ffb56fbfb235cb45456eba8df76dd ppc/libpng-devel-1.0.14-0.7x.3b.ppc.rpm
7b7417b2cae43e761aca35d187f22096 SRPMS/libpng-1.0.14-0.7x.3b.src.rpm
[Yellow Dog Linux 2.2]
36bd67e99f26c21c336e114de62e9465 ppc/libpng-1.0.14-0.7x.3a.ppc.rpm
01552232a18766acf22607df0ec3bcd7 ppc/libpng-devel-1.0.14-0.7x.3a.ppc.rpm
d74ab728b8065fdb0489db1da3ebb77c SRPMS/libpng-1.0.14-0.7x.3a.src.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml