Yellow Dog Linux Security Advisory: YDU-20020819-2

yellowdog-updates@lists.terrasoftsolutions.com
Mon, 19 Aug 2002 13:53:14 -0600 (MDT)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	libpng
Issue Date: 	August 19, 2002	
Priority:	medium
Advisory ID: 	YDU-20020819-2


1. 	Topic:

	Updated libpng packages are available.


2. 	Problem:

	"The libpng package contains a library of functions for creating and
	manipulating PNG (Portable Network Graphics) image format files. PNG
	is a bit-mapped graphics format similar to the GIF format. 

	Versions of libpng prior to 1.0.14 contain a buffer overflow in the
	progressive reader when the PNG datastream contains more IDAT data than
	indicated by the IHDR chunk.  Such deliberately malformed datastreams would
	crash applications that are linked to libpng and that use the progressive
	reading feature. Mozilla is such an application.  (CAN-2002-0728)

	Packages within [Yellow Dog] Linux, such as Mozilla, make use of the shared
	libpng library. Therefore, all users are advised to upgrade to the errata
	packages which contain libpng 1.0.14.  Libpng 1.0.14 is not vulnerable to
	this issue and contains fixes for other bugs, including a number of memory
	leaks and another potential buffer overflow (CAN-2002-0660)"
	(from Red Hat advisory)

3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install libpng

   	b) Updating manually...
	Download the updates below for your version of Yellow Dog Linux
	and then run the following rpm command.
   	(Please use a mirror site)

		rpm -Fvh [filenames]

		Yellow Dog Linux 2.3
			ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
				ppc/libpng-1.0.14-0.7x.3b.ppc.rpm
				ppc/libpng-devel-1.0.14-0.7x.3b.ppc.rpm

		Yellow Dog Linux 2.2
			ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
				ppc/libpng-1.0.14-0.7x.3a.ppc.rpm
				ppc/libpng-devel-1.0.14-0.7x.3a.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
[Yellow Dog Linux 2.3]
44743ce0eb1479452cef5801cc36c7d3  ppc/libpng-1.0.14-0.7x.3b.ppc.rpm
393ffb56fbfb235cb45456eba8df76dd  ppc/libpng-devel-1.0.14-0.7x.3b.ppc.rpm
7b7417b2cae43e761aca35d187f22096  SRPMS/libpng-1.0.14-0.7x.3b.src.rpm

[Yellow Dog Linux 2.2]
36bd67e99f26c21c336e114de62e9465  ppc/libpng-1.0.14-0.7x.3a.ppc.rpm
01552232a18766acf22607df0ec3bcd7  ppc/libpng-devel-1.0.14-0.7x.3a.ppc.rpm
d74ab728b8065fdb0489db1da3ebb77c  SRPMS/libpng-1.0.14-0.7x.3a.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
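The rpm --checksig command above checks the MD5 stored inside the package
header. To compare a downloaded file against the sums printed in the table
above (steps 3b and 4 together), the following script is an added example and
is not part of the Terra Soft advisory: it reads a manifest in the advisory's
"<md5>  <package>" layout, skips the release and column headers, and reports
OK/FAIL/MISSING per file so nothing is passed to rpm -Fvh until every listed
package matches. It assumes POSIX sh with coreutils md5sum (openssl is used as
a fallback); the files and digests in demo() are constructed stand-ins, not the
real packages.

```shell
#!/bin/sh
# Added example, not from the advisory: verify downloaded update packages
# against the MD5 sums listed in section 4 before running rpm -Fvh.
# Assumes POSIX sh plus coreutils md5sum (falls back to openssl dgst).

# Print the MD5 hex digest of one file.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_pkg EXPECTED_MD5 FILE: 0 if the file's digest matches, 1 otherwise.
verify_pkg() {
    expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ -f "$2" ] || { echo "MISSING $2" >&2; return 1; }
    actual=$(md5_of "$2")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $2"
        return 0
    fi
    echo "FAIL    $2 (advisory: $expected, file: $actual)" >&2
    return 1
}

# verify_manifest MANIFEST DIR: read "<md5>  <path>" lines in the advisory's
# table layout, skip blank lines, release headers such as
# "[Yellow Dog Linux 2.3]", the "MD5 checksum  Package" header and the
# dashed rule, and check every listed file under DIR.
# Exit status is the number of packages that did not verify (0 = all good).
verify_manifest() {
    fails=0
    while read -r sum path; do
        case "$sum" in
            ''|\[*|MD5*|---*) continue ;;
        esac
        verify_pkg "$sum" "$2/$path" || fails=$((fails + 1))
    done < "$1"
    return "$fails"
}

# Constructed demo: two stand-in files whose MD5 sums are well known
# (empty file, and "hello" followed by a newline) plus one deliberately
# wrong manifest entry, so one FAIL is expected. No real packages involved.
demo() {
    dir=$(mktemp -d)
    : > "$dir/empty.rpm"                 # d41d8cd98f00b204e9800998ecf8427e
    printf 'hello\n' > "$dir/hello.rpm"  # b1946ac92492d2347c6235b4d2611184
    cat > "$dir/MANIFEST" <<'EOF'
MD5 checksum                      Package
--------------------------------  ----------------------------
[constructed release]
d41d8cd98f00b204e9800998ecf8427e  empty.rpm
b1946ac92492d2347c6235b4d2611184  hello.rpm
00000000000000000000000000000000  hello.rpm
EOF
    verify_manifest "$dir/MANIFEST" "$dir"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo && rc=0 || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "all listed packages verified; safe to run rpm -Fvh"
else
    echo "$rc package(s) failed verification; do not install them"
fi
```

In practice, save the relevant block of the table above as the manifest and
run verify_manifest against the directory the packages were downloaded into;
only install with rpm -Fvh when it exits 0.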


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml