Yellow Dog Linux Security Advisory: YDU-20030114-2

yellowdog-updates@lists.terrasoftsolutions.com
Mon, 13 Jan 2003 13:52:24 -0700 (MST)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	libpng
Issue Date: 	January 14, 2002	
Priority:	medium	
Advisory ID: 	YDU-20030114-2


1. 	Topic:

	Updated libpng packages are available.


2. 	Problem:

	"Updated libpng packages are available that fix a buffer overflow
	vulnerability.

	The libpng package contains a library of functions for creating and
	manipulating PNG (Portable Network Graphics) image format files. PNG
	is a bit-mapped graphics format similar to the GIF format.

	Unpatched versions of libpng 1.2.1 and earlier do not correctly calculate
	offsets, which leads to a buffer overflow and the possibility of arbitrary
	code execution. This could be exploited by an attacker creating a
	carefully crafted PNG file which could execute arbitrary code when the
	victim views it."
	(from Red Hat Advisory)


3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install libpng

   	b) Updating manually...
	Download the updates below and then run the following rpm command.
   	(Please use a mirror site)

		rpm -Fvh [filenames]
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
			ppc/libpng-1.0.14-0.7x.4.ppc.rpm
			ppc/libpng-devel-1.0.14-0.7x.4.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
54c664590a9daa41c0020b76b5687da7  ppc/libpng-1.0.14-0.7x.4.ppc.rpm
3a4203f0327c2d118ac3c4cd67ce9c51  ppc/libpng-devel-1.0.14-0.7x.4.ppc.rpm
6f6a7e80e2d38f6ab156506847cb030c  SRPMS/libpng-1.0.14-0.7x.4.src.rpm


If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
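
As an added example (not part of the original advisory), the shell function below compares downloaded packages against the MD5 table in section 4 before they are installed. The function name verify_md5_table and the ./downloads directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: check downloaded RPMs against the
# MD5 table published in section 4. verify_md5_table is a hypothetical helper.

# Checksums copied from section 4 of this advisory.
ADVISORY_MD5='54c664590a9daa41c0020b76b5687da7  ppc/libpng-1.0.14-0.7x.4.ppc.rpm
3a4203f0327c2d118ac3c4cd67ce9c51  ppc/libpng-devel-1.0.14-0.7x.4.ppc.rpm
6f6a7e80e2d38f6ab156506847cb030c  SRPMS/libpng-1.0.14-0.7x.4.src.rpm'

# verify_md5_table DIR   (table on stdin, one "<md5>  <path>" per line)
# Each listed package is looked up by basename in DIR.
# Returns 0 only if at least one file was checked and none mismatched.
verify_md5_table() {
    dir=$1
    checked=0
    failed=0
    while read -r want path; do
        # Ignore header, ruler and blank lines: keep only 32 hex digits.
        case $want in
            *[!0-9a-fA-F]*|'') continue ;;
        esac
        [ "${#want}" -eq 32 ] || continue
        file=$dir/${path##*/}
        if [ ! -f "$file" ]; then
            echo "SKIP  $path (not downloaded)"
            continue
        fi
        got=$(md5sum < "$file" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$got" = "$(printf %s "$want" | tr 'A-F' 'a-f')" ]; then
            echo "OK    $path"
        else
            echo "FAIL  $path (expected $want, got $got)"
            failed=$((failed + 1))
        fi
    done
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Usage (assumed download directory):
#   printf '%s\n' "$ADVISORY_MD5" | verify_md5_table ./downloads && rpm -Fvh ./downloads/*.rpm
```

The --nogpg option tells rpm to skip the GPG signature check, so both the rpm command above and this function confirm only the digest. The result is only as trustworthy as the channel that delivered the checksum table.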


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml