Yellow Dog Linux Security Advisory: YDU-20030114-2
yellowdog-updates@lists.terrasoftsolutions.com
Mon, 13 Jan 2003 13:52:24 -0700 (MST)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: libpng
Issue Date: January 14, 2002
Priority: medium
Advisory ID: YDU-20030114-2
1. Topic:
Updated libpng packages are available.
2. Problem:
"Updated libpng packages are available that fix a buffer overflow
vulnerability.
The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files. PNG
is a bit-mapped graphics format similar to the GIF format.
Unpatched versions of libpng 1.2.1 and earlier do not correctly calculate
offsets, which leads to a buffer overflow and the possibility of arbitrary
code execution. This could be exploited by an attacker creating a
carefully crafted PNG file which could execute arbitrary code when the
victim views it."
(from Red Hat Advisory)
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:

    apt-get update
    apt-get install libpng

b) Updating manually...
Download the updates below and then run the following rpm command.
(Please use a mirror site)

    rpm -Fvh [filenames]

ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
    ppc/libpng-1.0.14-0.7x.4.ppc.rpm
    ppc/libpng-devel-1.0.14-0.7x.4.ppc.rpm
4. Verification
MD5 checksum                      Package
--------------------------------  ----------------------------
54c664590a9daa41c0020b76b5687da7  ppc/libpng-1.0.14-0.7x.4.ppc.rpm
3a4203f0327c2d118ac3c4cd67ce9c51  ppc/libpng-devel-1.0.14-0.7x.4.ppc.rpm
6f6a7e80e2d38f6ab156506847cb030c  SRPMS/libpng-1.0.14-0.7x.4.src.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command:

    rpm --checksig --nogpg filename
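
Added example (not part of the original advisory): a shell function that reads
the checksum table of section 4 from a saved copy of this advisory and compares
each listed package with the md5sum of the file you downloaded. The function
name and the saved-advisory file argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. Hypothetical helper name.
# Usage: verify_advisory_md5 ADVISORY_FILE DOWNLOAD_DIR
# Returns 0 if every downloaded package matches its listed MD5,
#         1 if any downloaded package differs,
#         2 if no table rows were found or no listed package was present.
verify_advisory_md5() {
    advisory=$1
    dir=$2
    status=0
    checked=0
    # Table rows look like "<32 hex digits> <path ending in .rpm>".
    rows=$(grep -E '^[0-9a-f]{32}[[:space:]]+[^[:space:]]+\.rpm[[:space:]]*$' "$advisory") || {
        echo "no checksum rows found in $advisory" >&2
        return 2
    }
    # Feed the loop from a here-document so that status and checked are
    # still set afterwards (a pipeline would run the loop in a subshell).
    while read -r want path; do
        # The table prefixes each name with ppc/ or SRPMS/; a manual
        # download normally leaves the bare file name in DOWNLOAD_DIR.
        file="$dir/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "SKIPPED  $path (not downloaded)"
            continue
        fi
        checked=$((checked + 1))
        got=$(md5sum "$file" | awk '{print $1}')
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (listed $want, computed $got)"
            status=1
        fi
    done <<EOF
$rows
EOF
    if [ "$checked" -eq 0 ]; then
        echo "none of the listed packages were found in $dir" >&2
        return 2
    fi
    return $status
}
```

A match shows only that the file equals what the saved advisory lists, so the
result is as trustworthy as the copy of the advisory it was read from.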
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml