TSLSA-2006-0065 - libpng



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0065

Package names: libpng
Summary: Multiple vulnerabilities
Date: 2006-11-17
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
libpng
libpng is a library of functions for creating and manipulating PNG
(Portable Network Graphics) image format files.

Problem description:
libpng < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: Tavis Ormandy has reported a vulnerability in libpng,
caused due to an out-of-bounds read error in the "png_set_sPLT()"
function in pngset.c. This can be exploited by tricking an
application using the library to process a specially crafted PNG file.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-5793 to this issue.

Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.


Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.


Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.


Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>


Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>

The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2006/0065/>


MD5sums of the packages:
- --------------------------------------------------------------------------
67f4a74a37e986d05d2f5d16c522c22e 3.0/rpms/libpng-1.2.8-5tr.i586.rpm
af1685f8fbc087a2000bb6a06915097c 3.0/rpms/libpng-devel-1.2.8-5tr.i586.rpm
45193bf1c911252781a7aa3f2cdc7b9b 3.0/rpms/libpng-tools-1.2.8-5tr.i586.rpm

a49e9bc16c4a6bf2e012278e37a99e61 2.2/rpms/libpng-1.2.7-2tr.i586.rpm
7a3b29b58d81c058c835f547c7925fb2 2.2/rpms/libpng-devel-1.2.7-2tr.i586.rpm
98165bbb52b4df3e0854d00f3350a7cb 2.2/rpms/libpng-tools-1.2.7-2tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFXa5Zi8CEzsK9IksRAlIGAJ9gcZOwlDYYe0JYmECPLmM74dEw4QCdHTMh
7glblY3B87DZ9vHEJwXm/vE=
=UsF6
-----END PGP SIGNATURE-----



Relevant Pages

  • TSLSA-2006-0057 - multi
    ... Affected versions: Trustix Secure Linux 2.2 ... The package provides a flexible and scalable multi-threaded ... SECURITY Fix: Two vulnerabilities have been reported in Clam ...
    (Bugtraq)
  • TSLSA-2006-0002 - multi
    ... Affected versions: Trustix Secure Linux 2.2 ... The package provides a flexible and scalable multi-threaded daemon, ... - SECURITY Fix: Fixes possible heap based buffer overflow in libclamav/upx.c. ... The Common Vulnerabilities and Exposures project has assigned the ...
    (Bugtraq)
  • TSLSA-2006-0008 - multi
    ... Trustix Secure Linux Security Advisory #2006-0008 ... Affected versions: Trustix Secure Linux 2.2 ... Package description: ... you'll need to access a PostgreSQL DBMS server. ...
    (Bugtraq)
  • TSLSA-2006-0072 - clamav
    ... Affected versions: Trustix Secure Linux 2.2 ... Package description: ... SECURITY Fix: Hendrik Weimer has reported a vulnerability in ClamAV, ... This advisory along with all Trustix packages are signed with the ...
    (Bugtraq)
  • Updated: TSLSA-2004-0068 - kernel
    ... this update of the advisory is to correct that. ... Package name: kernel ... Affected versions: Trustix Secure Linux 2.0 ... The kernel package contains the Linux kernel, ...
    (Bugtraq)