Posted: Tue Oct 05, 2010 10:26 pm Post subject: [ GLSA 201010-01 ] Libpng: Multiple vulnerabilities
Gentoo Linux Security Advisory
Title: Libpng: Multiple vulnerabilities (GLSA 201010-01)
Date: October 05, 2010
Updated: October 15, 2012
Bug(s): #307637, #324153, #335887
Multiple vulnerabilities in libpng might lead to privilege
escalation or a Denial of Service.
libpng is a standard library used to process PNG (Portable Network
Graphics) images. It is used by several programs, including web browsers
and potentially server processes.
Vulnerable: < 1.4.3
Unaffected: >= 1.4.3
Unaffected: >= 1.2.46 < 1.2.47
Unaffected: >= 1.2.47 < 1.2.48
Unaffected: >= 1.2.49 < 1.2.50
Unaffected: >= 1.2.50 < 1.2.51
Architectures: All supported architectures
Multiple vulnerabilities were found in libpng:
- The png_decompress_chunk() function in pngrutil.c does not properly
handle a certain type of compressed data (CVE-2010-0205)
- A buffer overflow in pngread.c when using progressive applications
- A memory leak in pngrutil.c when dealing with a certain type of
An attacker could exploit these vulnerabilities to cause programs linked
against the library to crash or execute arbitrary code with the
permissions of the user running the vulnerable program, which could be
the root user.
There is no known workaround at this time.
All libpng 1.4 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libpng-1.4.3"
All libpng 1.2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.46"
Last edited by GLSA on Tue Oct 16, 2012 4:28 am; edited 4 times in total
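The Vulnerable/Unaffected ranges listed in the advisory, turned into a version check. This is an added example, not part of the advisory or of Gentoo's tooling; the function names `ver_lt` and `glsa_status` are hypothetical, and it assumes each "Unaffected: >= X < Y" line means the half-open range [X, Y) and that a Gentoo revision suffix such as -r1 can be ignored for the comparison.

```shell
#!/bin/sh
# Classify libpng versions against the ranges printed in GLSA 201010-01.
# Usage (constructed sample input): sh glsa-libpng.sh 1.2.44 1.2.46-r1 1.4.3

# ver_lt A B: succeed when dotted numeric version A sorts strictly before B.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}          # a missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                          # equal versions are not "less than"
}

# glsa_status VERSION: print vulnerable, unaffected or unknown.
glsa_status() {
    v=${1%-r[0-9]*}                   # drop a Gentoo revision suffix (-r1)
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;   # suffixes like _beta: not handled
    esac
    # "Unaffected: >= 1.4.3"
    if ! ver_lt "$v" 1.4.3; then echo unaffected; return 0; fi
    # The four 1.2.x "Unaffected" lines, as lo:hi pairs meaning [lo, hi).
    for range in 1.2.46:1.2.47 1.2.47:1.2.48 1.2.49:1.2.50 1.2.50:1.2.51; do
        lo=${range%:*}; hi=${range#*:}
        if ! ver_lt "$v" "$lo" && ver_lt "$v" "$hi"; then
            echo unaffected; return 0
        fi
    done
    # Everything else is below 1.4.3 and outside every unaffected range.
    echo vulnerable
}

for arg in "$@"; do
    printf '%s\t%s\n' "$arg" "$(glsa_status "$arg")"
done
```

Read literally, the table leaves 1.2.48 and 1.2.51 in the "Vulnerable: < 1.4.3" set, because no Unaffected line covers them; the check reports them that way rather than guessing.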