This is the mail archive of the cygwin-apps mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[SECURITY] libpng vulnerabilities

From: marco atzeri <marco dot atzeri at gmail dot com>
To: cygwin-apps at cygwin dot com
Date: Sun, 26 Feb 2012 09:02:34 +0100
Subject: [SECURITY] libpng vulnerabilities
Authentication-results: mr.google.com; spf=pass (google.com: domain of marco.atzeri@gmail.com designates 10.68.191.71 as permitted sender) smtp.mail=marco.atzeri@gmail.com; dkim=pass header.i=marco.atzeri@gmail.com

Hi Chuck,

again, libpng announced security vulnerabilities:

from : http://www.libpng.org/pub/png/libpng.html

Vulnerability Warning

All versions of libpng from 1.0.6 through 1.5.8, 1.4.8, 1.2.46, and 1.0.56, respectively, fail to correctly validate a heap allocation in png_decompress_chunk(), which can lead to a buffer-overrun and the possibility of execution of hostile code on 32-bit systems. This serious vulnerability has been assigned ID CVE-2011-3026 and is fixed in version 1.5.9 (and versions 1.4.9, 1.2.47, and 1.0.57, respectively, on the older branches), released 18 February 2012.

Regards
Marco

PS: zlib 1.2.6 ?

Follow-Ups:
- Re: [SECURITY] libpng vulnerabilities
  - From: Charles Wilson

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]