This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
[SECURITY] libpng vulnerabilities
- From: marco atzeri <marco dot atzeri at gmail dot com>
- To: cygwin-apps at cygwin dot com
- Date: Sun, 26 Feb 2012 09:02:34 +0100
- Subject: [SECURITY] libpng vulnerabilities
Hi Chuck,
Again, libpng announced security vulnerabilities:
from: http://www.libpng.org/pub/png/libpng.html
Vulnerability Warning
All versions of libpng from 1.0.6 through 1.5.8, 1.4.8, 1.2.46, and
1.0.56, respectively, fail to correctly validate a heap allocation in
png_decompress_chunk(), which can lead to a buffer-overrun and the
possibility of execution of hostile code on 32-bit systems. This serious
vulnerability has been assigned ID CVE-2011-3026 and is fixed in version
1.5.9 (and versions 1.4.9, 1.2.47, and 1.0.57, respectively, on the
older branches), released 18 February 2012.
Regards
Marco
PS: zlib 1.2.6 ?
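
A version check built from the ranges in the warning quoted above, as an added example that is not part of the original message or of libpng. The function names, the handling of `beta`/`rc` suffixes, and the treatment of branches the warning does not name (1.1.x, 1.3.x, anything after 1.5.x) are assumptions of this sketch.

```python
import re

# First fixed release per branch, taken from the warning quoted above.
FIXED_PATCH = {(1, 0): 57, (1, 2): 47, (1, 4): 9, (1, 5): 9}
FIRST_AFFECTED = (1, 0, 6)   # "from 1.0.6"
LAST_BRANCH = (1, 5)         # newest branch the warning covers

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)((?:alpha|beta|rc)\d*)?$")


def parse_version(version):
    """Split '1.5.9rc01' into ((1, 5, 9), True); the flag marks a pre-release."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError("unrecognised libpng version: %r" % version)
    numbers = tuple(int(part) for part in match.group(1, 2, 3))
    return numbers, match.group(4) is not None


def is_affected(version):
    """True if the warning's ranges for CVE-2011-3026 cover this version."""
    (major, minor, patch), prerelease = parse_version(version)
    if (major, minor, patch) < FIRST_AFFECTED:
        return False              # older than the first affected release
    if (major, minor) > LAST_BRANCH:
        return False              # assumption: later branches are outside the warning
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return True               # assumption: in range, no fixed release named
    if patch < fixed:
        return True
    # Assumption: a beta/rc of the fixed release is not known to carry the fix.
    return patch == fixed and prerelease


def affected_packages(installed):
    """Filter a {package name: libpng version} mapping down to affected entries."""
    return sorted(name for name, ver in installed.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real system.
    sample = {"libpng12": "1.2.46", "libpng14": "1.4.9", "libpng15": "1.5.9rc01"}
    print(affected_packages(sample))
```
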