Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 28 Mar 2011 11:00:00 -0400 (EDT)
From: "Steven M. Christey" <>
Subject: Re: CVE Request: libpng memory leak

On Tue, 22 Mar 2011, Ludwig Nussel wrote:

> libpng has this in it's changelog┬╣:
> version 1.2.39beta05 [August 1, 2009]
>  Reject attempt to write iCCP chunk with negative embedded profile length
>    (JD Chen)
> As it turned out this fixes a DoS (memory consumption on x86_64 and
> a segfault on i386) if e.g. GraphicsMagick is used to convert certain
> jpeg files to png.
> The bug was introduced in 1.2.13beta1:

> Then an incomplete attempt to fix it in 1.2.15beta3, due to 


This gets CVE-2006-7244

> And finally fixed in 1.2.39beta5:

Since CVE-2006-7244 was a partial fix, this final fix should probably get 
its own ID.

So, use CVE-2009-5063.

- Steve

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ