Date: Thu, 10 Apr 2014 07:52:23 -0400 (EDT)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE-2013-7353 CVE-2013-7354 libpng integer overflows

http://sourceforge.net/p/libpng/bugs/199/

Use CVE-2013-7353 for "png_set_unknown_chunks in libpng/pngset.c ...
Fixed in libpng-1.5.14beta08"

("has four integer overflow bugs" is apparently a typo of "has one
integer overflow bug")

Use CVE-2013-7354 for "The png_set_sPLT() and png_set_text_2()
functions have a similar bug, which is fixed in libpng-1.5.14rc03" --
this has a different discoverer.

The vendor mentions that internal calls use safe values. These issues
could potentially affect applications that use the libpng API.
Apparently no such applications were identified as part of the work on
bug 199.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]