OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 15-Jan-2003 16:19:01
Branch: HEAD Handle: 2003011515190100
Modified files:
openpkg-web/security OpenPKG-SA-2003.001-png.txt
Log:
may cause; src and bin tutorial; rebuild and install; renumber
Summary:
Revision Changes Path
1.2 +19 -18 openpkg-web/security/OpenPKG-SA-2003.001-png.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.001-png.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.001-png.txt
--- openpkg-web/security/OpenPKG-SA-2003.001-png.txt 15 Jan 2003 14:52:14 -0000
1.1
+++ openpkg-web/security/OpenPKG-SA-2003.001-png.txt 15 Jan 2003 15:19:01 -0000
1.2
@@ -25,25 +25,24 @@
Description:
According to a Debian security advisory based on hints from Glenn
- Randers-Pehrson [7], a buffer overflow vulnerability exists in the
- Portable Network Graphics (PNG) library libpng [0] in connection with
+ Randers-Pehrson [0], a buffer overflow vulnerability exists in the
+ Portable Network Graphics (PNG) library libpng [1] in connection with
16-bit samples. The starting offsets for the loops are calculated
- incorrectly which causes a buffer overrun beyond the beginning of the
+ incorrectly which may cause a buffer overrun beyond the beginning of the
row buffer. The Common Vulnerabilities and Exposures (CVE) project
- assigned the id CAN-2002-1363 [8] to the problem.
+ assigned the id CAN-2002-1363 [2] to the problem.
Please check whether you are affected by running "<prefix>/bin/rpm
-qa png". If you have the "png" package installed and its version
is affected (see above), we recommend that you immediately upgrade
- it (see Solution). Additionally, we recommend that you rebuild and
- reinstall all dependent OpenPKG packages, too. [2]
+ it (see Solution) and it's dependent packages (see above), too. [3][4]
Solution:
Select the updated source RPM appropriate for your OpenPKG release
- [5][6], fetch it from the OpenPKG FTP service [3][4] or a mirror
- location, verify its integrity [1], build a corresponding binary RPM
- from it and update your OpenPKG installation by applying the binary
- RPM [2]. For the current release OpenPKG 1.1, perform the following
+ [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
+ location, verify its integrity [9], build a corresponding binary RPM
+ from it [3] and update your OpenPKG installation by applying the binary
+ RPM [4]. For the current release OpenPKG 1.1, perform the following
operations to permanently fix the security problem (for other releases
adjust accordingly).
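Review bot: the new line "it (see Solution) and it's dependent packages (see above), too. [3][4]" uses the contraction "it's" where the possessive "its" is meant; suggest "and its dependent packages". The renumbered citations themselves are consistent: [0] Debian advisory, [1] libpng, [2] CVE, [3][4] source/binary tutorial, [5][6] source RPMs, [7][8] FTP update directories, [9] signature verification all line up with the reference list rewritten in the next hunk, and "may cause" is a reasonable softening since the overrun depends on the image data being processed.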
@@ -57,19 +56,21 @@
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/png-1.2.4-1.1.1.*.rpm
- Then rebuild all dependent OpenPKG packages.
+ Additionally, we recommend that you rebuild and
+ reinstall all dependent OpenPKG packages, too. [3][4]
________________________________________________________________________
References:
- [0] http://www.libpng.org/
- [1] http://www.openpkg.org/security.html#signature
- [2] http://www.openpkg.org/tutorial.html#regular-source
- [3] ftp://ftp.openpkg.org/release/1.0/UPD/
- [4] ftp://ftp.openpkg.org/release/1.1/UPD/
+ [0] http://www.debian.org/security/2002/dsa-213
+ [1] http://www.libpng.org/
+ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363
+ [3] http://www.openpkg.org/tutorial.html#regular-source
+ [4] http://www.openpkg.org/tutorial.html#regular-binary
[5] ftp://ftp.openpkg.org/release/1.0/UPD/png-1.2.0-1.0.1.src.rpm
[6] ftp://ftp.openpkg.org/release/1.1/UPD/png-1.2.4-1.1.1.src.rpm
- [7] http://www.debian.org/security/2002/dsa-213
- [8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363
+ [7] ftp://ftp.openpkg.org/release/1.0/UPD/
+ [8] ftp://ftp.openpkg.org/release/1.1/UPD/
+ [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with
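Review bot: the added sentence "Additionally, we recommend that you rebuild and reinstall all dependent OpenPKG packages, too. [3][4]" is redundant in two ways. "Additionally ... too" doubles up; drop "too". It also now repeats the recommendation already made in the Description paragraph of the first hunk ("and it's dependent packages (see above), too. [3][4]"), so the Solution section could simply say "Then rebuild and reinstall all dependent OpenPKG packages [3][4]." and leave the rationale in Description. Positively, the reference list reorder is complete: every old URL survives under a new index and [9] for signature verification is referenced from the Solution text in the previous hunk.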
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]