On 2/26/2012 3:02 AM, marco atzeri wrote: > All versions of libpng from 1.0.6 through 1.5.8, 1.4.8, 1.2.46, and > 1.0.56, respectively, fail to correctly validate a heap allocation in > png_decompress_chunk(), which can lead to a buffer-overrun and the > possibility of execution of hostile code on 32-bit systems. This serious > vulnerability has been assigned ID CVE-2011-3026 and is fixed in version > 1.5.9 (and versions 1.4.9, 1.2.47, and 1.0.57, respectively, on the > older branches), released 18 February 2012.
Thanks. I'll update soon, and probably release a 1.5 package as well. -- Chuck
