On Sat, Oct 04, 2008 at 06:02:55PM +1000, Steffen Joeris wrote:
> Package: libpng
> Severity: important
> Tags: security, patch
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for libpng.
>
> CVE-2008-3964[0]:
> | Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4
> | before 1.4.0beta34, allow context-dependent attackers to cause a
> | denial of service (crash) or have unspecified other impact via a PNG
> | image with crafted zTXt chunks, related to (1) the png_push_read_zTXt
> | function in pngread.c, and possibly related to (2) pngtest.c.
>
> As discussed via private email before, the patch is:
>
> -#define PNG_tIME_STRING_LENGTH 30
> +#define PNG_tIME_STRING_LENGTH 29
>
> Please ask for a freeze exception for lenny.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> Cheers
> Steffen
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3964
>     http://security-tracker.debian.net/tracker/CVE-2008-3964
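Review bot: the #define change on its own leaves pngtest.c inconsistent: the existing initializer "no tIME chunk present in file" is 29 characters, so once PNG_tIME_STRING_LENGTH drops to 29 the array has no room for the terminating NUL (C accepts an initializer that exactly fills the array and silently leaves it unterminated). Apply it together with the shorter initializer from the upstream png-mng-implement thread, "tIME chunk is not present", and cite CVE-2008-3964 in the changelog entry as requested.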
See also further information at the following link:
http://sourceforge.net/mailarchive/forum.php?thread_name=092320081007.7752.48D8BFCF0006F51D00001E4822070009539F9D02020A0409%40comcast.net&forum_name=png-mng-implement

> Re: [png-mng-implement] off-by-one error(s) in libpng
> From: <[EMAIL PROTECTED]> - 2008-09-23 10:07
> -------------- Original message ----------------------
> From: "Glenn Randers-Pehrson" <[EMAIL PROTECTED]>
>> On Tue, Sep 9, 2008 at 9:47 AM, Steffen Joeris
>> <[EMAIL PROTECTED]> wrote:
>>> Hi
>>>
>>> (Since my email to [EMAIL PROTECTED] bounces, I am sending it to the
>>> list :) ).
>>>
>>> I am trying to check libpng in debian.
>>> I've read this announcement[0] and believe that the fix for
>>> pngpread.c is
>>> included in the current lenny version in debian, so I guess it must
>>> have been
>>> introduced after 1.2.27. However, I am trying to determine the patch
>>> for
>>> pngtest.c. Is it just this line:
>>>
>>> -#define PNG_tIME_STRING_LENGTH 30
>>> +#define PNG_tIME_STRING_LENGTH 29
>>
>> Yes, that's it.
>
> Oops-la, there's also this, to make the string actually fit in 29 bytes:
>
> -static char tIME_string[PNG_tIME_STRING_LENGTH] = "no tIME chunk present in
> file";
> +static char tIME_string[PNG_tIME_STRING_LENGTH] = "tIME chunk is not present";
>
> Glenn
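Review bot: the removed line of the tIME_string hunk is hard-wrapped by the mail client ("...present in" / "file";) and has to be applied as a single line, or the hunk will not match pngtest.c. The replacement "tIME chunk is not present" is 25 characters, 26 bytes with the terminator, so it fits the 29-byte array with room to spare; since the array has shrunk, any other copy into tIME_string in pngtest.c should be re-checked against the new PNG_tIME_STRING_LENGTH as well.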