Luca:

Based on the announcement at libpng and others, we should probably consider updating our version of libpng to the recently released v1.2.4.

Based on what I've read - but there isn't much info - I don't THINK we're vulnerable - it's more that a bad-guy server could kill the browser, vs. a specific request to ntop causing ntop to send the bad-guy stuff, but better safe than sorry... And because this - like many other advisories - will become a checklist item!

Any comments? Thoughts? Ideas? Gang??

-----Burton

References:

http://lwn.net/Alerts/5008/:
"The 1.2.4* and 1.0.14 releases of libpng solve a potential buffer overflow vulnerability[1] in some functions related to progressive image loading. Programs such as mozilla and various others use these functions. An attacker could exploit this to remotely run arbitrary code or crash an application by using a specially crafted png image."

http://www.libpng.org/pub/png/pngnews.html:
8 July 2002 - libpng 1.2.4 and 1.0.14 are released. These versions plug some memory leaks and eliminate a buffer-overflow vulnerability that could be triggered by too-large zlib streams. (This is completely unrelated to the zlib-specific vulnerability described in the 11 March 2002 entry below.)

ftp://swrinde.nde.swri.edu/pub/png-group/archives/png-list.200207
