-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory                            OpenPKG GmbH
http://openpkg.org/security/                     http://openpkg.com
OpenPKG-SA-2006.036                                     2006-11-17
________________________________________________________________________
Package: png
Vulnerability: denial of service
OpenPKG Specific: no
Affected Series:   Affected Packages:         Corrected Packages:
E1.0-SOLID         <= png-1.2.12-E1.0.0       >= png-1.2.12-E1.0.1
2-STABLE-20061018  <= png-1.2.12-2.20061018   >= png-1.2.13-2.20061116
2-STABLE           <= png-1.2.12-2.20061018   >= png-1.2.13-2.20061116
CURRENT            <= png-1.2.12-20061012     >= png-1.2.13-20061116
Description:
As confirmed by the vendor, a Denial of Service (DoS) vulnerability
exists in the PNG [0] image format library libpng [1], versions 1.0.6
through 1.0.20 of the 1.0 branch and all 1.2.x releases up to and
including 1.2.12. The bug is in the decoder for the sPLT ("suggested
palette") chunk: an application that uses libpng to process a
specially crafted PNG image carrying a malformed sPLT chunk can crash,
which amounts to a DoS. The Common Vulnerabilities and Exposures
(CVE) project assigned the id CVE-2006-5793 [2] to the problem.
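The following scanner is an added illustration for this advisory; it is not code from OpenPKG or from the libpng project. It walks the chunk structure of a PNG file as laid out in the PNG specification, reports every sPLT chunk together with any deviation from the spec's sPLT layout (name, NUL separator, sample depth, entry size), and can rewrite a file without its sPLT chunks. The sample image, the palette payloads and all function names are constructed here for demonstration. Because sPLT is an ancillary chunk, dropping it does not change how the image decodes; this is a triage and stopgap measure for images from untrusted sources and does not replace upgrading to the corrected packages listed above.

```python
"""Scan PNG files for sPLT chunks and optionally strip them.

Added illustration for the libpng sPLT advisory; not code from OpenPKG
or libpng. Chunk and sPLT layouts follow the PNG specification. The
sample image and payloads below are constructed for demonstration.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def crc_of(ctype, payload):
    """CRC-32 over chunk type and data, as the PNG spec requires."""
    return zlib.crc32(ctype + payload) & 0xFFFFFFFF


def make_chunk(ctype, payload):
    """Serialise one chunk: 4-byte length, 4-byte type, data, 4-byte CRC."""
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", crc_of(ctype, payload)))


def iter_chunks(data):
    """Yield (type, payload, crc_ok, offset) for each chunk in the file.

    Raises ValueError on a bad signature or a truncated chunk, so a
    length field pointing past the buffer is never trusted.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        yield ctype, payload, crc_of(ctype, payload) == crc, pos
        pos = end


def check_splt(payload):
    """Return spec violations found in an sPLT payload (empty list if clean).

    Layout: palette name (1-79 Latin-1 bytes), NUL, sample depth (8 or 16),
    then entries of 6 bytes (depth 8) or 10 bytes (depth 16).
    """
    problems = []
    nul = payload.find(b"\x00")
    if nul == -1:
        return ["no null separator after palette name"]
    if not 1 <= nul <= 79:
        problems.append("palette name length %d outside 1..79" % nul)
    if nul + 1 >= len(payload):
        return problems + ["missing sample depth byte"]
    depth = payload[nul + 1]
    if depth not in (8, 16):
        return problems + ["sample depth %d is not 8 or 16" % depth]
    entry_size = 6 if depth == 8 else 10
    body_len = len(payload) - (nul + 2)
    if body_len % entry_size:
        problems.append("entry data length %d is not a multiple of %d"
                        % (body_len, entry_size))
    return problems


def scan_png(data):
    """Return [(offset, problems)] for every sPLT chunk in the file."""
    found = []
    for ctype, payload, crc_ok, offset in iter_chunks(data):
        if ctype == b"sPLT":
            problems = check_splt(payload)
            if not crc_ok:
                problems.append("bad CRC")
            found.append((offset, problems))
    return found


def strip_splt(data):
    """Rewrite the PNG without sPLT chunks; all other chunks are kept and
    their CRCs recomputed. sPLT is ancillary, so decoding is unaffected."""
    out = [PNG_SIGNATURE]
    for ctype, payload, _crc_ok, _offset in iter_chunks(data):
        if ctype != b"sPLT":
            out.append(make_chunk(ctype, payload))
    return b"".join(out)


# Constructed 8-bit sPLT payloads: one complete entry, and one cut short.
GOOD_SPLT = b"pal\x00" + bytes([8]) + b"\xff\x00\x00\xff\x00\x01"
BAD_SPLT = b"pal\x00" + bytes([8]) + b"\xff\x00\x00\xff\x00"


def build_sample_png(splt_payload):
    """Constructed 1x1 8-bit greyscale PNG carrying one sPLT chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one grey sample
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"sPLT", splt_payload)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


if __name__ == "__main__":
    for label, payload in (("well-formed", GOOD_SPLT), ("truncated", BAD_SPLT)):
        png = build_sample_png(payload)
        print(label, "->", scan_png(png))
        print("  after strip_splt:", scan_png(strip_splt(png)))
```

The scanner deliberately refuses to follow a chunk length beyond the end of the buffer and checks each chunk's CRC, so it can be pointed at arbitrary untrusted files. It flags only structural deviations from the sPLT layout; the advisory does not describe which malformation triggers the libpng crash, so a clean report is not proof that a file is harmless, and the real remedy remains the corrected png package.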
________________________________________________________________________
References:
[0] http://www.libpng.org/pub/png/
[1] http://www.libpng.org/pub/png/libpng.html
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) which
you can retrieve from http://openpkg.org/openpkg.org.pgp. Follow the
instructions on http://openpkg.org/security/signatures/ for details on
how to verify the integrity of this advisory.
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>
iD8DBQFFXXaWgHWT4GPEy58RAhKOAJwMnHAAuITUWPEiMFaGMiBK9DattACeKq+J
T9O+2CcdG0iwbDjXV1/Sl40=
=6FRk
-----END PGP SIGNATURE-----