Bugtraq mailing list archives

[OpenPKG-SA-2003.001] OpenPKG Security Advisory (png)


From: OpenPKG <openpkg () openpkg org>
Date: Wed, 15 Jan 2003 16:41:59 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security () openpkg org                         openpkg () openpkg org
OpenPKG-SA-2003.001                                          15-Jan-2003
________________________________________________________________________

Package:             png
Vulnerability:       buffer overflow vulnerability
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= png-1.2.5-20021003       >= png-1.2.5-20030115
OpenPKG 1.1          <= png-1.2.4-1.1.0          >= png-1.2.4-1.1.1
OpenPKG 1.0          <= png-1.2.0-1.0.0          >= png-1.2.0-1.0.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache emacs gd gd1 gif2png gnuplot graphviz 
                     imagemagick libwmf netpbm perl-gd perl-tk pstoedit 
                     webalizer wml
OpenPKG 1.1          apache emacs gd gd1 gnuplot graphviz imagemagick 
                     perl-gd wml
OpenPKG 1.0          apache gd perl-gd

Description:
  According to a Debian security advisory based on hints from Glenn
  Randers-Pehrson [0], a buffer overflow vulnerability exists in the
  Portable Network Graphics (PNG) library libpng [1] in connection with
  16-bit samples. The starting offsets for the loops are calculated
  incorrectly, which may cause a buffer overrun beyond the beginning of
  the row buffer. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2002-1363 [2] to the problem.
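
  The following C program is an added illustration of the bug class
  described above. It is a constructed example, not code from libpng or
  from the OpenPKG png package: the in-place "add filler" transform, the
  function names, the guard layout and the sample row are all assumptions
  made for the demonstration. It shows why the defect is specific to
  16-bit samples: a backwards, in-place row transform that steps two
  bytes per sample but derives its starting offsets from a one-byte
  sample size walks off the beginning of the row, while for 8-bit data
  both offset calculations agree. A canary region placed before the row
  makes the underrun observable as a count instead of undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not libpng code): an in-place "add filler"
 * transform that widens every 16-bit pixel from `channels` samples to
 * `channels + 1` samples.  It walks the row from the end towards the
 * start so that source bytes are not overwritten before they are read. */

#define GUARD  32      /* canary bytes placed immediately before the row */
#define CANARY 0xA5

typedef struct { size_t sp; size_t dp; } row_offsets;

/* Correct starting offsets: one past the last source byte and one past
 * the last destination byte, both scaled by the real sample width. */
row_offsets offsets_fixed(size_t width, size_t channels, int bit_depth)
{
    size_t bps = (bit_depth == 16) ? 2 : 1;
    row_offsets o = { width * channels * bps, width * (channels + 1) * bps };
    return o;
}

/* The bug pattern: offsets computed as if every sample were one byte.
 * For 8-bit rows this equals offsets_fixed(); for 16-bit rows it is half
 * of what the two-bytes-per-sample loop below is going to walk. */
row_offsets offsets_buggy(size_t width, size_t channels, int bit_depth)
{
    (void)bit_depth;                       /* assumed bug: depth ignored */
    row_offsets o = { width * channels, width * (channels + 1) };
    return o;
}

/* Precondition a transform should check: the starting offsets must equal
 * the number of bytes the loop is about to walk, otherwise it ends below
 * offset 0, i.e. before the row buffer. */
int offsets_consistent(size_t width, size_t channels, int bit_depth,
                       row_offsets o)
{
    size_t bps = (bit_depth == 16) ? 2 : 1;
    return o.sp == width * channels * bps &&
           o.dp == width * (channels + 1) * bps;
}

/* Run the 16-bit transform on `row`, which must be preceded by GUARD
 * canary bytes inside the same allocation.  Returns the number of canary
 * bytes clobbered, or -1 if the loop would have left even the guard. */
int add_filler_16(uint8_t *row, size_t width, size_t channels,
                  uint16_t filler, row_offsets o)
{
    long sp = (long)o.sp, dp = (long)o.dp;
    for (size_t i = 0; i < width; i++) {
        dp -= 2;                                 /* the new filler sample */
        if (dp < -GUARD) return -1;
        row[dp]     = (uint8_t)(filler >> 8);
        row[dp + 1] = (uint8_t)(filler & 0xFF);
        for (size_t c = 0; c < channels; c++) {  /* shift existing samples */
            dp -= 2; sp -= 2;
            if (dp < -GUARD || sp < -GUARD) return -1;
            row[dp]     = row[sp];
            row[dp + 1] = row[sp + 1];
        }
    }
    int clobbered = 0;
    for (int g = 1; g <= GUARD; g++)
        if (row[-g] != CANARY) clobbered++;
    return clobbered;
}

/* Constructed sample input: a 4-pixel, 16-bit grayscale row (1 channel),
 * expanded in place to gray + 0xFFFF filler.  Returns the clobber count
 * and copies the 16 output bytes into `out` when it is non-NULL. */
int run_demo(int use_buggy_offsets, uint8_t out[16])
{
    enum { WIDTH = 4, CHANNELS = 1, ROW_BYTES = WIDTH * (CHANNELS + 1) * 2 };
    static const uint8_t input[WIDTH * CHANNELS * 2] =
        { 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04 };
    uint8_t buf[GUARD + ROW_BYTES];
    memset(buf, CANARY, sizeof buf);
    uint8_t *row = buf + GUARD;
    memcpy(row, input, sizeof input);
    row_offsets o = use_buggy_offsets ? offsets_buggy(WIDTH, CHANNELS, 16)
                                      : offsets_fixed(WIDTH, CHANNELS, 16);
    int clobbered = add_filler_16(row, WIDTH, CHANNELS, 0xFFFF, o);
    if (out) memcpy(out, row, ROW_BYTES);
    return clobbered;
}

/* The correct transform yields sample, filler, sample, filler, ... */
int fixed_output_matches_expected(void)
{
    static const uint8_t expected[16] =
        { 0x00, 0x01, 0xFF, 0xFF, 0x00, 0x02, 0xFF, 0xFF,
          0x00, 0x03, 0xFF, 0xFF, 0x00, 0x04, 0xFF, 0xFF };
    uint8_t out[16];
    return run_demo(0, out) == 0 && memcmp(out, expected, 16) == 0;
}

int main(void)
{
    printf("buggy offsets clobbered %d canary bytes\n", run_demo(1, NULL));
    printf("fixed offsets clobbered %d canary bytes\n", run_demo(0, NULL));
    return fixed_output_matches_expected() ? 0 : 1;
}
```

  With the assumed buggy offsets the backwards loop writes eight bytes
  below the start of the row and reads four, exactly the "beyond the
  beginning of the row buffer" case; with the corrected offsets the
  guard is untouched. The offsets_consistent() check is the kind of
  precondition a row transform can assert before it starts walking.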

  Please check whether you are affected by running "<prefix>/bin/rpm
  -qa png". If you have the "png" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), if any, too.
  [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get png-1.2.4-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig png-1.2.4-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild png-1.2.4-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/png-1.2.4-1.1.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too. [3][4]
________________________________________________________________________

References:
  [0] http://www.debian.org/security/2002/dsa-213
  [1] http://www.libpng.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.0/UPD/png-1.2.0-1.0.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/png-1.2.4-1.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.0/UPD/
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg () openpkg org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg () openpkg org>

iD8DBQE+JYCpgHWT4GPEy58RAk3eAJ9dG8BbE6BNmvWA2GOZuRNWL5lLZQCghoWd
P4HMyx1pxytvcak6xgBPRPM=
=Ulpx
-----END PGP SIGNATURE-----

