Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Security Update: [CSSA-2002-042.0] Linux: libpng progressive image loading vulnerabilities and other buffer overflows
From: security () caldera com
Date: Tue, 12 Nov 2002 13:45:18 -0800

To: bugtraq () securityfocus com announce () lists caldera com security-alerts () linuxsecurity com full-disclosure () 
lists netsys com

______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: libpng progressive image loading vulnerabilities and other buffer overflows
Advisory number:        CSSA-2002-042.0
Issue date:             2002 November 12
Cross reference:
______________________________________________________________________________


1. Problem Description

        There are two buffer overflow vulnerabilities in the libpng code:
        one of which can allow attackers to cause a denial of service,
        and the other that can cause a denial of service with the
        possibility of executing arbitrary code.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to libpng-1.0.15-5MR.i386.rpm
                                        prior to libpng-devel-1.0.15-5MR.i386.rpm
                                        prior to libpng-devel-static-1.0.15-5MR.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to libpng-1.0.15-5MR.i386.rpm
                                        prior to libpng-devel-1.0.15-5MR.i386.rpm
                                        prior to libpng-devel-static-1.0.15-5MR.i386.rpm

        OpenLinux 3.1 Server            prior to libpng-1.0.15-5MR.i386.rpm
                                        prior to libpng-devel-1.0.15-5MR.i386.rpm
                                        prior to libpng-devel-static-1.0.15-5MR.i386.rpm

        OpenLinux 3.1 Workstation       prior to libpng-1.0.15-5MR.i386.rpm
                                        prior to libpng-devel-1.0.15-5MR.i386.rpm
                                        prior to libpng-devel-static-1.0.15-5MR.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-042.0/RPMS

        4.2 Packages

        93221732f6fcd8d2a06082d68ce460e2        libpng-1.0.15-5MR.i386.rpm
        98fb336313cdd6e4b5e0d2e80f0e6de5        libpng-devel-1.0.15-5MR.i386.rpm
        c474133b01b1f7f39d65fd017635e109        libpng-devel-static-1.0.15-5MR.i386.rpm

        4.3 Installation

        rpm -Fvh libpng-1.0.15-5MR.i386.rpm
        rpm -Fvh libpng-devel-1.0.15-5MR.i386.rpm
        rpm -Fvh libpng-devel-static-1.0.15-5MR.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-042.0/SRPMS

        4.5 Source Packages

        512eda0dec68d56065b515ecd540f585        libpng-1.0.15-5MR.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-042.0/RPMS

        5.2 Packages

        f92a046d343a7f174b4912e3be8e6e5b        libpng-1.0.15-5MR.i386.rpm
        0106b36eb2d7d6469f04e43b2752ebfa        libpng-devel-1.0.15-5MR.i386.rpm
        b036341f4c3db77dd44c071aa863781c        libpng-devel-static-1.0.15-5MR.i386.rpm

        5.3 Installation

        rpm -Fvh libpng-1.0.15-5MR.i386.rpm
        rpm -Fvh libpng-devel-1.0.15-5MR.i386.rpm
        rpm -Fvh libpng-devel-static-1.0.15-5MR.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-042.0/SRPMS

        5.5 Source Packages

        95fa381705ae3d28b971d3f96592ec73        libpng-1.0.15-5MR.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-042.0/RPMS

        6.2 Packages

        112edf2530cc5df8a1c54f18a26b5b41        libpng-1.0.15-5MR.i386.rpm
        8fe1bf881e31e38c34100569b52a5213        libpng-devel-1.0.15-5MR.i386.rpm
        411476fc864656d877b43d695f7cc789        libpng-devel-static-1.0.15-5MR.i386.rpm

        6.3 Installation

        rpm -Fvh libpng-1.0.15-5MR.i386.rpm
        rpm -Fvh libpng-devel-1.0.15-5MR.i386.rpm
        rpm -Fvh libpng-devel-static-1.0.15-5MR.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-042.0/SRPMS

        6.5 Source Packages

        d8fb9343ec9a91e36fbd0375e478a5a2        libpng-1.0.15-5MR.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-042.0/RPMS

        7.2 Packages

        450c615089d6ee0af856574111dfb074        libpng-1.0.15-5MR.i386.rpm
        e160fd394b9a116fa68e7cdffd8d6dec        libpng-devel-1.0.15-5MR.i386.rpm
        28543b8410403f28a1dc8949cf82eb2f        libpng-devel-static-1.0.15-5MR.i386.rpm

        7.3 Installation

        rpm -Fvh libpng-1.0.15-5MR.i386.rpm
        rpm -Fvh libpng-devel-1.0.15-5MR.i386.rpm
        rpm -Fvh libpng-devel-static-1.0.15-5MR.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-042.0/SRPMS

        7.5 Source Packages

        29579bd08c919cd5de11acbc11026e21        libpng-1.0.15-5MR.src.rpm


8. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0728
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0660
                ftp://swrinde.nde.swri.edu/pub/png-group/archives/png-list.200207

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr867868, fz525853,
        erg712105.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.

______________________________________________________________________________

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
  • Security Update: [CSSA-2002-042.0] Linux: libpng progressive image loading vulnerabilities and other buffer overflows security (Nov 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault