This is the mail archive of the cygwin-apps mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [SECURITY] libpng vulnerabilities

From: Charles Wilson <cygwin at cwilson dot fastmail dot fm>
To: Mailing List: CygWin-Apps <cygwin-apps at cygwin dot com>
Date: Mon, 27 Feb 2012 10:27:43 -0500
Subject: Re: [SECURITY] libpng vulnerabilities
References: <4F49E71A.9010006@gmail.com>
Reply-to: Charles Wilson <cygwin at cwilson dot fastmail dot fm>

On 2/26/2012 3:02 AM, marco atzeri wrote:
> All versions of libpng from 1.0.6 through 1.5.8, 1.4.8, 1.2.46, and
> 1.0.56, respectively, fail to correctly validate a heap allocation in
> png_decompress_chunk(), which can lead to a buffer-overrun and the
> possibility of execution of hostile code on 32-bit systems. This serious
> vulnerability has been assigned ID CVE-2011-3026 and is fixed in version
> 1.5.9 (and versions 1.4.9, 1.2.47, and 1.0.57, respectively, on the
> older branches), released 18 February 2012.

Thanks. I'll update soon, and probably release a 1.5 package as well.

--
Chuck

References:
- [SECURITY] libpng vulnerabilities
  - From: marco atzeri

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]