LinuxQuestions.org


rgiggs 08-06-2004 03:51 AM

libpng flaw
 
Hi,
A few security flaws have been discovered in libpng. I'm waiting for Slackware to release an update package. Do they even do that? If so, how long does it usually take the Slackware team to release it?
thanks.

Cedrik 08-06-2004 04:11 AM

Quote:

Steve Grubb discovered an out of bounds memory access flaw in libpng. An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash when opened by a victim. This issue may not be used to execute arbitrary code.

Don't worry, it is not an urgent security problem; the only bad thing it may cause is crashing an application when it opens a bad PNG file.

rgiggs 08-06-2004 04:21 AM

I'm talking about this article http://news.com.com/Image+flaw+pierc...?tag=nefd.top, which says, "The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image."

Cedrik 08-06-2004 04:52 AM

I read the original report and re-read it again; for my part, the worst thing it can do on my system is crash Mozilla ;)

But maybe this security flaw is more important for web hosting that lets users upload PNG files, or sites that use dynamic PNG file creation by PHP with libpng support...

MobyTurbo 08-06-2004 04:57 AM

The update will be announced in the slackware-security mailing list, whose archives are available on slackware.com. You can download updates to your system in the "patches" directory on Slackware ftp mirrors, or just click on the URLs in the announcement, if I recall correctly.

Perhaps Patrick (the founder and maintainer of Slackware) is waiting for the official release of the next version of libpng rather than backporting the fix or sending out a release-candidate. I wouldn't be overly concerned though, he has released security fixes for libpng before, so I assume he will again. He tends to be prompt about it which is why I figure these things could be holding it up.


All times are GMT -5.