LinuxQuestions.org
Old 08-06-2004, 03:51 AM   #1
rgiggs
Member
 
Registered: Apr 2004
Location: berkeley, ca
Distribution: slk10, winxp
Posts: 313

Rep: Reputation: 30
libpng flaw


hi,
a few security flaws have been discovered in libpng. i'm waiting for slackware to release an update package. do they even do that? if so, how long does it usually take the slackware team to release it?
thanks.
 
Old 08-06-2004, 04:11 AM   #2
Cedrik
Senior Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 2,140

Rep: Reputation: 243
Quote:
Steve Grubb discovered an out of bounds memory access flaw in libpng. An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash when opened by a victim. This issue may not be used to execute arbitrary code.
Don't worry, it is not an urgent security problem; the only bad thing it may cause is to crash an application when it opens a bad png file.
 
Old 08-06-2004, 04:21 AM   #3
rgiggs
Member
 
Registered: Apr 2004
Location: berkeley, ca
Distribution: slk10, winxp
Posts: 313

Original Poster
Rep: Reputation: 30
i'm talking about this article http://news.com.com/Image+flaw+pierc...?tag=nefd.top, which says, "The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image."
 
Old 08-06-2004, 04:52 AM   #4
Cedrik
Senior Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 2,140

Rep: Reputation: 243
I read the original report and re-read it again; for my part, the worst thing it can do on my system is crash mozilla.

But maybe this security flaw is more important for web hosting that lets users upload png files, or sites that use dynamic png file creation by php with libpng support...
 
Old 08-06-2004, 04:57 AM   #5
MobyTurbo
Member
 
Registered: May 2002
Location: Brooklyn, NY
Distribution: Slackware
Posts: 45

Rep: Reputation: 15
The update will be announced in the slackware-security mailing list, whose archives are available on slackware.com. You can download updates to your system in the "patches" directory on Slackware ftp mirrors, or just click on the URLs in the announcement, if I recall correctly.

Perhaps Patrick (the founder and maintainer of Slackware) is waiting for the official release of the next version of libpng rather than backporting the fix or sending out a release-candidate. I wouldn't be overly concerned though, he has released security fixes for libpng before, so I assume he will again. He tends to be prompt about it which is why I figure these things could be holding it up.
 
  

