| Description: | Description:
The remote host is missing an update to libpng10
announced via advisory FEDORA-2008-3683.
Update Information:
This update fixes the way that libpng10 handles unknown zero-length chunks,
which in previous versions could result in writing to attacker controlled
addresses, depending on how the libpng api is used. To be affected, an
application would have to call png_set_keep_unknown_chunks(), which tells libpng
not to ignore unknown chunks, but to do something with them. The PNG spec
allows for unknown chunks, which are ignored by default, but an application
could in theory embed some sort of extra data in a png image, then later get it
back out via this mechanism. No packages in Fedora are believed to be
affected by this issue, but it's possible that third-party applications could
be.
ChangeLog:
* Fri May 9 2008 Paul Howarth 1.0.37-1
- update to 1.0.37
- autotools patch no longer needed
- explicitly specify the library filename in %files as a consistency check
References:
[ 1 ] Bug #441839 - CVE-2008-1382 libpng unknown chunk handling flaw
https://bugzilla.redhat.com/show_bug.cgi?id=441839
Solution: Apply the appropriate updates.
This update can be installed with the yum update program. Use
su -c 'yum update libpng10' at the command line.
For more information, refer to Managing Software with yum,
available at http://docs.fedoraproject.org/yum/.
http://www.securityspace.com/smysecure/catid.html?in=FEDORA-2008-3683
Risk factor : High
CVSS Score:
7.5
|
