Opened 5 years ago

Closed 5 years ago

#8715 closed enhancement (fixed)

libpng-1.6.27

Reported by: ken@…
Owned by: ken@…
Priority: high
Milestone: 8.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

Spotted in an lwn report of security fixes by Slackware: libpng-1.6.27. Not showing in the normal link to sourceforge, but the external home page http://www.libpng.org/pub/png/libpng.html points to [prdownloads.sourceforge.net/libpng/libpng-1.6.27.tar.xz/download] which worked for me (whether it works when editing the book is, of course, a different matter).

From the external home page:

Vulnerability Warning

Virtually all libpng versions through 1.6.26, 1.5.27, 1.4.19, 1.2.56, and 1.0.66, respectively, have a null-pointer-dereference bug in png_set_text_2() when an image-editing application adds, removes, and re-adds text chunks to a PNG image. (This bug does not affect pure viewers, nor are there any known editors that could trigger it without interactive user input. It has been assigned ID CVE-2016-10087.) The vulnerability is fixed in versions 1.6.27, 1.5.28, 1.4.20, 1.2.57, and 1.0.67, released on 29 December 2016.

Change History (4)

comment:1 by ken@…, 5 years ago

Owner: changed from blfs-book@… to ken@…
Priority: normal → high
Status: new → assigned

comment:2 by ken@…, 5 years ago

hmm, it is showing at http://libpng.sourceforge.net/ and it is indeed at https://sourceforge.net/projects/libpng/files/libpng16/ but it looks like the details of what is the latest version didn't get updated. I'll subscribe to their list.

comment:3 by ken@…, 5 years ago

Fixed in r18128.

comment:4 by ken@…, 5 years ago

Resolution: fixed
Status: assigned → closed