__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Updated "libpng" Packages Fix Security Issue [RHSA-2004:249-07] June 18, 2004 16:00 GMT Number O-165 [REVISED 4 Aug 2004] [REVISED 6 Aug 2004] [REVISED 10 Aug 2004] [REVISED 18 Aug 2004] ______________________________________________________________________________ PROBLEM: The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. There is a possible buffer overflow security issue in libpng. PLATFORM: Red Hat Desktop (v.3) Red Hat Enterprise Linux AS, ES, and WS (v.3) Red Hat Enterprise Linux AS, ES, and WS (v.2.1) SGI Linux Environment 3 Debian GNU/Linux 3.0 (woody) Mac OS X 10.3.4 and Mac OS X 10.2.8 DAMAGE: An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash or potentially execute arbitrary code when opened by a victim. SOLUTION: Upgrade to the appropriate package. ______________________________________________________________________________ VULNERABILITY The risk is LOW. An attacker could cause a denial or service or ASSESSMENT: execute arbitrary code when opened by a victim. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-165.shtml ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2004-249.html ADDITIONAL LINKS: - Red Hat - RHSA-2204:402-08 https://rhn.redhat.com/errata/RHSA-2004-402.html - SGI - #20040606-01-U ftp://patches.sgi.com/support/free/security/advisories/ 20040606-01-U.asc - SGI - #20040803-01-U http://www.sgi.com/support/security/advisories.html - Debian: DSA 536-1 http://www.debian.org/security/2004/dsa-536 - Apple Security Update 2004-08-09 http://docs.info.apple.com/article.html?artnum=61798 CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2002-1363 ______________________________________________________________________________ REVISION HISTORY: 08/04/2004 - Added links to Red Hat RHSA-2204-08 and SGI #20040606-01-U advisories. 08/06/2004 - Added link to Debian DSA-536. 08/10/2004 - Added link to Apple Security Updates. 08/18/2004 - Added a link to SGI Security Advisory 20040803-01-U Update #24 for SGI ProPack v2.4. [***** Start RHSA-2004:249-07 *****] Updated libpng packages fix security issue Advisory: RHSA-2004:249-07 Last updated on: 2004-06-18 Affected Products: Red Hat Desktop (v. 3) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux WS (v. 3) CVEs (cve.mitre.org): CAN-2002-1363 Security Advisory Details: Updated libpng packages that fix a possible buffer overflow are now available. The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. During an audit of Red Hat Linux updates, the Fedora Legacy team found a security issue in libpng that had not been fixed in Red Hat Enterprise Linux 3. An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash or potentially execute arbitrary code when opened by a victim. Note: this issue does not affect Red Hat Enterprise Linux 2.1 Users are advised to upgrade to these updated packages that contain a backported security fix and are not vulnerable to this issue. Updated packages: Red Hat Desktop (v. 3) -------------------------------------------------------------------------------- AMD64: libpng-1.2.2-24.x86_64.rpm 56f6e9b47b537fe124b9ed874c379bcc libpng-devel-1.2.2-24.x86_64.rpm 36c04c69972678f7279991cbf49763ad libpng10-1.0.13-14.x86_64.rpm 8b12075058f65c087e97f88f9d63e027 libpng10-devel-1.0.13-14.x86_64.rpm 14dd5f536db290d29895252af5a38b5e SRPMS: libpng-1.2.2-24.src.rpm 955bd34890b25d65120f30250a75d2fb libpng10-1.0.13-14.src.rpm 4959b14e2264df985dacfac43e24df40 i386: libpng-1.2.2-24.i386.rpm af63ef937508fd3bc25bb54203e9d9da libpng-devel-1.2.2-24.i386.rpm 80f1c12114bf5648ccf56c270a3dcd5e libpng10-1.0.13-14.i386.rpm 645136e04ec539eabf6c9f8106f62f47 libpng10-devel-1.0.13-14.i386.rpm d42c29c9604d0b2db4af78f5875bb468 libpng-1.2.2-24.i386.rpm af63ef937508fd3bc25bb54203e9d9da Red Hat Enterprise Linux AS (v. 3) -------------------------------------------------------------------------------- AMD64: libpng-1.2.2-24.x86_64.rpm 56f6e9b47b537fe124b9ed874c379bcc libpng-devel-1.2.2-24.x86_64.rpm 36c04c69972678f7279991cbf49763ad libpng10-1.0.13-14.x86_64.rpm 8b12075058f65c087e97f88f9d63e027 libpng10-devel-1.0.13-14.x86_64.rpm 14dd5f536db290d29895252af5a38b5e SRPMS: libpng-1.2.2-24.src.rpm 955bd34890b25d65120f30250a75d2fb libpng10-1.0.13-14.src.rpm 4959b14e2264df985dacfac43e24df40 i386: libpng-1.2.2-24.i386.rpm af63ef937508fd3bc25bb54203e9d9da libpng-devel-1.2.2-24.i386.rpm 80f1c12114bf5648ccf56c270a3dcd5e libpng10-1.0.13-14.i386.rpm 645136e04ec539eabf6c9f8106f62f47 libpng10-devel-1.0.13-14.i386.rpm d42c29c9604d0b2db4af78f5875bb468 libpng-1.2.2-24.i386.rpm af63ef937508fd3bc25bb54203e9d9da ia64: libpng-1.2.2-24.ia64.rpm 4c046aafa3cc058427ca2ffe3df4374c libpng-devel-1.2.2-24.ia64.rpm cd5181aeae289c6446d4458071c18d2c libpng10-1.0.13-14.ia64.rpm 5168760faafc399c90958c60412ce516 libpng10-devel-1.0.13-14.ia64.rpm fe4a1b47268982804c2068ba6158c8d2 ppc: libpng-1.2.2-24.ppc.rpm 3f9f8f07958ccdbdae1dd5658d1f660d libpng-devel-1.2.2-24.ppc.rpm 935fbe2f7afb316145a9d3ec738718be libpng10-1.0.13-14.ppc.rpm 03469eece5ab2c757fce148964438f8a libpng10-devel-1.0.13-14.ppc.rpm 882bd95074aba728c10e1b44f96a4de4 ppc64: libpng-1.2.2-24.ppc64.rpm a28f7104fa22ffba7c9c972721726efa libpng-devel-1.2.2-24.ppc64.rpm 5d557d5ecc04f15ad45007ded47c7b22 s390: libpng-1.2.2-24.s390.rpm 99edb05b88fa05393594006cde3605a9 libpng-devel-1.2.2-24.s390.rpm 2a8b05e84202c872c84852b143480a98 libpng10-1.0.13-14.s390.rpm ee7bce6430e786d94ffb598f1f0cc842 libpng10-devel-1.0.13-14.s390.rpm 6d8ca64a3f82caa142ceae5be4a36817 libpng-1.2.2-24.s390.rpm 99edb05b88fa05393594006cde3605a9 s390x: libpng-1.2.2-24.s390x.rpm 3b5305cb0962ffd7d1a7472f8416efc1 libpng-devel-1.2.2-24.s390x.rpm 294c94237c1caa1e3f7c71b21091c7c5 libpng10-1.0.13-14.s390x.rpm a3a639aceb65debb84ced820828611ed libpng10-devel-1.0.13-14.s390x.rpm 34ab7cea51cf9f6b644787a746bf5726 Red Hat Enterprise Linux ES (v. 3) -------------------------------------------------------------------------------- AMD64: libpng-1.2.2-24.x86_64.rpm 56f6e9b47b537fe124b9ed874c379bcc libpng-devel-1.2.2-24.x86_64.rpm 36c04c69972678f7279991cbf49763ad libpng10-1.0.13-14.x86_64.rpm 8b12075058f65c087e97f88f9d63e027 libpng10-devel-1.0.13-14.x86_64.rpm 14dd5f536db290d29895252af5a38b5e SRPMS: libpng-1.2.2-24.src.rpm 955bd34890b25d65120f30250a75d2fb libpng10-1.0.13-14.src.rpm 4959b14e2264df985dacfac43e24df40 i386: libpng-1.2.2-24.i386.rpm af63ef937508fd3bc25bb54203e9d9da libpng-devel-1.2.2-24.i386.rpm 80f1c12114bf5648ccf56c270a3dcd5e libpng10-1.0.13-14.i386.rpm 645136e04ec539eabf6c9f8106f62f47 libpng10-devel-1.0.13-14.i386.rpm d42c29c9604d0b2db4af78f5875bb468 libpng-1.2.2-24.i386.rpm af63ef937508fd3bc25bb54203e9d9da ia64: libpng-1.2.2-24.ia64.rpm 4c046aafa3cc058427ca2ffe3df4374c libpng-devel-1.2.2-24.ia64.rpm cd5181aeae289c6446d4458071c18d2c libpng10-1.0.13-14.ia64.rpm 5168760faafc399c90958c60412ce516 libpng10-devel-1.0.13-14.ia64.rpm fe4a1b47268982804c2068ba6158c8d2 Red Hat Enterprise Linux WS (v. 3) -------------------------------------------------------------------------------- AMD64: libpng-1.2.2-24.x86_64.rpm 56f6e9b47b537fe124b9ed874c379bcc libpng-devel-1.2.2-24.x86_64.rpm 36c04c69972678f7279991cbf49763ad libpng10-1.0.13-14.x86_64.rpm 8b12075058f65c087e97f88f9d63e027 libpng10-devel-1.0.13-14.x86_64.rpm 14dd5f536db290d29895252af5a38b5e SRPMS: libpng-1.2.2-24.src.rpm 955bd34890b25d65120f30250a75d2fb libpng10-1.0.13-14.src.rpm 4959b14e2264df985dacfac43e24df40 i386: libpng-1.2.2-24.i386.rpm af63ef937508fd3bc25bb54203e9d9da libpng-devel-1.2.2-24.i386.rpm 80f1c12114bf5648ccf56c270a3dcd5e libpng10-1.0.13-14.i386.rpm 645136e04ec539eabf6c9f8106f62f47 libpng10-devel-1.0.13-14.i386.rpm d42c29c9604d0b2db4af78f5875bb468 libpng-1.2.2-24.i386.rpm af63ef937508fd3bc25bb54203e9d9da ia64: libpng-1.2.2-24.ia64.rpm 4c046aafa3cc058427ca2ffe3df4374c libpng-devel-1.2.2-24.ia64.rpm cd5181aeae289c6446d4458071c18d2c libpng10-1.0.13-14.ia64.rpm 5168760faafc399c90958c60412ce516 libpng10-devel-1.0.13-14.ia64.rpm fe4a1b47268982804c2068ba6158c8d2 (The unlinked packages above are only available from the Red Hat Network) Solution Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. If up2date fails to connect to Red Hat Network due to SSL Certificate Errors, you need to install a version of the up2date client with an updated certificate. The latest version of up2date is available from the Red Hat FTP site and may also be downloaded directly from the RHN website: https://rhn.redhat.com/help/latest-up2date.pxt References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363 -------------------------------------------------------------------------------- The listed packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/solutions/security/news/publickey/#key You can verify each package and see who signed it with the following command: rpm --checksig -v filename If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: md5sum filename The Red Hat security contact is security@redhat.com. More contact details at http://www.redhat.com/solutions/security/news/contact.html [***** End RHSA-2004:249-07 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-155: Kerberos Buffer Overflow Vulnerability O-156: Multiple Vulnerabilities in CVS O-157: Cisco CatOS Telnet, HTTP and SSH Vulnerability O-158: FTP Client Improperly handles Pipe Character in File Names O-159: NETGEAR WG602 Wireless Access Point Default Backdoor Account Vulnerability O-160: Microsoft Windows 2000 Advanced Server Security Bypass O-161: RealPlayer Security Vulnerabilities O-162: Red Hat Updated Tripwire Packages Fix Security Flaw O-163: Cisco IOS Malformed BGP Packet Causes Reload O-164: Red Hat Updated Kernel Packages Fix Security Vulnerabilities