Hello community, here is the log from the commit of package libpng checked in at Fri Nov 24 16:15:44 CET 2006. -------- --- libpng/libpng.changes 2006-07-17 17:31:58.000000000 +0200 +++ /mounts/work_src_done/STABLE/STABLE/libpng/libpng.changes 2006-11-23 18:51:55.000000000 +0100 @@ -1,0 +2,5 @@ +Thu Nov 23 18:47:29 CET 2006 - nadvornik@suse.cz + +- fixed crash on malformed sPLT chunks CVE-2006-5793 [#219007] + +------------------------------------------------------------------- New: ---- libpng-1.2.12-sPLT-chunk-CVE-2006-5793.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libpng.spec ++++++ --- /var/tmp/diff_new_pack.mlqFrK/_old 2006-11-24 16:14:22.000000000 +0100 +++ /var/tmp/diff_new_pack.mlqFrK/_new 2006-11-24 16:14:22.000000000 +0100 @@ -16,11 +16,12 @@ URL: http://www.libpng.org/pub/png/libpng.html Autoreqprov: on Version: 1.2.12 -Release: 2 +Release: 21 Summary: Library for the Portable Network Graphics Format Source: libpng-%{version}.tar.bz2 Patch: libpng-%{version}-setjmp.dif Patch2: libpng-%{version}-no-assembler.patch +Patch3: libpng-%{version}-sPLT-chunk-CVE-2006-5793.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -51,6 +52,7 @@ %setup %patch %patch2 +%patch3 %build ./autogen.sh @@ -92,6 +94,8 @@ %{_libdir}/pkgconfig/*.pc %changelog -n libpng +* Thu Nov 23 2006 - nadvornik@suse.cz +- fixed crash on malformed sPLT chunks CVE-2006-5793 [#219007] * Mon Jul 17 2006 - nadvornik@suse.cz - make sure PNG_NO_ASSEMBLER_CODE is used consistently * Thu Jun 29 2006 - nadvornik@suse.cz @@ -151,7 +155,7 @@ - fix neededforbuild * Wed Jul 24 2002 - nadvornik@suse.cz - updated to 1.2.4: -- fixed buffer overflow in pngpread.c when IDAT is + - fixed buffer overflow in pngpread.c when IDAT is corrupted with extra data * Fri Jul 12 2002 - schwab@suse.de - Fix makefile. 
@@ -173,8 +177,8 @@ - used macros %%{_lib} and %%{_libdir} * Tue Dec 04 2001 - nadvornik@suse.cz - update to 1.2.0 -- shared library version changed to 3.1.2.0 -- new API for dynamically enabling and disabling certain optimizations + - shared library version changed to 3.1.2.0 + - new API for dynamically enabling and disabling certain optimizations - added Provides: libpng-devel for compatibility [bug #11978] * Tue Jul 17 2001 - nadvornik@suse.cz - update to 1.0.12 ++++++ libpng-1.2.12-sPLT-chunk-CVE-2006-5793.patch ++++++ diff -ur libpng-1.2.12/pngset.c libpng-1.2.13/pngset.c --- pngset.c 2006-06-28 05:22:34.000000000 +0900 +++ pngset.c 2006-11-15 21:51:26.000000000 +0900 @@ -976,10 +976,10 @@ /* TODO: use png_malloc_warn */ png_strcpy(to->name, from->name); to->entries = (png_sPLT_entryp)png_malloc(png_ptr, - from->nentries * png_sizeof(png_sPLT_t)); + from->nentries * png_sizeof(png_sPLT_entry)); /* TODO: use png_malloc_warn */ png_memcpy(to->entries, from->entries, - from->nentries * png_sizeof(png_sPLT_t)); + from->nentries * png_sizeof(png_sPLT_entry)); to->nentries = from->nentries; to->depth = from->depth; } @@ -1224,7 +1224,7 @@ } /* we're replacing the settable bits with those passed in by the user, - * so first zero them out of the master copy, then logical-OR in the + * so first zero them out of the master copy, then bitwise-OR in the * allowed subset that was requested */ png_ptr->asm_flags &= ~settable_asm_flags; /* zero them */ 
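Review bot: In the pngset.c hunk at -976,10 the corrected size `from->nentries * png_sizeof(png_sPLT_entry)` is still computed without a range check, in both the png_malloc() and the png_memcpy() call. The declaration of nentries is not visible here, but if it is signed or taken directly from the caller, a negative or very large count could wrap the product and leave a buffer smaller than the `to->nentries` recorded just below. I would reject such a count before allocating, for example with `if (from->nentries < 0 || (png_size_t)from->nentries > PNG_SIZE_MAX / png_sizeof(png_sPLT_entry))`, and compute the byte count once into a local so both calls use the same value. The enclosing function starts and ends outside the hunk, so any validation done earlier in it cannot be seen from here.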
@@ -1256,6 +1256,7 @@ * rejected by png_set_IHDR(). To accept any PNG datastream * regardless of dimensions, set both limits to 0x7ffffffL. */ + if(png_ptr == NULL) return; png_ptr->user_width_max = user_width_max; png_ptr->user_height_max = user_height_max; } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
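Review bot: The new guard `if(png_ptr == NULL) return;` in the -1256,6 hunk sits between the comment explaining the width and height limits and the two assignments that comment describes, so the comment now reads as if it documented the NULL check. Moving the guard above the comment keeps the explanation attached to the assignments. Writing it as `if (png_ptr == NULL)` with `return;` on its own line would also be easier to read. The function's signature and the start of the comment are outside the hunk.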