Date: Sat, 20 Sep 2008 03:21:52 GMT
From: bf <bf2006a@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/127502: [PATCH]graphics/png: update to 1.2.32, which includes security fix
Message-ID: <200809200321.m8K3Lqbu024520@www.freebsd.org>
Resent-Message-ID: <200809200330.m8K3U1DY047294@freefall.freebsd.org>
>Number: 127502
>Category: ports
>Synopsis: [PATCH]graphics/png: update to 1.2.32, which includes security fix
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sat Sep 20 03:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: bf
>Release: 7-STABLE i386
>Organization: -
>Environment:
>Description:
Shortens tIME_string to 29 bytes in pngtest.c, and resolves:

Name: CVE-2008-3964
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3964
Phase: Assigned (20080909)
Category:
Reference: MLIST:[oss-security] 20080909 CVE request (libpng)
Reference: URL:http://www.openwall.com/lists/oss-security/2008/09/09/3
Reference: MLIST:[oss-security] 20080909 Re: CVE request (libpng)
Reference: URL:http://www.openwall.com/lists/oss-security/2008/09/09/8
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=624518
Reference: CONFIRM:http://sourceforge.net/tracker/index.php?func=detail&aid=2095669&group_id=5624&atid=105624

Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4 before 1.4.0beta34, allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a PNG image with crafted zTXt chunks, related to (1) the png_push_read_zTXt function in pngread.c, and possibly related to (2) pngtest.c.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

diff -ruN png.orig/Makefile png/Makefile --- png.orig/Makefile 2008-09-19 07:10:25.361949152 -0400 +++ png/Makefile 2008-09-19 07:16:25.947495918 -0400 @@ -6,7 +6,7 @@ # PORTNAME= png -PORTVERSION= 1.2.31 +PORTVERSION= 1.2.32 CATEGORIES= graphics MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= lib${PORTNAME} diff -ruN png.orig/distinfo png/distinfo --- png.orig/distinfo 2008-09-19 07:10:25.371953496 -0400 +++ png/distinfo 2008-09-19 07:16:25.947495918 -0400 
@@ -1,3 +1,3 @@ -MD5 (libpng-1.2.31.tar.bz2) = 78d2f8c4e0d64f8948819563587302d3 -SHA256 (libpng-1.2.31.tar.bz2) = 24b354dcd8843274a20e1625e04d618d43f9851082254cb9dae6f33f15c2a5cd -SIZE (libpng-1.2.31.tar.bz2) = 625715 +MD5 (libpng-1.2.32.tar.bz2) = df4a20c6f24a6f642ae11c9a5a4ffa7f +SHA256 (libpng-1.2.32.tar.bz2) = 928cd5f6aa2ccce97125a3add90479b901df902f27cefbb2052b89d92e7d757f +SIZE (libpng-1.2.32.tar.bz2) = 639460 diff -ruN png.orig/files/patch-ab png/files/patch-ab --- png.orig/files/patch-ab 2008-09-19 07:10:25.361949152 -0400 +++ png/files/patch-ab 2008-09-19 07:16:25.937492412 -0400 @@ -12,7 +12,7 @@ Name: libpng Description: Loads and saves PNG files - Version: 1.2.31 + Version: 1.2.32 -Libs: -L${libdir} -lpng12 +Libs: -L${libdir} -lpng -lz -lm Cflags: -I${includedir} >Release-Note: >Audit-Trail: >Unformatted:
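
Review bot: The PORTVERSION change in the Makefile hunk is the only place this patch records that 1.2.32 fixes CVE-2008-3964. The diff touches only Makefile, distinfo and files/patch-ab, so nothing in it flags installed copies of 1.2.31 as affected. Suggest submitting a matching security/vuxml entry for CVE-2008-3964, covering png versions before 1.2.32, together with this update.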
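
Review bot: In the distinfo hunk, the new MD5, SHA256 and SIZE values for libpng-1.2.32.tar.bz2 arrive with no statement of how they were obtained. For an update whose purpose is a security fix, please confirm that they match what upstream publishes for the release (checksum or signature) and not only what a local fetch produced, and say so in the PR.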
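
Review bot: The files/patch-ab hunk changes only the " Version: 1.2.31" context line to 1.2.32, so this local patch embeds the upstream version string and must be hand-edited on every update or it stops applying cleanly. Consider regenerating patch-ab with less context so the Version line is not part of it, or making the "Libs: -L${libdir} -lpng -lz -lm" change with a substitution in the port Makefile (for example via REINPLACE_CMD), so the edit survives future version bumps.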