This is the mail archive of the cygwin-apps mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [SECURITY] libpng vulnerabilities


On 2012-03-29 19:00, Yaakov (Cygwin/X) wrote:
On 2012-02-26 02:02, marco atzeri wrote:
Vulnerability Warning

All versions of libpng from 1.0.6 through 1.5.8, 1.4.8, 1.2.46, and
1.0.56, respectively, fail to correctly validate a heap allocation in
png_decompress_chunk(), which can lead to a buffer-overrun and the
possibility of execution of hostile code on 32-bit systems. This serious
vulnerability has been assigned ID CVE-2011-3026 and is fixed in version
1.5.9 (and versions 1.4.9, 1.2.47, and 1.0.57, respectively, on the
older branches), released 18 February 2012.

Now there's YA one, CVE-2011-3048, fixed in 1.5.10, 1.4.11, 1.2.49, and 1.0.59.

Chuck,


I have sent notices of multiple security vulnerabilities in libpng going back LAST JULY, with several additions and pings (no pun intended) since. Can we *please* see some sign that you are still maintaining these packages?


Yaakov



Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]