Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=504782
Tomas Hoger thoger@redhat.com changed:
What              Removed    Added
----------------------------------------------------------------------------
External Bug ID              Gentoo 272970
--- Comment #1 from Tomas Hoger thoger@redhat.com 2009-06-09 08:43:02 EDT --- Upstream page - http://www.libpng.org/pub/png/libpng.html - contains a rather confusing vulnerability warning:
Vulnerability Warning
Jeff Phillips reported that several versions of libpng through 1.2.35 contain an uninitialized-memory-read bug that may have security implications. Specifically, 1-bit (2-color) interlaced images whose widths are not divisible by 8 may result in several uninitialized bits at the end of certain rows in certain interlace passes being returned to the user. An application that failed to mask these out-of-bounds pixels might display or process them, albeit presumably with benign results in most cases. This bug may be fixed in version 1.2.36, released 7 May 2009, but the correct fix is in version 1.2.37, released 4 June 2009.
Going through the 1.2.35 -> 1.2.36 and 1.2.36 -> 1.2.37 diffs, this probably refers to the following changes:
Changes in 1.2.36: +version 1.2.36beta02 [March 21, 2009] + Use png_memset() after png_malloc() of big_row_buf when reading an + interlaced file, to avoid a possible UMR.
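Review bot: the png_memset() length here has to be the same byte count that the matching png_malloc() of big_row_buf received; the 1.2.37 entry further down this page records that this memset used "png_ptr->rowbytes" while the allocation used "row_bytes". If those two values differ, a memset that is shorter than the allocation leaves the tail of the row buffer uninitialized, so the UMR this entry is meant to remove survives, and a memset that is longer writes past the allocation. Clear exactly row_bytes, the size that was allocated.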
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng;a=commitdiff;h=85f...
Changes in 1.2.37: +version 1.2.37beta01 [May 12, 2009] + Fixed inconsistency in pngrutil.c, introduced in libpng-1.2.36. The + memset() was using "png_ptr->rowbytes" instead of "row_bytes", which + the corresponding png_malloc() uses (Joe Drew).
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng;a=commitdiff;h=549...
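The following is an added example written for this page; it is not libpng's code and does not reproduce pngrutil.c. The Adam7 pass geometry and the PNG row-byte formula are the standard ones; every function name, the use of an all-0xFF fill to stand in for stale heap contents, and the all-zero sample image are constructed for the illustration. It shows why a 1-bit (or 2- or 4-bit) row of a pass whose pixel count is not a multiple of 8 leaves unwritten bits at the end of its last byte, and the two remedies the warning implies: the decoder clearing the freshly allocated row buffer with a length that matches the allocation, or the application masking the pad bits before it displays or processes whole bytes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bytes per row for `width` pixels at `depth` bits each (the PNG_ROWBYTES formula). */
static size_t row_bytes(unsigned width, unsigned depth)
{
    return ((size_t)width * depth + 7) / 8;
}

/* Adam7 interlace: first column and column step for passes 0..6. */
static const unsigned adam7_xstart[7] = {0, 4, 0, 2, 0, 1, 0};
static const unsigned adam7_xstep[7]  = {8, 8, 4, 4, 2, 2, 1};

/* Pixels per row in `pass` for an image `width` pixels wide. */
static unsigned pass_width(unsigned width, int pass)
{
    unsigned start = adam7_xstart[pass], step = adam7_xstep[pass];
    return width > start ? (width - start + step - 1) / step : 0;
}

/* Unused bits at the end of a pass row; a decoder never writes pixel data there. */
static unsigned trailing_pad_bits(unsigned width, unsigned depth, int pass)
{
    size_t bits = (size_t)pass_width(width, pass) * depth;
    return (unsigned)((8 - bits % 8) % 8);
}

/* Pack sub-byte pixels MSB-first into `row`, OR-ing them in the way a decoder
 * writes pixels: bytes are only ever partially overwritten, never cleared. */
static void pack_pixels(uint8_t *row, const uint8_t *pixels, unsigned n, unsigned depth)
{
    unsigned mask = (1u << depth) - 1;
    for (unsigned i = 0; i < n; i++) {
        unsigned bitpos = i * depth;
        row[bitpos / 8] |= (uint8_t)((pixels[i] & mask) << (8 - depth - bitpos % 8));
    }
}

/* Application-side remedy: zero the pad bits of the final byte. */
static void mask_trailing_bits(uint8_t *row, size_t nbytes, unsigned pad_bits)
{
    if (nbytes && pad_bits)
        row[nbytes - 1] &= (uint8_t)(0xFFu << pad_bits);
}

/* Decode one all-zero pass row into a freshly allocated buffer and return the
 * value of its pad bits: 0 means nothing leaked into them.  The 0xFF fill is a
 * constructed stand-in for whatever a real allocator hands back (leftovers of
 * earlier allocations).  `clear_buffer` models the decoder-side fix (memset of
 * the same byte count that was allocated); `mask_output` models the
 * application-side masking. */
static unsigned pad_bits_after_decode(unsigned width, unsigned depth, int pass,
                                      int clear_buffer, int mask_output)
{
    unsigned n = pass_width(width, pass);
    size_t nbytes = row_bytes(n, depth);
    unsigned pad = trailing_pad_bits(width, depth, pass);

    uint8_t *row = malloc(nbytes ? nbytes : 1);
    if (!row)
        return 0xFFFFu;
    memset(row, 0xFF, nbytes);          /* constructed: stale heap contents */
    if (clear_buffer)
        memset(row, 0, nbytes);         /* clear exactly the allocated length */

    uint8_t *pixels = malloc(n ? n : 1);
    if (!pixels) { free(row); return 0xFFFFu; }
    memset(pixels, 0, n);               /* constructed image: every pixel is 0, so
                                           any set bit in the pad is leaked garbage */
    pack_pixels(row, pixels, n, depth);
    if (mask_output)
        mask_trailing_bits(row, nbytes, pad);

    unsigned leaked = nbytes ? (row[nbytes - 1] & ((1u << pad) - 1)) : 0;
    free(pixels);
    free(row);
    return leaked;
}
```

For a 13-pixel-wide 1-bit image, pass 6 (the full-width pass) has 13 pixels in 2 bytes and 3 pad bits; without either remedy those 3 bits come back as 0b111 from the stale fill, with the buffer cleared or the output masked they are 0. Widths that are a multiple of 8 in every pass (a 64-pixel image, for instance) have no pad bits and nothing to leak, which is why the warning singles out widths not divisible by 8.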