CVSS Base Vector:
Check for the Version of libpng
libpng on Mandriva Linux 2008.0,
Mandriva Linux 2008.0/X86_64,
Mandriva Linux 2009.0,
Mandriva Linux 2009.0/X86_64,
Mandriva Linux 2009.1,
Mandriva Linux 2009.1/X86_64,
Mandriva Linux 2010.0,
Mandriva Linux 2010.0/X86_64,
Mandriva Enterprise Server 5,
Mandriva Enterprise Server 5/X86_64
Multiple vulnerabilities has been found and corrected in libpng:
Memory leak in the png_handle_tEXt function in pngrutil.c in libpng
before 1.2.33 rc02 and 1.4.0 beta36 allows context-dependent attackers
to cause a denial of service (memory exhaustion) via a crafted PNG file
Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x
before 1.4.3, as used in progressive applications, might allow remote
attackers to execute arbitrary code via a PNG image that triggers an
additional data row (CVE-2010-1205).
Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before
1.4.3, allows remote attackers to cause a denial of service (memory
consumption and application crash) via a PNG image containing malformed
Physical Scale (aka sCAL) chunks (CVE-2010-2249).
As a precaution htmldoc has been rebuilt to link against the
system libpng library for CS4 and 2008.0. Latest xulrunner and
mozilla-thunderbird has been patched as a precaution for 2008.0 wheres
on 2009.0 and up the the system libpng library is used instead of the
bundled copy. htmldoc, xulrunner and mozilla-thunderbird Linux Distribution Packages is
therefore also being provided with this advisory.
Packages for 2008.0 and 2009.0 are provided as of the Extended
Maintenance Program. Please visit this link to learn more:
The updated Linux Distribution Packages have been patched to correct these issues.
Please Install the Updated Packages.
Linux Distribution Package
NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)