Hi all,
This flaw in libpng was reported on February 15th. It involves an integer overflow which can be exploited through the browser if a hacker uses malformed images on a website and such images can also be sent through e-mail.
It appears there are a couple of approaches to fixing this problem. Mozilla has already issued a fix for Firefox 10 as announced in this article: http://www.internetnews.com/blog/skerne ... -flaw.html whereas Debian has issued an update for libpng http://www.debian.org/security/2012/dsa-2410 which in my thinking gets at the root of the problem, because it did not issue an update for its IceWeasel (Firefox) browser.
So, I am wondering to what extent this affects Puppy and whether Debian's libpng fix could be ported to Puppy.
Here is a screenshot from my Wary desktop which shows that libpng is used in a lot of places.
Monsie
libpng security advisory
libpng security advisory
- Attachments
-
- libpngsearch.jpg
- (168.51 KiB) Downloaded 392 times
My [u]username[/u] is pronounced: "mun-see". Derived from my surname, it was my nickname throughout high school.
Yes, /usr/lib/libpng12.so.0.44.0 needs replacing with the later version. Some versions may use libpng12.so.0.42.0 which also needs updating.
If you visit a malicious website which serves a specially crafted .png file ( or open such a file in an email attachment) it will crash your system. That seems to be all there is to it.
If you visit a malicious website which serves a specially crafted .png file ( or open such a file in an email attachment) it will crash your system. That seems to be all there is to it.
[b]Classic Opera 12.16 browser SFS package[/b] for Precise, Slacko, Racy, Wary, Lucid, etc available[url=http://terryphillips.org.uk/operasfs.htm]here[/url] :)
libpng security advisory
Thanks Terryphi for the additional information. This prompted me to do some more research, and I found the latest details at: http://www.libpng.org/pub/png/libpng.html as well as links for downloading the source code regarding the newest patch which if I understand the number system correctly would be libpng.1.2.47 This version was just released yesterday (Feb. 18th).
That said, I'm wondering about protocol. For releases such as Wary and Racy, is it up to Barry to compile the source code and release it, or can someone in the Puppy Community do so and submit it for Barry's approval?
Monsie
That said, I'm wondering about protocol. For releases such as Wary and Racy, is it up to Barry to compile the source code and release it, or can someone in the Puppy Community do so and submit it for Barry's approval?
Monsie
My [u]username[/u] is pronounced: "mun-see". Derived from my surname, it was my nickname throughout high school.
The latest Slacko RC2 has both seamonkey-2.7.2 with the fix compiled against libpng-14.
Puppy Linux Blog - contact me for access
More from Linux Security and H-Online..