libpng security advisory
Monsie


Posted: Sat 18 Feb 2012, 17:19

Hi all,

This flaw in libpng was reported on February 15th. It involves an integer overflow which can be exploited through the browser if a hacker uses malformed images on a website, and such images can also be sent through e-mail.

It appears there are a couple of approaches to fixing this problem. Mozilla has already issued a fix for Firefox 10 as announced in this article: http://www.internetnews.com/blog/skerner/mozilla-releases-firefox-10.0.2-for-png-flaw.html whereas Debian has issued an update for libpng http://www.debian.org/security/2012/dsa-2410 which in my thinking gets at the root of the problem, because it did not issue an update for its IceWeasel (Firefox) browser.

So, I am wondering to what extent this affects Puppy and whether Debian's libpng fix could be ported to Puppy.

Here is a screenshot from my Wary desktop which shows that libpng is used in a lot of places.

Monsie
[Attached screenshot: libpngsearch.jpg]
Terryphi


Posted: Sun 19 Feb 2012, 06:27

Yes, /usr/lib/libpng12.so.0.44.0 needs replacing with the later version. Some versions may use libpng12.so.0.42.0 which also needs updating.

If you visit a malicious website which serves a specially crafted .png file (or open such a file in an email attachment) it will crash your system. That seems to be all there is to it.

Monsie


Posted: Sun 19 Feb 2012, 15:03

Thanks Terryphi for the additional information. This prompted me to do some more research, and I found the latest details at: http://www.libpng.org/pub/png/libpng.html as well as links for downloading the source code regarding the newest patch which, if I understand the number system correctly, would be libpng.1.2.47. This version was just released yesterday (Feb. 18th).

That said, I'm wondering about protocol. For releases such as Wary and Racy, is it up to Barry to compile the source code and release it, or can someone in the Puppy Community do so and submit it for Barry's approval?

Monsie

01micko


Posted: Sun 19 Feb 2012, 16:15

The latest Slacko RC2 has both seamonkey-2.7.2 with the fix compiled against libpng-14.
pemasu


Posted: Sun 19 Feb 2012, 17:31

I just picked the security updated libpng from the squeeze security-update page. It had the same libpng version number as the one I had. So... there won't be any conflicts with other libs.
The build is Dpup Exprimo.
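Added example, not part of any post above: a small shell inventory of the libpng 1.2.x libraries the thread discusses, flagging any whose file name encodes a release older than 1.2.47. It assumes libpng 1.2.N installs as libpng12.so.0.N.0 (as with the 0.44.0 and 0.42.0 files named above), and it reports older files as "review" rather than vulnerable, because a distribution's security update can keep the same version number; the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes libpng 1.2.N installs its
# library as libpng12.so.0.N.0; 1.2.47 is the release named in the thread.
FIXED_PATCH=47

# Print N for a file named libpng12.so.0.N.0; return 1 for any other name.
libpng12_patch_level() {
    n=${1##*/}
    case "$n" in
        libpng12.so.0.*.0) ;;
        *) return 1 ;;
    esac
    n=${n#libpng12.so.0.}
    n=${n%.0}
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$n"
}

# "current" = 1.2.47 or later; "review" = older by name (a distro backport
# can carry the fix under an unchanged number); "unknown" = not libpng12.
classify_libpng12() {
    level=$(libpng12_patch_level "$1") || { echo unknown; return 0; }
    if [ "$level" -lt "$FIXED_PATCH" ]; then echo review; else echo current; fi
}

# List the real libpng12 files (symlinks skipped) in the given directories.
scan_libpng12() {
    for dir in "$@"; do
        for f in "$dir"/libpng12.so.0.*; do
            if [ -f "$f" ] && [ ! -L "$f" ]; then
                printf '%s\t1.2.%s\t%s\n' "$f" \
                    "$(libpng12_patch_level "$f" || echo '?')" \
                    "$(classify_libpng12 "$f")"
            fi
        done
    done
    return 0
}

# Usage (hypothetical script name): sh check-libpng12.sh /lib /usr/lib
if [ "$#" -gt 0 ]; then scan_libpng12 "$@"; fi
```

For a file marked "review", the package changelog or the distribution's advisory is what confirms whether the fix was backported.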
Semme

Posted: Mon 20 Feb 2012, 07:35

More from Linux Security and H-Online..