head	1.6;
access;
symbols;
locks; strict;
comment	@# @;


1.6
date	2005.12.03.12.19.40;	author rse;	state Exp;
branches;
next	1.5;
commitid	qqpAOapyuzxSmacr;

1.5
date	2005.12.03.11.50.03;	author rse;	state Exp;
branches;
next	1.4;
commitid	irQCXvyd7wvJcacr;

1.4
date	2003.01.15.15.40.08;	author rse;	state Exp;
branches;
next	1.3;

1.3
date	2003.01.15.15.31.19;	author thl;	state Exp;
branches;
next	1.2;

1.2
date	2003.01.15.15.19.01;	author thl;	state Exp;
branches;
next	1.1;

1.1
date	2003.01.15.14.52.14;	author rse;	state Exp;
branches;
next	;


desc
@@


1.6
log
@resign after latest adjustments
@
text
@-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@@openpkg.org                         openpkg@@openpkg.org
OpenPKG-SA-2003.001                                          15-Jan-2003
________________________________________________________________________

Package:             png
Vulnerability:       buffer overflow vulnerability
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= png-1.2.5-20021003       >= png-1.2.5-20030115
OpenPKG 1.1          <= png-1.2.4-1.1.0          >= png-1.2.4-1.1.1
OpenPKG 1.0          <= png-1.2.0-1.0.0          >= png-1.2.0-1.0.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache emacs gd gd1 gif2png gnuplot graphviz 
                     imagemagick libwmf netpbm perl-gd perl-tk pstoedit 
                     webalizer wml
OpenPKG 1.1          apache emacs gd gd1 gnuplot graphviz imagemagick 
                     perl-gd wml
OpenPKG 1.0          apache gd perl-gd

Description:
  According to a Debian security advisory based on hints from Glenn
  Randers-Pehrson [0], a buffer overflow vulnerability exists in the
  Portable Network Graphics (PNG) library libpng [1] in connection with
  16-bit samples. The starting offsets for the loops are calculated
  incorrectly which may cause a buffer overrun beyond the beginning of
  the row buffer. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CVE-2002-1363 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -qa png". If you have the "png" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), if any, too.
  [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get png-1.2.4-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig png-1.2.4-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild png-1.2.4-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/png-1.2.4-1.1.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too. [3][4]
________________________________________________________________________

References:
  [0] http://www.debian.org/security/2002/dsa-213
  [1] http://www.libpng.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1363
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.0/UPD/png-1.2.0-1.0.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/png-1.2.4-1.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.0/UPD/
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@@openpkg.org>

iD8DBQFDkYykgHWT4GPEy58RAjPLAKDO3pOiG/LRa/w8+67HrZPUYncxbgCfVpzu
yZsBZxHMt7jl5lCPlZba1cY=
=IAJ2
-----END PGP SIGNATURE-----
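To carry out the "check whether you are affected" step from the Description without comparing versions by eye, here is an added shell example (not part of the advisory or of OpenPKG's own tooling) that classifies a package name in the form printed by "<prefix>/bin/rpm -qa png" against the release table of this advisory; the function names vercmp and png_status are our own.

```shell
#!/bin/sh
# Added example (not part of the OpenPKG advisory): classify the output of
# "<prefix>/bin/rpm -qa png" against the Affected/Corrected table of
# OpenPKG-SA-2003.001. Assumes OpenPKG's NAME-VERSION-RELEASE package naming
# (e.g. png-1.2.4-1.1.0); the function names below are our own.

# vercmp A B: compare two dotted numeric strings component by component and
# print -1, 0 or 1 for A<B, A=B, A>B. Missing trailing components count as 0.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# png_status PACKAGE: print "affected", "corrected", "unknown-version" or
# "malformed". A build whose release is below the corrected release of its
# OpenPKG line is reported as affected; that is the conservative answer for
# any snapshot the table does not list explicitly. An empty argument (png not
# installed, so rpm -qa printed nothing) is reported as malformed.
png_status() {
    pkg=$1
    case $pkg in
        png-*-*) ;;
        *) printf '%s\n' malformed; return ;;
    esac
    rest=${pkg#png-}
    ver=${rest%-*}          # upstream libpng version, e.g. 1.2.4
    rel=${rest#*-}          # OpenPKG release, e.g. 1.1.0 or 20021003
    case $ver in
        1.2.0) fixed=1.0.1 ;;      # OpenPKG 1.0 line
        1.2.4) fixed=1.1.1 ;;      # OpenPKG 1.1 line
        1.2.5) fixed=20030115 ;;   # OpenPKG CURRENT snapshots
        *) printf '%s\n' unknown-version; return ;;
    esac
    if [ "$(vercmp "$rel" "$fixed")" -lt 0 ]; then
        printf '%s\n' affected
    else
        printf '%s\n' corrected
    fi
}
# Typical use on an OpenPKG host, with PREFIX set to the installation prefix:
#   png_status "$("$PREFIX"/bin/rpm -qa png)"
```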
@


1.5
log
@switch to newer world order of CVE instead of CAN and where no more solution hints are specified in detail and anybody should already memorize this standard text
@
text
@d92 3
a94 3
iD8DBQE+JYCpgHWT4GPEy58RAk3eAJ9dG8BbE6BNmvWA2GOZuRNWL5lLZQCghoWd
P4HMyx1pxytvcak6xgBPRPM=
=Ulpx
@


1.4
log
@finalize PNG SA
@
text
@d36 1
a36 1
  assigned the id CAN-2002-1363 [2] to the problem.
d70 1
a70 1
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363
@


1.3
log
@polishing
@
text
@d1 3
d34 2
a35 2
  incorrectly which may cause a buffer overrun beyond the beginning of the
  row buffer. The Common Vulnerabilities and Exposures (CVE) project
d39 4
a42 4
  -qa png". If you have the "png" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution) and it's dependent packages (see above), if any,
  too. [3][4]
d48 4
a51 4
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.1, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).
d89 7
@


1.2
log
@may cause; src and bin tutorial; rebuild and install; renumber
@
text
@d38 2
a39 1
  it (see Solution) and it's dependent packages (see above), too. [3][4]
d60 2
a61 2
  Additionally, we recommend that you rebuild and
  reinstall all dependent OpenPKG packages, too. [3][4]
@


1.1
log
@first cut for PNG SA
@
text
@d28 2
a29 2
  Randers-Pehrson [7], a buffer overflow vulnerability exists in the
  Portable Network Graphics (PNG) library libpng [0] in connection with
d31 1
a31 1
  incorrectly which causes a buffer overrun beyond the beginning of the
d33 1
a33 1
  assigned the id CAN-2002-1363 [8] to the problem.
d38 1
a38 2
  it (see Solution). Additionally, we recommend that you rebuild and
  reinstall all dependent OpenPKG packages, too. [2]
d42 4
a45 4
  [5][6], fetch it from the OpenPKG FTP service [3][4] or a mirror
  location, verify its integrity [1], build a corresponding binary RPM
  from it and update your OpenPKG installation by applying the binary
  RPM [2]. For the current release OpenPKG 1.1, perform the following
d59 2
a60 1
  Then rebuild all dependent OpenPKG packages.
d64 5
a68 5
  [0] http://www.libpng.org/
  [1] http://www.openpkg.org/security.html#signature
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] ftp://ftp.openpkg.org/release/1.0/UPD/
  [4] ftp://ftp.openpkg.org/release/1.1/UPD/
d71 3
a73 2
  [7] http://www.debian.org/security/2002/dsa-213
  [8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363
@

