[Bug 376673] [NEW] Sync libpng 1.2.35-1 (main) from Debian unstable (main).

Jamie Strandboge jamie at ubuntu.com
Thu May 14 21:39:45 BST 2009


Public bug reported:


 affects ubuntu/libpng
 status confirmed
 importance wishlist
 subscribe ubuntu-archive

Please sync libpng 1.2.35-1 (main) from Debian unstable (main).

Explanation of the Ubuntu delta and why it can be dropped:
Ubuntu changes can be dropped as the CVE fixes are in Debian and the ECHO
fix was incorporated in 1.2.29.

Changelog since current karmic version 1.2.27-2ubuntu2:

libpng (1.2.35-1) unstable; urgency=high

  * New upstream release
    - http://secunia.com/advisories/33970/
      Fix a vulnerability reported by Tavis Ormandy in which
      some arrays of pointers are not initialized prior to using
      "malloc" to define the pointers.
      Closes: #516256
    - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907
      The png_check_keyword function in pngwutil.c in libpng, might
      allow context-dependent attackers to set the value of an
      arbitrary memory location to zero via vectors involving
      creation of crafted PNG files with keywords, related to an
      implicit cast of the '\0' character constant to a NULL pointer.
  * Don't build libpng3 when binary-indep target is not called.
    Closes: #486415

 -- Anibal Monsalve Salazar <anibal at debian.org>  Sat, 21 Feb 2009 15:50:52 +1100

libpng (1.2.33-2) unstable; urgency=low

  * Fix the following lintian issues:
    W: libpng12-0: copyright-refers-to-versionless-license-file
       usr/share/common-licenses/GPL

 -- Anibal Monsalve Salazar <anibal at debian.org>  Mon, 16 Feb 2009 11:32:17 +1100

libpng (1.2.33-1) experimental; urgency=low

  * New upstream release 
    - Fix memory leak after reading a malformed tEXt chunk

 -- Anibal Monsalve Salazar <anibal at debian.org>  Sat, 01 Nov 2008 17:21:56 +1100

libpng (1.2.32-1) experimental; urgency=low

  * New upstream release
    - libpng.pc is configured to do static linking; closes: #483477
    - use autoconf variables in .pc and libpng-config; closes: #483478
  * Remove debian/patches/02-501109-pngtest.c.diff; it was merged

 -- Anibal Monsalve Salazar <anibal at debian.org>  Sun, 05 Oct 2008 08:20:20 +1100



** Affects: libpng (Ubuntu)
     Importance: Wishlist
         Status: Confirmed

-- 
Sync libpng 1.2.35-1 (main) from Debian unstable (main).
https://bugs.launchpad.net/bugs/376673
You received this bug notification because you are a member of Ubuntu
Package Archive Administrators, which is a direct subscriber.