===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0047
                          Libpng 1.5.10 Released
                               2 April 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              libpng
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-3048
Member content until: Wednesday, May 2 2012

OVERVIEW

        A new version of libpng has been released.

IMPACT

        The vendor has provided the following information:

        "All "modern" versions of libpng through 1.5.9, 1.4.10, 1.2.48,
        and 1.0.58, respectively, fail to correctly handle malloc() failure
        for text chunks (in png_set_text_2()), which can lead to memory
        corruption and the possibility of execution of hostile code. This
        serious vulnerability has been assigned ID CVE-2011-3048 and is
        fixed in version 1.5.10 (and versions 1.4.11, 1.2.49, and 1.0.59,
        respectively, on the older branches), released 29 March 2012." [1]

MITIGATION

        The vendor recommends updating to the latest version. [2]

REFERENCES

        [1] libpng
            http://www.libpng.org/pub/png/libpng.html

        [2] Libpng 1.5.10 - March 29, 2012
            http://www.libpng.org/pub/png/src/libpng-1.5.10-README.txt

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
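The IMPACT section attributes the memory corruption to mishandled malloc() failure. The following is an added illustration of that bug class, not libpng's code and not part of the bulletin, which does not give the exact mechanism in png_set_text_2(). The struct, the function names and the failing allocator are hypothetical: a growable table whose failure path leaves its recorded capacity out of step with its buffer, beside a form that commits state only after the allocation succeeds.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical table of text entries; no name here comes from libpng. */
typedef struct { char **text; int num; int max; } text_table;
static int fail_next_alloc = 0;            /* test hook: force one failure */
static void *test_malloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* Flawed: capacity is raised before the allocation is known to succeed and
 * the failure path does not undo it, so max overstates the real buffer. */
int grow_flawed(text_table *t, int extra) {
    t->max = t->num + extra + 8;
    char **p = test_malloc((size_t)t->max * sizeof *p);
    if (p == NULL) return 1;               /* state left inconsistent */
    for (int i = 0; i < t->num; i++) p[i] = t->text[i];
    free(t->text);
    t->text = p;
    return 0;
}

/* Hardened: pointer and capacity are committed together, after success. */
int grow_checked(text_table *t, int extra) {
    int new_max = t->num + extra + 8;
    char **p = test_malloc((size_t)new_max * sizeof *p);
    if (p == NULL) return 1;               /* table untouched */
    for (int i = 0; i < t->num; i++) p[i] = t->text[i];
    free(t->text);
    t->text = p;
    t->max = new_max;
    return 0;
}

/* Capacity claimed after one forced failed grow from a real capacity of 4.
 * More than 4 means a later "num < max" check passes for missing slots. */
int claimed_max_after_failure(int (*grow)(text_table *, int)) {
    text_table t = { calloc(4, sizeof(char *)), 4, 4 };
    fail_next_alloc = 1;
    int max = grow(&t, 1) ? t.max : -1;    /* -1 if the grow did not fail */
    free(t.text);
    return max;
}

int main(void) {
    printf("claimed max after failed grow: flawed=%d checked=%d\n",
           claimed_max_after_failure(grow_flawed),
           claimed_max_after_failure(grow_checked));
    return 0;
}
```

When reviewing allocation-failure paths, check that every field updated before the allocation is restored on failure, or that nothing is updated until the allocation has succeeded.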