libpng overwrites unallocated memory when promoting a paletted image with transparency (one channel) to gray-alpha (two channels), only if the application calls png_rgb_to_gray() but fails to call png_set_expand(). This bug exists in all released versions of libpng (1.0, 1.2, 1.4 and 1.5). The data overwritten is entirely controlled by the image data in the PNG file and it is possible to cause any string of data to be written by fabricating an appropriate PNG file. The amount of overwrite is equal to the row length of the original image. This has been fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.
This has been assigned CVE-2011-2690.
Created libpng tracking bugs for this issue
Affects: fedora-all [bug 721307]
Created libpng10 tracking bugs for this issue
Affects: fedora-all [bug 721309]
Affects: epel-6 [bug 721310]
Created mingw32-libpng tracking bugs for this issue
Affects: fedora-all [bug 721311]
Affects: epel-5 [bug 721312]
Further investigation shows that this bug is not aboriginal in libpng, but was introduced in 1.2.9 (and whichever was the contemporary version of 1.0.x). This means it doesn't exist in RHEL4, where we're still shipping 1.2.7. Haven't looked yet at the libpng10 situation.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2011:1104 https://rhn.redhat.com/errata/RHSA-2011-1104.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:1105 https://rhn.redhat.com/errata/RHSA-2011-1105.html