It was reported [1] that the fix for CVE-2004-0421 in libpng was inadvertently reverted during the 1.2.23 development cycle. The original flaw could be used to cause a denial of service via a carefully-crafted PNG image. This would affect all versions of libpng >=1.2.23, including 1.4.x and 1.5.x. [1] http://sourceforge.net/mailarchive/forum.php?thread_name=BANLkTikrnU6FJNQYFvwmt78hwpgKPVRd1Q%40mail.gmail.com&forum_name=png-mng-implement
Upstream fix is here: http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
This has been assigned CVE-2011-2501: http://www.openwall.com/lists/oss-security/2011/06/28/16
Created libpng tracking bugs for this issue Affects: fedora-all [bug 717509]
Created libpng10 tracking bugs for this issue Affects: fedora-all [bug 717512] Affects: epel-6 [bug 717513]
Created mingw32-libpng tracking bugs for this issue Affects: fedora-all [bug 717510] Affects: epel-5 [bug 717511]
Just for the record, I'm planning to handle this and the other current libpng bugs, in RHEL6, by rebasing from libpng 1.2.44 to 1.2.46. I've diffed the tarballs and there is essentially no difference except version numbers and the security fixes we want. Indeed, the entire reason why upstream is still maintaining 1.2.x is to provide security fixes, so it would be a bit discourteous to them to not use their tarballs ... RHEL5 and back probably can't be handled that way, unfortunately.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1105 https://rhn.redhat.com/errata/RHSA-2011-1105.html