It was found that libpng read uninitialized memory when it encountered a sCAL chunk that is empty, and improperly handled a sCAL chunk that lacks the terminating zero between the two strings that it conveys. This was fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55. Patch: http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=61a2d8a2a7b03023e63eae9a3e64607aaaa6d339
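
The two malformed inputs described in this report (an empty sCAL chunk, and one with no zero byte between its two strings) can be rejected with a length check and a bounded search. The following is an added example, not libpng's code or its patch; the function name, status names and sample payloads are constructed for illustration, and the chunk layout is the one given in the PNG specification.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status names are hypothetical, chosen for this example. */
enum scal_status { SCAL_OK, SCAL_TOO_SHORT, SCAL_BAD_UNIT,
                   SCAL_NO_SEPARATOR, SCAL_EMPTY_FIELD };

/* Validate an sCAL payload without reading past `len`.
 * Layout: 1 unit byte (1 = metre, 2 = radian), ASCII width, one zero
 * byte, ASCII height running to the end of the chunk. On success the
 * out-pointers refer into `data`; the height is NOT NUL-terminated,
 * so callers must use the returned lengths, not strlen(). */
enum scal_status scal_validate(const unsigned char *data, size_t len,
                               const unsigned char **width, size_t *width_len,
                               const unsigned char **height, size_t *height_len)
{
    const unsigned char *sep;

    /* unit + at least 1 width char + separator + at least 1 height char */
    if (data == NULL || len < 4)
        return SCAL_TOO_SHORT;          /* covers the empty chunk */
    if (data[0] != 1 && data[0] != 2)
        return SCAL_BAD_UNIT;
    /* Bounded search: never scans beyond the chunk for the zero byte. */
    sep = memchr(data + 1, 0, len - 1);
    if (sep == NULL)
        return SCAL_NO_SEPARATOR;       /* the missing-terminator case */
    if (sep == data + 1 || sep == data + len - 1)
        return SCAL_EMPTY_FIELD;
    *width = data + 1;
    *width_len = (size_t)(sep - (data + 1));
    *height = sep + 1;
    *height_len = len - 2 - *width_len;
    return SCAL_OK;
}

/* Constructed sample payloads (not taken from a real file). */
static const unsigned char good[] = { 1, '1', '.', '5', 0, '2', '.', '5' };
static const unsigned char no_sep[] = { 1, '1', '.', '5', '2', '.', '5' };

int main(void)
{
    const unsigned char *w, *h;
    size_t wl, hl;
    printf("good: %d\n", (int)scal_validate(good, sizeof good, &w, &wl, &h, &hl));
    printf("no_sep: %d\n", (int)scal_validate(no_sep, sizeof no_sep, &w, &wl, &h, &hl));
    printf("empty: %d\n", (int)scal_validate(good, 0, &w, &wl, &h, &hl));
    return 0;
}
```
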
This has been assigned CVE-2011-2692.
This is also CERT VU#819894: http://www.kb.cert.org/vuls/id/819894
Created libpng tracking bugs for this issue. Affects: fedora-all [bug 721307]
Created libpng10 tracking bugs for this issue. Affects: fedora-all [bug 721309]; Affects: epel-6 [bug 721310]
Created mingw32-libpng tracking bugs for this issue. Affects: epel-5 [bug 721312]; Affects: fedora-all [bug 721311]
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, via RHSA-2011:1104: https://rhn.redhat.com/errata/RHSA-2011-1104.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 4, via RHSA-2011:1103: https://rhn.redhat.com/errata/RHSA-2011-1103.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2011:1105: https://rhn.redhat.com/errata/RHSA-2011-1105.html