Common Vulnerabilities and Exposures assigned an identifier CVE-2014-0333 to the following vulnerability:

Name: CVE-2014-0333
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0333
Assigned: 20131205
Reference: CONFIRM:ftp://ftp.simplesystems.org/pub/png/src/libpng16/patch-libpng16-vu684412.diff
Reference: https://sourceforge.net/projects/libpng/files/libpng16/patch-libpng16-vu684412.diff
Reference: CERT-VN:VU#684412
Reference: http://www.kb.cert.org/vuls/id/684412

The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.

The upstream commit is here: http://sourceforge.net/p/libpng/code/ci/713a20c57d344b558e48ad8be157c2dd751c8815/

Note that this only affects libpng 1.6.0 through 1.6.9.
Statement: Not vulnerable. This issue did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 5 or 6.
Created libpng tracking bugs for this issue: Affects: fedora-20 [bug 1070987]
Created mingw-libpng tracking bugs for this issue: Affects: fedora-20 [bug 1070988]
mingw-libpng-1.6.10-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.