[Xquartz-dev] libpng CVE-2010-1205

[Jeremy Huddleston]

Hi everyone,

I just wanted to give you all a heads up about CVE-2010-1205 (see http://www.libpng.org/pub/png/libpng.html).  The version of libpng in our current release has a vulnerability that was announced last week.  It doesn't look like we are directly affected*, but if anyone uses the libpng shipped by us for anything outside XQuartz (eg: linking against our libs for a custom built web browser, news/mail reader, etc), that application might expose this vulnerability.

The vulnerability itself requires someone to craft a special png file which would be incorrectly read by libpng.

I'm planning on getting out a 2.5.1_rc2 release this week to address this issue.  If you have any questions or concerns, feel free to ask here or the png-mng-implement mailing list.

Thanks,
Jeremy

*: libpng is part of the set of libraries provided to make us compatible with the bulk of freedesktop.org.  It is used by libcairo but not directly by XQuartz.app or any of our applications in /{usr,opt}/X11/bin.  This is why I think we're not directly affected, but it's a better use of my time to just push out a release with the fix than to prove we are not affected.  If anyone does see a vulnerable path, please contact me off list, so I can be better aware of that in the future.