CERT Warns Of Multiple Vulnerabilities In Libpng
jefftp writes "CERT announced today that there are several vulnerabilities in libpng; one is a buffer overflow which could potentially cause a PNG image file to execute arbitrary code. Libpng release 1.2.6rc1 addresses the problems covered by this CERT announcement, and can be obtained from the libpng SourceForge project. A fully tested version is to be released in the next few weeks."
Could it be that Mandrake and Fedora have their patched code out faster than the elite Gentoo team that is supposed to be poised on the bleeding edge of our scene? My "newbie" distro has been patched and secure for many hours and you Gentoo zealots are still scratching your asses...
Heck, you don't even need to wait for them to make a binary! It should've been done by now, surely...
...thanks to the Debian Security mailing list, my systems were secured against this hours before it even made it to /.
Hours? Hours makes it old news? Jesus.
There's a submission review procedure before stuff gets posted on slashdot. That takes time.
How long has this vulnerability been in libpng? It's easy to claim that Linux has zero-hour responses to bugs when you announce vulnerabilities after they're patched, but what I'd like to know is how long this has been a problem.
"Ask not what your country can do for you." --John F. Kennedy
I am SO sick of these Microsoft security holes. Plus, a fix in "a few weeks"? What are they thinking? Jesus, if this were open source, we'd have a fix *today*, and we probably wouldn't have had this happen in the first place!! What am I supposed to do about my machine during the next "few weeks"? Make sure that I avoid all sites with PNG files, even though I don't know if they have any until I surf to them? Piece of shit company...
Oh wait...
Oops. Just re-read the article. Yaaay Open Source! I'm so glad that they've been open about this bug, and are fixing it so quickly! Good job, guys!