On Jul 16, 2004 16:48 -0400, CERT Coordination Center wrote:

Hello,

(We are contacting you as our registered point of contact for security issues in the libpng software package. If you are not the appropriate person, please let us know and forward this information to the appropriate person.)

We have received a report from Chris Evans (chris@scary.beasts.org) regarding multiple vulnerabilities in the libpng package. A copy of Chris's advisory can be found at the following location:

Chris indicated that he has already provided this information to you, but he reported it directly to us as well and we wanted to be certain you saw it.

We have identified the issues in this report as follows:

VU#388984 - libpng fails to properly check length on PNG data [CAN-2004-0597]
VU#817368 - libpng "png_handle_sBIT" does not perform proper checks to avoid stack buffer overflow
VU#236656 - libpng "png_handle_iCCP" possible NULL-pointer crash
VU#477512 - libpng "png_handle_sPLT" possible integer overflow
VU#160448 - libpng "png_read_png" does not properly handle a PNG with excessive height
VU#286464 - libpng progressive reading integer overflow

The titles for these issues are subject to change prior to publication, but these provide a starting point to work from.

The reporter has indicated that he will publish his advisory on August 4, 2004. We intend to be prepared to publish information about these issues at that time. Please respond with any comments or vendor statements you might have before that date. We have begun the process of contacting other vendors that use libpng separately.

In order to discuss this and future issues in more detail and confidentiality, we'd like to establish a secure communications channel with you. Our normal procedure is to exchange and verify a PGP key that we can use just for communications with you. If you have the ability, please send us a key and we will begin the process of verifying it.
If you have any additional questions or concerns, please do not hesitate to contact us.

Best Regards,

Chad

--
Chad Dougherty
Internet Security Analyst
__________________________________________________________
CERT(R) Coordination Center    | cert@cert.org
Software Engineering Institute | Hotline : +1 412.268.7090
Carnegie Mellon University     | FAX     : +1 412.268.6989
Pittsburgh, PA 15213-3890      | http://www.cert.org/
==========================================================
CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office. The Software Engineering Institute is sponsored by the U.S. Department of Defense.