Updated:  July 01, 2010

Statement Date:   June 26, 2010

Status

Affected

Vendor Statement

This libpng bug was publicly disclosed yesterday via checkins to the Mozilla repositories and subsequently by release of libpng-1.4.3 and 1.2.44, in which the bug is fixed. See http://www.libpng.org/pub/png/libpng.html An additional memory-leak bug with reading a malformed PNG sCAL chunk was also disclosed and fixed. All versions of libpng prior to 1.2.44 and libpng-1.4.3 and all libpng-1.0.X versions are vulnerable. Libpng-1.0.X is no longer supported and will not receive security updates, as announced in February 2010 when libpng-1.0.53 was released.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.