Patch for CVE-2008-3964

libpng-ztxt-bug.patch

@@ -0,0 +1,17 @@
+Patch for CVE-2008-3964
+
+
+diff -ru4NwbB libpng-1.2.31/pngpread.c libpng-1.2.32beta01/pngpread.c
+--- libpng-1.2.31/pngpread.c	2008-08-21 05:54:13.254898477 -0500
++++ libpng-1.2.32beta01/pngpread.c	2008-09-06 07:03:43.043602194 -0500
+@@ -1278,9 +1278,9 @@
+ 
+                tmp = text;
+                text = (png_charp)png_malloc(png_ptr, text_size +
+                   (png_uint_32)(png_ptr->zbuf_size 
+-                  - png_ptr->zstream.avail_out));
++                  - png_ptr->zstream.avail_out + 1));
+                png_memcpy(text, tmp, text_size);
+                png_free(png_ptr, tmp);
+                png_memcpy(text + text_size, png_ptr->zbuf,
+                   png_ptr->zbuf_size - png_ptr->zstream.avail_out);

libpng.spec

@@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
 Name: libpng
 Epoch: 2
 Version: 1.2.31
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: zlib
 Group: System Environment/Libraries
 URL: http://www.libpng.org/pub/png/
@@ -10,6 +10,7 @@ URL: http://www.libpng.org/pub/png/
 Source: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{version}.tar.bz2
 Patch0: libpng-multilib.patch
 Patch1: libpng-pngconf.patch
+Patch2: libpng-ztxt-bug.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel
@@ -53,6 +54,7 @@ necessary for some boot packages.
 
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %configure
@@ -91,6 +93,10 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/libpng12.la
 rm -rf $RPM_BUILD_ROOT
 
 %changelog
+* Tue Sep  9 2008 Tom Lane <tgl@redhat.com> 2:1.2.31-2
+- Apply upstream patch for zTXT buffer overrun (CVE-2008-3964)
+Related: #461599
+
 * Sat Aug 23 2008 Tom Lane <tgl@redhat.com> 2:1.2.31-1
 - Update to libpng 1.2.31