Add patch to fix CVE-2007-2445

libpng-trns-bug.patch

@@ -0,0 +1,19 @@
+Fix for CVE-2007-2445 --- libpng crashes if CRC error is detected in
+a grayscale tRNS chunk, because png_handle_tRNS leaves inconsistent state
+which eventually leads to attempting to free() unallocated memory.
+
+
+diff -Naur libpng-1.2.16.orig/pngrutil.c libpng-1.2.16/pngrutil.c
+--- libpng-1.2.16.orig/pngrutil.c	2007-01-31 08:22:35.000000000 -0500
++++ libpng-1.2.16/pngrutil.c	2007-05-12 17:07:41.000000000 -0400
+@@ -1314,7 +1314,10 @@
+    }
+ 
+    if (png_crc_finish(png_ptr, 0))
++   {
++      png_ptr->num_trans = 0;
+       return;
++   }
+ 
+    png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
+       &(png_ptr->trans_values));

libpng.spec

@@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
 Name: libpng
 Epoch: 2
 Version: 1.2.16
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD
 Group: System Environment/Libraries
 URL: http://www.libpng.org/pub/png/
@@ -10,6 +10,7 @@ URL: http://www.libpng.org/pub/png/
 Source: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{version}.tar.bz2
 Patch0: libpng-multilib.patch
 Patch1: libpng-pngconf.patch
+Patch2: libpng-trns-bug.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel
@@ -53,6 +54,7 @@ necessary for some boot packages.
 
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %configure
@@ -91,6 +93,10 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/libpng12.la
 rm -rf $RPM_BUILD_ROOT
 
 %changelog
+* Wed May 23 2007 Tom Lane <tgl@redhat.com> 2:1.2.16-2
+- Add patch to fix CVE-2007-2445
+Related: #239542
+
 * Mon Feb 12 2007 Tom Lane <tgl@redhat.com> 2:1.2.16-1
 - Update to libpng 1.2.16
 Resolves: #211705, #216706, #227334