The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.
libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng%3Ba=commit%3Bh=61a2d8a2a7b03023e63eae9a3e64607aaaa6d339
lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
lists.apple.com/archives/security-announce/2012/May/msg00001.html
lists.fedoraproject.org/pipermail/package-announce/2011-July/063118.html
secunia.com/advisories/45046
secunia.com/advisories/45405
secunia.com/advisories/45415
secunia.com/advisories/45445
secunia.com/advisories/45460
secunia.com/advisories/45461
secunia.com/advisories/45492
secunia.com/advisories/49660
security.gentoo.org/glsa/glsa-201206-15.xml
sourceforge.net/mailarchive/forum.php?thread_name=003101cc2790%24fb5d6e80%24f2184b80%24%40acm.org&forum_name=png-mng-implement
support.apple.com/kb/HT5002
support.apple.com/kb/HT5281
www.debian.org/security/2011/dsa-2287
www.kb.cert.org/vuls/id/819894
www.libpng.org/pub/png/libpng.html
www.mandriva.com/security/advisories?name=MDVSA-2011:151
www.openwall.com/lists/oss-security/2011/07/13/2
www.redhat.com/support/errata/RHSA-2011-1103.html
www.redhat.com/support/errata/RHSA-2011-1104.html
www.redhat.com/support/errata/RHSA-2011-1105.html
www.securityfocus.com/bid/48618
www.ubuntu.com/usn/USN-1175-1
bugzilla.redhat.com/show_bug.cgi?id=720612
exchange.xforce.ibmcloud.com/vulnerabilities/68536