The PNG library libpng has been affected by several vulnerabilities. The most
critical one is the identified as
CVE-2011-2690. Using this vulnerability, an attacker is able to overwrite
memory with an arbitrary amount of data controlled by her via a crafted PNG
image.
The other vulnerabilities are less critical and allow an attacker to
cause a crash in the program (denial of service) via a crafted PNG
image.
For the oldstable distribution (lenny), this problem has been fixed in
version 1.2.27-2+lenny5. Due to a technical limitation in the Debian
archive processing scripts, the updated packages cannot be released
in parallel with the packages for Squeeze. They will appear shortly.
For the stable distribution (squeeze), this problem has been fixed in
version 1.2.44-1+squeeze1.
For the unstable distribution (sid), this problem has been fixed in
version 1.2.46-1.
We recommend that you upgrade your libpng packages.