Multiple vulnerabilities has been discovered and corrected in libpng:

The png_format_buffer function in pngerror.c in libpng allows
remote attackers to cause a denial of service (application crash)
via a crafted PNG image that triggers an out-of-bounds read during
the copying of error-message data. NOTE: this vulnerability exists
because of a CVE-2004-0421 regression (CVE-2011-2501).

Buffer overflow in libpng, when used by an application that calls the
png_rgb_to_gray function but not the png_set_expand function, allows
remote attackers to overwrite memory with an arbitrary amount of data,
and possibly have unspecified other impact, via a crafted PNG image
(CVE-2011-2690).

The png_err function in pngerror.c in libpng makes a function call
using a NULL pointer argument instead of an empty-string argument,
which allows remote attackers to cause a denial of service (application
crash) via a crafted PNG image (CVE-2011-2691). NOTE: This does not
affect the binary packages in Mandriva, but could affect users if
PNG_NO_ERROR_TEXT is defined using the libpng-source-1.?.?? package.

The png_handle_sCAL function in pngrutil.c in libpng does not properly
handle invalid sCAL chunks, which allows remote attackers to cause
a denial of service (memory corruption and application crash) or
possibly have unspecified other impact via a crafted PNG image that
triggers the reading of uninitialized memory (CVE-2011-2692).

The updated packages have been patched to correct these issues.