Fix at $URL. From the Secunia advisory at http://secunia.com/advisories/45046/: A vulnerability has been reported in libpng, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library. The vulnerability is caused due to an off-by-one error in the "png_format_buffer()" function in pngerror.c when parsing a PNG image file and can be exploited to cause a crash.
Was this even reported to libxml2 upstream? I couldn't find any bug report in bugzilla.gnome.org or any commit fixing this in their git :-/
(In reply to comment #1) > Was this even reported to libxml2 upstream? I couldn't find any bug report in > bugzilla.gnome.org or any commit fixing this in their git :-/ My mistake, this is libpng not libxml2. Sorry about that. ;)
In redhat bugzilla - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2501 assigned CVE-2011-2501 fixed in upstream: libpng 1.2.45 libpng 1.4.8 libpng 1.5.4 please bump
(In reply to comment #3) > In redhat bugzilla - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2501 > > assigned CVE-2011-2501 > > fixed in upstream: > > libpng 1.2.45 > libpng 1.4.8 These are now in Portage. Make sure to test apng format because libpng-1.4.8 is using libpng-1.4.7's apng patch. > libpng 1.5.4 Not in Portage yet, but because it's KEYWORDS="", it doesn't block handling this security bug in any way. Will add it soon as matching apng patch is out. Thanks, Samuli
Test (like, really test that apng patch with 1.4.8) and stabilize: =media-libs/libpng-1.4.8 "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" =media-libs/libpng-1.2.45 "amd64 hppa ppc ppc64 x86" No idea why hppa/ppc/ppc64 has stable keywords in SLOT="1.2" but oh well ...
on amd64 both version works as expected.
libpng-1.4.8 is now ppc/ppc64 stable, keywords dropped from :1.2
How do I test specifically against libpng-1.2 on x86? All the software on my system already uses libpng-1.4 (all packages have requirement for libpng-1.2 or higher).
(In reply to comment #8) > How do I test specifically against libpng-1.2 on x86? Pick a binary-only application like nxclient, dialogblocks or eagle... egrep -e "libpng.*1.2" $(portageq portdir)/*/*/*.ebuild | grep -v ">" ...for more ideas.
(In reply to comment #9) > (In reply to comment #8) > > How do I test specifically against libpng-1.2 on x86? > > Pick a binary-only application like nxclient, dialogblocks or eagle... > > egrep -e "libpng.*1.2" $(portageq portdir)/*/*/*.ebuild | grep -v ">" > > ...for more ideas. Thank you for that. Both versions ok for x86.
(In reply to comment #5) > =media-libs/libpng-1.2.45 "amd64 hppa ppc ppc64 x86" > > No idea why hppa/ppc/ppc64 has stable keywords in SLOT="1.2" but oh well ... 04 Jul 2010; Samuli Suominen <ssuominen@gentoo.org> libpng-1.2.44.ebuild, libpng-1.4.3.ebuild: ppc64 stable wrt #324153 You probably had good reasons at the time.
amd64 all ok
+ 11 Jul 2011; Tony Vroon <chainsaw@gentoo.org> libpng-1.2.45.ebuild, + libpng-1.4.8.ebuild: + Marked stable on AMD64 based on arch testing by Ian Delaney, for security bug + #373697 by Tim Sammut.
x86 stable. Many thanks Myckel.
Stable for HPPA.
arm stable
alpha/ia64/m68k/s390/sh/sparc stable
Thanks, everyone. GLSA request filed.
From http://libpng.org/pub/png/libpng.html, it looks like these issues are fixed in 1.2.45 and 1.4.8 too. All released versions of libpng (from 1.0 onward) have a buffer overrun in the code that promotes palette images with transparency (1 channel) to grayscale+alpha images (2 channels), but only for applications that call png_rgb_to_gray() and not png_set_expand(). (None are known.) An arbitrary amount of memory may be overwritten in this case, with arbitrary (attacker-controlled) data. This vulnerability has been assigned ID CVE-2011-2690. libpng 1.2.20 and later crashes in png_default_error() due to internal use of a NULL pointer instead of the empty string (""). This vulnerability has been assigned ID CVE-2011-2691. Many (most?) versions of libpng read uninitialized memory when handling empty sCAL chunks, and they handle malformed sCAL chunks (those lacking a delimiting NULL between the internal strings) incorrectly. This vulnerability has been assigned ID CVE-2011-2692.
CVE-2011-2692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2692): The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory. CVE-2011-2691 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2691): The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image. CVE-2011-2690 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2690): Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image. CVE-2011-2501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2501): The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression.
This issue was resolved and addressed in GLSA 201206-15 at http://security.gentoo.org/glsa/glsa-201206-15.xml by GLSA coordinator Sean Amoss (ackle).
