Bug 123286

Summary: media-gfx/pngcrush: multiple vulnerabilities
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: graphics+disabled, taviso
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Carsten Lohrke (RETIRED) gentoo-dev 2006-02-18 08:02:30 UTC
These applications include a slightly modified zlib and also libpng, both outdated and vulnerable (see relevant GLSAs). optipng-0.5 and pngcrush-1.6.2 need to go stable.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-18 08:24:28 UTC
optipng is safe, had already been fixed (somebody bumped it without my permission, but it still is safe).
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-02-21 10:45:16 UTC
Hm. pngcrush is no-herd. Carsten, Tavis, graphics herd, any takers ?
Comment 3 Marcelo Goes (RETIRED) gentoo-dev 2006-02-21 10:55:10 UTC
Bumped to 1.6.2 in cvs.
Comment 4 Carsten Lohrke (RETIRED) gentoo-dev 2006-02-21 11:02:39 UTC
(In reply to comment #2)
> Hm. pngcrush is no-herd. Carsten, Tavis, graphics herd, any takers ?

Committed before I filed the bug.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-02-22 10:00:45 UTC
Arches please test and mark pngcrush-1.6.2 stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-02-22 11:48:14 UTC
ppc stable
Comment 7 Joshua Jackson (RETIRED) gentoo-dev 2006-02-22 22:31:49 UTC
x86 stable
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-24 07:13:08 UTC
From upstream homepage: Pngcrush, when statically linked to the supplied zlib code, is believed to be immune to the zlib-1.1.3 "double-free" bug, since by default it detects and rejects any "double-free" attempt. It merely generates a "Decompression Error" message and rejects the file.

So, do we believe that, too (-> only libpng issues left)?
Comment 9 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-24 07:28:14 UTC
Yes, but there's also been the zlib heap overflow since then, and pngcrush is definitely vulnerable to that:

$ pngcrush -q zlib-testcase.png foo.png
While converting zlib-testcase.png to foo.png:
  pngcrush caught libpng error:
   incomplete literal/length tree

Segmentation fault (core dumped)

I have a testcase png image here
http://dev.gentoo.org/~taviso/files/zlib/zlib-testcase.png
Comment 10 Simon Stelling (RETIRED) gentoo-dev 2006-02-27 10:43:58 UTC
I can confirm the segfault in comment #9, think this should go back to ebuild status. Or is it a different issue and should I mark it stable on amd64 nevertheless?
Comment 11 Marcelo Goes (RETIRED) gentoo-dev 2006-02-27 18:10:01 UTC
I can confirm the segfault, too. I had a look at the zlib code included with pngcrush-1.6.2 and indeed it is version 1.2.3. So, I don't know what to do/where to look.
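The version check done by hand in comment 11 (reading the zlib copy shipped inside pngcrush) is the kind of thing worth automating for any package that vendors zlib or libpng. The script below is an added example, not code from the bug or from pngcrush: it walks a source tree, pulls the version string out of every vendored zlib.h and png.h, and flags copies older than a minimum. The minimum versions and the sample headers it builds are constructed placeholders, not values stated in the bug.

```python
"""Flag vendored zlib/libpng copies in a source tree that are older than a minimum."""
import re
import tempfile
from pathlib import Path

# Header file -> macro that carries that library's version string.
VERSION_MACROS = {
    "zlib.h": "ZLIB_VERSION",
    "png.h": "PNG_LIBPNG_VER_STRING",
}

# Assumed minimum acceptable versions (placeholders; set from the GLSAs you track).
MINIMUMS = {
    "zlib.h": (1, 2, 3),
    "png.h": (1, 2, 8),
}


def parse_version(text, macro):
    """Return the numeric version tuple from a '#define MACRO "x.y.z"' line, or None.

    A pre-release suffix such as "1.2.8beta1" is ignored; only the digits count.
    """
    pattern = r'#\s*define\s+%s\s+"([0-9][0-9.]*)[^"]*"' % re.escape(macro)
    m = re.search(pattern, text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def scan_tree(root, minimums):
    """Return [(relative path, found version, minimum)] for every outdated vendored header."""
    outdated = []
    for header, macro in VERSION_MACROS.items():
        for path in Path(root).rglob(header):
            found = parse_version(path.read_text(errors="replace"), macro)
            if found is not None and found < minimums[header]:
                outdated.append((path.relative_to(root).as_posix(), found, minimums[header]))
    return outdated


def demo():
    """Build a constructed tree with an old zlib and a current libpng, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "zlib").mkdir()
        (root / "zlib" / "zlib.h").write_text('#define ZLIB_VERSION "1.1.3"\n')
        (root / "libpng").mkdir()
        (root / "libpng" / "png.h").write_text('#define PNG_LIBPNG_VER_STRING "1.2.8"\n')
        return scan_tree(root, MINIMUMS)


if __name__ == "__main__":
    for rel, found, minimum in demo():
        print("%s: found %s, minimum %s" % (rel, found, minimum))
```

Point scan_tree at an unpacked source tarball; an empty result means every vendored copy meets the minimum, but a build that links the bundled copy statically still needs a rebuild whenever that minimum moves.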
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-28 08:17:32 UTC
blubb, vanquirius: does the segfault happen with the latest patches and security fixes applied (afaik, that should be version 1.6.2)?
Comment 13 Marcelo Goes (RETIRED) gentoo-dev 2006-02-28 14:55:02 UTC
Yup. Which is not a good thing.
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-01 08:03:47 UTC
Ok, taviso had a look at it and stated that this is nothing with a security impact. Do you (arches) think this is minor enough to ignore, so you can stable nevertheless? If not, I'll put it back to ebuild status.
Comment 15 Simon Stelling (RETIRED) gentoo-dev 2006-03-01 13:48:39 UTC
Yeah, I think so. Would be nice to get it fixed nevertheless though.

marked stable
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-21 05:34:55 UTC
Carsten thanks for reporting (again).

GLSA 200603-18