Bug#: 123286
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Carsten Lohrke <carlo@gentoo.org>
Description:   Opened: 2006-02-18 08:02 0000
These applications include a slightly modified zlib and also libpng, both
outdated and vulnerable (see relevant GLSAs). optipng-0.5 and pngcrush-1.6.2
need to go stable.

------- Comment #1 From Tavis Ormandy (RETIRED) 2006-02-18 08:24:28 0000 -------
optipng is safe, had already been fixed (somebody bumped it without my
permission, but it still is safe).

------- Comment #2 From Thierry Carrez (RETIRED) 2006-02-21 10:45:16 0000 -------
Hm. pngcrush is no-herd. Carsten, Tavis, graphics herd, any takers?

------- Comment #3 From Marcelo Goes 2006-02-21 10:55:10 0000 -------
Bumped to 1.6.2 in cvs.

------- Comment #4 From Carsten Lohrke 2006-02-21 11:02:39 0000 -------
(In reply to comment #2)
> Hm. pngcrush is no-herd. Carsten, Tavis, graphics herd, any takers?

Committed before I filed the bug.

------- Comment #5 From Thierry Carrez (RETIRED) 2006-02-22 10:00:45 0000 -------
Arches please test and mark pngcrush-1.6.2 stable

------- Comment #6 From Tobias Scherbaum 2006-02-22 11:48:14 0000 -------
ppc stable

------- Comment #7 From Joshua Jackson 2006-02-22 22:31:49 0000 -------
x86 stable

------- Comment #8 From Stefan Cornelius (RETIRED) 2006-02-24 07:13:08 0000 -------
From upstream homepage: Pngcrush, when statically linked to the supplied zlib
code, is believed to be immune to the zlib-1.1.3 "double-free" bug, since by
default it detects and rejects any "double-free" attempt. It merely generates a
"Decompression Error" message and rejects the file.

So, do we believe that, too (-> only libpng issues left)?

------- Comment #9 From Tavis Ormandy (RETIRED) 2006-02-24 07:28:14 0000 -------
Yes, but there's also been the zlib heap overflow since then, and pngcrush is
definitely vulnerable to that:

$ pngcrush -q zlib-testcase.png foo.png
While converting zlib-testcase.png to foo.png:
  pngcrush caught libpng error:
   incomplete literal/length tree

Segmentation fault (core dumped)

I have a testcase png image here
http://dev.gentoo.org/~taviso/files/zlib/zlib-testcase.png

------- Comment #10 From Simon Stelling (RETIRED) 2006-02-27 10:43:58 0000 -------
I can confirm the segfault in comment #9; I think this should go back to ebuild
status. Or is it a different issue, and should I mark it stable on amd64
nevertheless?

------- Comment #11 From Marcelo Goes 2006-02-27 18:10:01 0000 -------
I can confirm the segfault, too. I had a look at the zlib code included with
pngcrush-1.6.2 and indeed it is version 1.2.3. So, I don't know what to
do/where to look.

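The underlying problem in this thread is a statically bundled copy of zlib (and libpng) that the package manager's own dependency tracking cannot see. As an added example, not code from this bug or from pngcrush, the following Python checker scans a binary image for the copyright/version strings that zlib and libpng embed and reports copies older than a configured minimum. The sample bytes and the minimum versions are constructed placeholders, not values taken from this bug.

```python
import re

# Constructed stand-in for the bytes of a statically linked binary. The zlib
# strings follow the format of inflate_copyright/deflate_copyright in zlib's
# sources; the libpng string follows png_get_copyright(). Not a real binary.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00"
    + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
    + b"\n libpng version 1.2.8 - December 3, 2004\n\x00"
    + b"pngcrush\x00"
)

# Hypothetical policy: lowest acceptable bundled version per library. Take the
# real values from the GLSAs you are tracking; these are placeholders.
MIN_VERSIONS = {"zlib": (1, 2, 3), "libpng": (1, 2, 8)}

PATTERNS = {
    "zlib": re.compile(rb"(?:inflate|deflate) (\d+)\.(\d+)\.(\d+) Copyright"),
    "libpng": re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)"),
}


def find_bundled_versions(blob: bytes) -> dict:
    """Return {library: set of (major, minor, patch)} found as strings in blob."""
    found = {}
    for lib, pat in PATTERNS.items():
        versions = {tuple(int(g) for g in m.groups()) for m in pat.finditer(blob)}
        if versions:
            found[lib] = versions
    return found


def check_bundled(blob: bytes, minimums=MIN_VERSIONS) -> list:
    """Return [(library, 'x.y.z', 'ok'|'outdated')] for every bundled copy.

    A binary that links the system library dynamically normally carries no
    such string, so an empty result means 'nothing bundled', not 'safe'."""
    report = []
    for lib, versions in find_bundled_versions(blob).items():
        for v in sorted(versions):
            status = "ok" if v >= minimums[lib] else "outdated"
            report.append((lib, ".".join(map(str, v)), status))
    return report


def scan_file(path: str) -> list:
    """Run the check over a file on disk (e.g. an installed pngcrush binary)."""
    with open(path, "rb") as f:
        return check_bundled(f.read())


if __name__ == "__main__":
    for lib, ver, status in check_bundled(SAMPLE_BINARY):
        print(f"{lib} {ver}: {status}")
```
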
------- Comment #12 From Stefan Cornelius (RETIRED) 2006-02-28 08:17:32 0000 -------
blubb, vanquirius: does the segfault happen with the latest patches and
security fixes applied (afaik, that should be version 1.6.2)?

------- Comment #13 From Marcelo Goes 2006-02-28 14:55:02 0000 -------
Yup. Which is not a good thing.

------- Comment #14 From Stefan Cornelius (RETIRED) 2006-03-01 08:03:47 0000 -------
Ok, taviso had a look at it and stated that this is nothing with a security
impact. Do you (arches) think this is minor enough to ignore, so you can stable
nevertheless? If not, I'll put it back to ebuild status.

------- Comment #15 From Simon Stelling (RETIRED) 2006-03-01 13:48:39 0000 -------
Yeah, I think so. Would be nice to get it fixed nevertheless, though.

marked stable

------- Comment #16 From Sune Kloppenborg Jeppesen 2006-03-21 05:34:55 0000 -------
Carsten, thanks for reporting (again).

GLSA 200603-18