Bug#: 219033
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Christian Hoffmann <hoffie@gentoo.org>
Description:   Opened: 2008-04-23 14:24 0000
media-gfx/pngcrush bundles a slightly modified libpng (version libpng-1.2.9rc1
in case of pngcrush-1.6.4) and is as such vulnerable to CVE-2008-1382, as noted
explicitly in the libpng advisory (user _mika submitted the link yesterday in
#gentoo-security, so I took a look).

We already have the latest pngcrush version in the tree (1.6.4 from June 2006),
so one either has to upgrade the bundled libpng or switch to using the external
one (which is, according to the upstream homepage, possible, but possibly has
some drawbacks; I have not tried to test it myself).

For properly rating this vulnerability, we'd probably have to check if other
libpng vulnerabilities were discovered after libpng-1.2.9rc1 and affected
pngcrush as such.

drac already said he'd have a look today.


(The advisory also mentions imagemagick, but in our case it uses the system
libpng (dynamically loaded, not linked), so it should be fine).

The original libpng issue was handled in bug 217047.
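A defender's check for the situation the report describes: does a given pngcrush binary carry its own compiled-in libpng copy, and if so, is that copy older than the release that fixed the issue? This is an added shell example, not code from this bug or from the Gentoo ebuild; the `ldd` and `strings` sample lines are constructed, and the fixed libpng version is a caller-supplied assumption because the bug does not name it.

```shell
# Constructed sample inputs (not captured from a real system): what `ldd` and
# `strings` could print for a pngcrush binary, with and without a bundled libpng.
SAMPLE_LDD_BUNDLED='        libz.so.1 => /lib/libz.so.1 (0x00007f0000001000)
        libc.so.6 => /lib/libc.so.6 (0x00007f0000002000)'
SAMPLE_LDD_SYSTEM='        libpng12.so.0 => /usr/lib/libpng12.so.0 (0x00007f0000003000)
        libz.so.1 => /lib/libz.so.1 (0x00007f0000001000)'
SAMPLE_STRINGS='pngcrush 1.6.4
 libpng version 1.2.9rc1 - March 31, 2006
 Copyright (c) 1998-2006 Glenn Randers-Pehrson'

# "system" when the ldd output lists a shared libpng, "bundled" otherwise
# (a bundled copy is compiled in, so it never shows up as a DT_NEEDED entry).
libpng_linkage() {
    printf '%s\n' "$1" | grep -q 'libpng[0-9]*\.so' && echo system || echo bundled
}

# Pull the version out of the "libpng version X" banner libpng embeds in its
# copyright string, which `strings` exposes even for a statically bundled copy.
libpng_embedded_version() {
    printf '%s\n' "$1" | sed -n 's/^ *libpng version \([0-9][0-9.]*[a-z0-9]*\).*/\1/p' | head -n 1
}

# Compare $1 against $2: prints older, same or newer. Compares major.minor.patch
# numerically; a release-candidate suffix (1.2.9rc1) ranks below the final 1.2.9.
libpng_vercmp() {
    a_num=${1%%[a-z]*}; b_num=${2%%[a-z]*}
    a_rc=${1#"$a_num"};  b_rc=${2#"$b_num"}
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s\n' "$a_num" | cut -d. -f"$i"); b=$(printf '%s\n' "$b_num" | cut -d. -f"$i")
        [ "${a:-0}" -lt "${b:-0}" ] && { echo older; return; }
        [ "${a:-0}" -gt "${b:-0}" ] && { echo newer; return; }
        i=$((i + 1))
    done
    if [ -n "$a_rc" ] && [ -z "$b_rc" ]; then echo older
    elif [ -z "$a_rc" ] && [ -n "$b_rc" ]; then echo newer
    else echo same; fi
}

# Verdict for one binary. $3 is the first libpng release carrying the fix; it is
# a caller-supplied assumption, since this bug does not state that version.
assess_pngcrush() {
    [ "$(libpng_linkage "$1")" = system ] && { echo system-libpng; return; }
    ver=$(libpng_embedded_version "$2")
    case $(libpng_vercmp "$ver" "$3") in
        older) echo "bundled-$ver-vulnerable" ;;
        *)     echo "bundled-$ver-patched" ;;
    esac
}
```

On a real host, feed `assess_pngcrush "$(ldd /usr/bin/pngcrush)" "$(strings /usr/bin/pngcrush)" <fixed-version>`; a `-r1`-style build that uses the system library should report `system-libpng`, at which point the libpng package itself is what needs auditing.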

------- Comment #1 From Christian Hoffmann 2008-04-23 14:32:04 0000 -------
Yet another attempt at setting whiteboard (security, let me know if it annoys
you more than it helps :p).
B as pngcrush is certainly not that common, 2 since it allows for (controlled?)
memory overwrite. Setting [ebuild] as it is very unlikely that upstream
releases something after two years of inactivity and as the easiest way to
solve it is probably using the system libpng (and maybe zlib as well, while we
are at it?).

------- Comment #2 From Samuli Suominen 2008-04-23 15:49:13 0000 -------
*pngcrush-1.6.4-r1 (23 Apr 2008)

  23 Apr 2008; Samuli Suominen <drac@gentoo.org>
  +files/pngcrush-1.6.4-modified-debian-patchset-5.patch,
  +pngcrush-1.6.4-r1.ebuild:
  Stop including vulnerable libpng, and use system libpng instead. Debian
  mirrors a tarball with included libpng files deleted, so we are using that
  one applying Debian patchset -5 on top of it. After that we fix the
  remaining issues from Makefile. Thanks to _mika and hoffie from
  #gentoo-security at Freenode.

------- Comment #3 From Samuli Suominen 2008-04-23 15:56:33 0000 -------
(In reply to comment #2)
> *pngcrush-1.6.4-r1 (23 Apr 2008)
> 
>   23 Apr 2008; Samuli Suominen <drac@gentoo.org>
>   +files/pngcrush-1.6.4-modified-debian-patchset-5.patch,
>   +pngcrush-1.6.4-r1.ebuild:
>   Stop including vulnerable libpng, and use system libpng instead. Debian
>   mirrors a tarball with included libpng files deleted, so we are using that
>   one applying Debian patchset -5 on top of it. After that we fix the
>   remaining issues from Makefile. Thanks to _mika and hoffie from
>   #gentoo-security at Freenode.

bleah that looked fugly plus we have this bug, 

*pngcrush-1.6.4-r1 (23 Apr 2008)

  23 Apr 2008; Samuli Suominen <drac@gentoo.org>
  +files/pngcrush-1.6.4-modified-debian-patchset-5.patch,
  +pngcrush-1.6.4-r1.ebuild:
  Use system libpng wrt security #219033, thanks to _mika and hoffie.
  Using modified Debian patchset -5.

> 

------- Comment #4 From Robert Buchholz 2008-04-23 16:04:28 0000 -------
Arches, please test and mark stable:
=media-gfx/pngcrush-1.6.4-r1
Target keywords : "amd64 ppc release x86"

------- Comment #5 From Samuli Suominen 2008-04-23 18:57:48 0000 -------
amd64 stable, thanks to gentoofan23 for testing

------- Comment #6 From Markus Meier 2008-04-23 21:13:39 0000 -------
x86 stable

------- Comment #7 From Tobias Scherbaum 2008-04-24 19:07:40 0000 -------
ppc stable

------- Comment #8 From Peter Volkov 2008-04-26 09:34:52 0000 -------
Fixed in release snapshot.

------- Comment #9 From Pierre-Yves Rofes 2008-05-05 21:29:25 0000 -------
glsa request filed

------- Comment #10 From Pierre-Yves Rofes 2008-05-11 21:48:04 0000 -------
GLSA 200805-10
