From: http://secunia.com/secunia_research/2010-87/ 1) An integer overflow error within the "pngLoadRawF()" function in glpng.c can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted PNG file in an application using the library. 2) An integer overflow error within the "pngLoadF()" function in glpng.c can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted PNG file in an application using the library. The vulnerabilities are confirmed in version 1.45. Other versions may also be affected.
CVE-2010-1519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1519): Multiple integer overflows in glpng.c in glpng 1.45 allow context-dependent attackers to execute arbitrary code via a crafted PNG image, related to (1) the pngLoadRawF function and (2) the pngLoadF function, leading to heap-based buffer overflows.
No fix available upstream, secunia says "use another library". p.mask it? The only reverse dep is chromium-bsu.
Aquaria also uses this and packages to build this from source are in the works. We have the HOMEPAGE listed as http://www.fifi.org/doc/libglpng-dev/glpng.html but I don't think this was ever really its home. Tons of other software is listed there. Upstream is now http://repo.or.cz/w/glpng.git and I have already prepared additional patches to send to the freedesktop.org games list. Fedora patched the issue here. https://lists.fedoraproject.org/pipermail/scm-commits/2010-September/490376.html I will add this patch to my list.
Created attachment 378534 [details] glpng-1.46.ebuild I was given commit access to the above repository and have released 1.46 with all the fixes. Here is a revised ebuild that is simpler, doesn't need a patch, and supports multilib.
@games, please bump to the fixed version. Thank you
I am in the process of becoming a Gentoo developer and would be happy to become a maintainer for this package if it helps.
(In reply to James Le Cuirot from comment #6) > I am in the process of becoming a Gentoo developer and would be happy to > become a maintainer for this package if it helps. James, for now you can become a proxy maintainer if you would like. To do that contact the proxy maintainer team. You can do that before becoming a full developer.
I doubt anything is going to happen to glpng between now and then so I might as well wait. I've just about done the end quiz so hopefully not too much longer now.
I am now a dev and have bumped the tree version to 1.46. The old version remains because of the stable keywords. Security team, please advise.
I don't like to ping bug reports but this is a CVE and I've done the work so...
Time up! I'll take this into my own hands. Arch teams, please stabilize on amd64, ppc, x86: media-libs/glpng-1.46-r1
amd64 stable
x86 stable
ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Thanks! Old removed. Security, please continue.
Vote: no.
GLSA Vote: No Thank you all. Closing as noglsa.
