Bug 507372 - GLSA 201206-15 matches media-libs/libpng-1.2.51
Summary: GLSA 201206-15 matches media-libs/libpng-1.2.51
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Keywords: PATCH
Reported: 2014-04-11 06:57 UTC by Ulrich Müller
Modified: 2014-06-02 17:09 UTC

Attachments
Update to glsa (glsa-201206-15.xml.patch,429 bytes, patch)
2014-06-02 12:42 UTC, David Flogeras

Description Ulrich Müller gentoo-dev 2014-04-11 06:57:08 UTC
$ glsa-check -p 201206-15
Checking GLSA 201206-15
>>> No upgrade path exists for these packages:
     media-libs/libpng-1.2.51

Presumably, the list of unaffected versions needs an update.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-04-11 07:09:26 UTC
1.2.51 is not vulnerable, and neither is 1.5.18; both are going stable from bug 503014.

GLSA is broken.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2014-04-11 07:11:51 UTC
Don't know how specific the GLSA needs to be, but...

emerge --oneshot --noreplace '>=media-libs/libpng-1.2.51:1.2'
emerge --oneshot --noreplace '>=media-libs/libpng-1.5.18:1.5'
emerge --oneshot --noreplace '>=media-libs/libpng-1.6.10:0'
Comment 3 Ulrich Müller gentoo-dev 2014-04-11 07:18:09 UTC
Currently the GLSA says:
Vulnerable:        <1.5.10
Unaffected:        >=1.5.10, >=~1.2.49, >=~1.2.50

So it looks like it needs to be updated for 1.2* only.
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2014-04-11 09:21:32 UTC
Vulnerable ones: < 1.5.10:0, < 1.5.10:1.5, <1.2.49:1.2
Unvulnerable ones: >=1.5.10:0, >=1.5.10:1.5, >=1.2.49:1.2
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2014-04-11 09:23:42 UTC
First one should be... "all users are recommended to upgrade to latest"... albeit it will pull in 1.6 nowadays, but that's irrelevant, so:

emerge --ask --oneshot --verbose ">=media-libs/libpng-1.5.10:0"

second... "all slot 1.5 users should..."

emerge --ask --oneshot --verbose ">=media-libs/libpng-1.5.10:1.5"

third... "all 1.2 slot users should..."

emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.49:1.2"
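
Why 1.2.51 is flagged under the ranges quoted in Comment 3 but not under the slot-aware ranges proposed in Comment 4, as an added example (not part of the thread and not Portage's or glsa-check's code). It assumes `>=~` matches only revisions of the exact version named and uses a simplified numeric version parser; all function and variable names are hypothetical.

```python
import operator
import re

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}

def parse(ver):
    """Split '1.2.51-r1' into ((1, 2, 51), 1); plain numeric versions only."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if m is None:
        raise ValueError(f"unsupported version: {ver!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def in_range(installed, slot, rng):
    """rng is (operator, version, slot-or-None); None means any slot."""
    op, ver, rng_slot = rng
    if rng_slot is not None and rng_slot != slot:
        return False
    (inst_ver, inst_rev), (rng_ver, rng_rev) = parse(installed), parse(ver)
    if op.endswith("~"):
        # Assumption: a "~" operator compares only the -rN revision and
        # requires the base version to be identical.
        return inst_ver == rng_ver and OPS[op[:-1]](inst_rev, rng_rev)
    return OPS[op]((inst_ver, inst_rev), (rng_ver, rng_rev))

def flagged(installed, slot, glsa):
    """True if a vulnerable range matches and no unaffected range does."""
    hit = any(in_range(installed, slot, r) for r in glsa["vulnerable"])
    safe = any(in_range(installed, slot, r) for r in glsa["unaffected"])
    return hit and not safe

# Ranges as quoted in Comment 3 (no slot information).
GLSA_COMMENT_3 = {
    "vulnerable": [("<", "1.5.10", None)],
    "unaffected": [(">=", "1.5.10", None), (">=~", "1.2.49", None),
                   (">=~", "1.2.50", None)],
}
# Slot-aware ranges as proposed in Comment 4.
GLSA_COMMENT_4 = {
    "vulnerable": [("<", "1.5.10", "0"), ("<", "1.5.10", "1.5"),
                   ("<", "1.2.49", "1.2")],
    "unaffected": [(">=", "1.5.10", "0"), (">=", "1.5.10", "1.5"),
                   (">=", "1.2.49", "1.2")],
}

if __name__ == "__main__":
    for ver, slot in [("1.2.50", "1.2"), ("1.2.51", "1.2"), ("1.6.10", "0")]:
        print(ver, flagged(ver, slot, GLSA_COMMENT_3),
              flagged(ver, slot, GLSA_COMMENT_4))
```

Under the Comment 3 ranges every new 1.2.x release needs its own unaffected entry, which is why the stabilisation of 1.2.51 produced the false match.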
Comment 6 Frank Krömmelbein 2014-04-11 10:24:58 UTC
Same here, and some more wrong GLSAs

glsa-check -t all
This system is affected by the following GLSAs:
201209-02
201206-15
201010-01

glsa-check -p 201209-02
Checking GLSA 201209-02
>>> No upgrade path exists for these packages:
     media-libs/tiff-3.9.7-r1

glsa-check -p 201206-15
Checking GLSA 201206-15
>>> No upgrade path exists for these packages:
     media-libs/libpng-1.2.51

glsa-check -p 201010-01
Checking GLSA 201010-01
>>> No upgrade path exists for these packages:
     media-libs/libpng-1.2.51


eix -Ic libpng
[I] media-libs/libpng (1.2.51(1.2)@11.04.2014 1.6.10@11.04.2014): Portable Network Graphics library

eix -Ic tiff
[I] media-libs/tiff (3.9.7-r1(3)@08.04.2014 4.0.3-r6@23.03.2014): Tag Image File Format (TIFF) library

The latest packages for all slots are already installed. Also all are marked as stable.
Comment 7 Frank Krömmelbein 2014-05-18 12:22:42 UTC
GLSA is still broken and reports wrong positives...
Is really no one interested in resolving these errors?
Comment 8 David Flogeras 2014-06-02 12:42:57 UTC
Created attachment 378064
Update to glsa

This got rid of the (false) glsa warning on my setup
Comment 9 Sergey Popov gentoo-dev 2014-06-02 14:07:56 UTC
Thanks guys, fixes committed
Comment 10 Frank Krömmelbein 2014-06-02 17:09:50 UTC
@David Flogeras & Sergey Popov 
Thank you very much for fixing this nasty bug!


glsa-check -t all
This system is not affected by any of the listed GLSAs