Summary: | <media-libs/libpng-{1.2.44,1.4.3}: Privilege escalation (CVE-2010-1205) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Samuli Suominen (RETIRED) <ssuominen> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | base-system, dominik, ole+gentoo, stefano.priore, tomka, xmw |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 305053, 305095, 319505, 319509, 319515, 319517, 319541, 319551, 320665, 322741, 322745, 322843, 322907, 324155, 325569 | ||
Bug Blocks: | 325503, 325819, 325847 |
Description
Samuli Suominen (RETIRED)
2010-06-15 16:11:55 UTC
test & stabilize: =media-libs/libpng-1.2.44 (amd64 and x86 should be enough for this version) =media-libs/libpng-1.4.2 (everyone) And the target keeps changing :-) Stabilize: =media-libs/libpng-1.2.44 (amd64 and x86 should be enough for this version) =media-libs/libpng-1.4.3 (everyone) <snip> Several versions of libpng through 1.4.2 (and through 1.2.43 in the older series) contain a bug whereby progressive applications such as web browsers (or the rpng2 demo app included in libpng) could receive an extra row of image data beyond the height reported in the header, potentially leading to an out-of-bounds write to memory (depending on how the application is written) and the possibility of execution of an attacker's code with the privileges of the libpng user (including remote compromise in the case of a libpng-based browser visiting a hostile web site). This vulnerability has been assigned ID CVE-2010-1205 (via Mozilla). An additional memory-leak bug, involving images with malformed sCAL chunks, is also present; it could lead to an application crash (denial of service) when viewing such images. Both bugs are fixed in versions 1.4.3 and 1.2.44, released 25 June 2010. </snip> amd64 stable Stable for HPPA. It's probably just me, but the current 1.2.44 ebuild does not work for me on x86. It says "this ebuild is only for the libpng12.so.0 SONAME for ABI compat" and installs a libpng12.so.0 file only - no headers, no symlinks, nothing else. libpng-dependent applications won't compile with that. To reproduce: $ emerge --unmerge libpng $ emerge "=libpng-1.2.44" $ equery files libpng Is that an intended behaviour? (In reply to comment #5) > Is that an intended behaviour? Yes, you get the headers/symlink/... from 1.4.3 (which is pulled in by the upgrade). 1.2.44 is only for binary apps, like vmware-server. Archtested on x86: The rebuild went OK. I ran into a couple of already fixed issues and bug 320669, which is probably unrelated. (In reply to comment #6) > Yes, you get the headers/symlink/... from 1.4.3 (which is pulled in by the > upgrade). 1.2.44 is only for binary apps, like vmware-server. To me this is a disappointing solution. I mean, if I $ emerge "=libpng-1.2.44" I expect to get the whole thing. Especially if it's a critical bugfix release. In my mind, if I for some reason do not want to upgrade to 1.4 now then Gentoo shouldn't get in my way. As a personal solution I've cooked my own 1.2.44 ebuild from the 1.2.43-r2 ebuild, and it works fine. But this is a bit odd. Florian There is no reason to not upgrade to 1.4.3. Well. In my case I just wanted a quick bugfix and postpone a possible thorough revdep-rebuild until later. In the long run you are of course right. x86 stable, thanks Thomas, my rebuilts also went fine In my case revdep-rebuild showed only some non-critical packages depending on libpng12 (like obex). I still can't compile new packages. Using trial-and-error I figured to remerge cairo and pango but still lots of packages can't be merged. Then I made my own libpng:1.2 ebuild which has libpng12.so and libpng12.la and all problems went away. I want to stress this once again: revdep-rebuild showed none critical packages. I've had similar problems and reverted. I didn't have enough time to look at it, though. ppc64 stable Stable on alpha. arm/ia64/m68k/s390/sh/sparc stable Marked ppc stable. CVE-2010-1205 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1205): Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row. Samuli: only change the whiteboard to glsa, after it was filed in our glsamaker tool. As only the security team adds glsas there, it's safe to say that you should never change the whiteboard to [glsa]. GLSA 201010-01 |