Summary: | <media-libs/libpng-1.6.39: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | psp <gentoo-bugzilla> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | base-system, codec, graphics+disabled, robbat2 |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6129 | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | | Runtime testing required: | ---
Bug Depends on: | 888445 | ||
Bug Blocks: | | ||
Description
psp
2019-01-29 01:32:42 UTC
Maintainers please advise if this is fixed in the current stabilization: media-libs/libpng-1.6.37

This is an error in media-gfx/pngtools, not in media-libs/libpng. Disputed upstream and minor impact if any as noted by upstream devs.

(In reply to Thomas Deutschmann (RETIRED) from comment #2)
> This is an error in media-gfx/pngtools, not in media-libs/libpng.

libpng has in its 1.6.39 release notes:

"""
Changes from version 1.6.38 to version 1.6.39
---------------------------------------------
* Changed the error handler of oversized chunks (i.e. larger than PNG_USER_CHUNK_MALLOC_MAX) from png_chunk_error to png_benign_error.
* Fixed a buffer overflow error in contrib/tools/pngfix.
* Fixed a memory leak (CVE-2019-6129) in contrib/tools/pngcp.
* Disabled the ARM Neon optimizations by default in the CMake file, following the default behavior of the configure script.
* Allowed configure.ac to work with the trunk version of autoconf.
* Removed the support for "install" targets from the legacy makefiles; removed the obsolete makefile.cegcc.
* Cleaned up the code and updated the internal documentation.
"""

Commit: https://github.com/glennrp/libpng/commit/8a5732fcb30b8afc4d3c23144acf2b502bb80122

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5a70f4df7b0f6d27095900c2fa9073d393bb88e

commit d5a70f4df7b0f6d27095900c2fa9073d393bb88e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-11-21 07:19:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-11-21 08:08:01 +0000

    media-libs/libpng: add 1.6.39

    Bug: https://bugs.gentoo.org/676680
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libpng/Manifest             |  1 +
 media-libs/libpng/libpng-1.6.39.ebuild | 51 ++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

Multiple vulnerabilities due to the pngfix buffer overflow fix. That binary is installed in Gentoo, but I don't think it's worth a GLSA.

So, all done.