Bug 123286 - media-gfx/pngcrush: multiple vulnerabilities
Summary: media-gfx/pngcrush: multiple vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2006-02-18 08:02 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-03-21 05:34 UTC

See Also:
Package list:
Runtime testing required: ---


Description Carsten Lohrke (RETIRED) gentoo-dev 2006-02-18 08:02:30 UTC
These applications include a slightly modified zlib and also libpng, both outdated and vulnerable (see relevant GLSAs). optipng-0.5 and pngcrush-1.6.2 need to go stable.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-18 08:24:28 UTC
optipng is safe, had already been fixed (somebody bumped it without my permission, but it still is safe).
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-02-21 10:45:16 UTC
Hm. pngcrush is no-herd. Carsten, Tavis, graphics herd, any takers ?
Comment 3 Marcelo Goes (RETIRED) gentoo-dev 2006-02-21 10:55:10 UTC
Bumped to 1.6.2 in cvs.
Comment 4 Carsten Lohrke (RETIRED) gentoo-dev 2006-02-21 11:02:39 UTC
(In reply to comment #2)
> Hm. pngcrush is no-herd. Carsten, Tavis, graphics herd, any takers ?

Committed before I filed the bug.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-02-22 10:00:45 UTC
Arches please test and mark pngcrush-1.6.2 stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-02-22 11:48:14 UTC
ppc stable
Comment 7 Joshua Jackson (RETIRED) gentoo-dev 2006-02-22 22:31:49 UTC
x86 stable
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-24 07:13:08 UTC
From upstream homepage: Pngcrush, when statically linked to the supplied zlib code, is believed to be immune to the zlib-1.1.3 "double-free" bug, since by default it detects and rejects any "double-free" attempt. It merely generates a "Decompression Error" message and rejects the file.

So, do we believe that, too (-> only libpng issues left)?
Comment 9 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-24 07:28:14 UTC
Yes, but there's also been the zlib heap overflow since then, and pngcrush is definitely vulnerable to that:

$ pngcrush -q zlib-testcase.png foo.png
While converting zlib-testcase.png to foo.png:
  pngcrush caught libpng error:
   incomplete literal/length tree

Segmentation fault (core dumped)

I have a testcase png image here
Comment 10 Simon Stelling (RETIRED) gentoo-dev 2006-02-27 10:43:58 UTC
I can confirm the segfault in comment #9, think this should go back to ebuild status. Or is it a different issue and should I mark it stable on amd64 nevertheless?
Comment 11 Marcelo Goes (RETIRED) gentoo-dev 2006-02-27 18:10:01 UTC
I can confirm the segfault, too. I had a look at the zlib code included with pngcrush-1.6.2 and indeed it is version 1.2.3. So, I don't know what to do/where to look.
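The root problem in this bug (description and comment 11) is a package that ships its own copies of zlib and libpng, so a system-wide library update does not fix it and someone has to open the bundled sources to see which version they are. The following script is an added example, not part of this bug or of pngcrush: it scans files for the version strings that zlib and libpng embed in their headers and compiled objects and reports any copy older than a minimum you supply. The `MINIMUM` values and the sample blobs are constructed for illustration, and the regular expressions assume the banner formats zlib and libpng have used for years (`deflate 1.2.3 Copyright ...`, `ZLIB_VERSION "1.2.3"`, `libpng version 1.2.8`); verify them against the tree you audit.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Version markers zlib and libpng leave behind.  The deflate/inflate
# copyright banners are compiled into the objects, so they survive into a
# statically linked binary; ZLIB_VERSION and PNG_LIBPNG_VER_STRING only
# exist in the bundled headers.  (Formats assumed from the upstream sources.)
PATTERNS: Dict[str, List[bytes]] = {
    "zlib": [
        rb"(?:deflate|inflate) (\d+\.\d+\.\d+(?:\.\d+)?) Copyright",
        rb'ZLIB_VERSION\s+"(\d+\.\d+\.\d+(?:\.\d+)?)"',
    ],
    "libpng": [
        rb"libpng version (\d+\.\d+\.\d+)",
        rb'PNG_LIBPNG_VER_STRING\s+"(\d+\.\d+\.\d+)"',
    ],
}

# Constructed thresholds for this example only; take the real minimum from
# the relevant GLSA/advisory for the library you are checking.
MINIMUM: Dict[str, str] = {"zlib": "1.2.3", "libpng": "1.2.8"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_bundled_versions(data: bytes) -> Dict[str, List[str]]:
    """Return every zlib/libpng version string found in a blob of bytes."""
    found: Dict[str, set] = {}
    for lib, patterns in PATTERNS.items():
        for pattern in patterns:
            for match in re.finditer(pattern, data):
                found.setdefault(lib, set()).add(match.group(1).decode())
    return {lib: sorted(versions) for lib, versions in found.items()}


def audit(data: bytes, minimum: Dict[str, str] = MINIMUM) -> List[Tuple[str, str, bool]]:
    """List (library, version, outdated) for each bundled copy in the blob."""
    findings = []
    for lib, versions in find_bundled_versions(data).items():
        floor = parse_version(minimum[lib]) if lib in minimum else ()
        for version in versions:
            findings.append((lib, version, parse_version(version) < floor))
    return findings


def audit_tree(root: Path, suffixes: Iterable[str] = (".c", ".h", ""),
               minimum: Dict[str, str] = MINIMUM) -> Dict[str, List[Tuple[str, str, bool]]]:
    """Audit every regular file under root whose suffix is in `suffixes`.

    An empty suffix matches extensionless files such as the built pngcrush
    binary, which is where the compiled-in copyright banners show up.
    """
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            findings = audit(path.read_bytes(), minimum)
            if findings:
                report[str(path)] = findings
    return report


# Constructed sample inputs standing in for a built binary and two headers.
SAMPLE_BINARY = (b"\x7fELF\x00\x00 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \x00"
                 b" inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00")
SAMPLE_OLD_ZLIB_H = b'#define ZLIB_VERSION "1.1.4"\n'
SAMPLE_PNG_H = b'#define PNG_LIBPNG_VER_STRING "1.2.5"\n'

if __name__ == "__main__":
    for name, blob in [("binary", SAMPLE_BINARY), ("zlib.h", SAMPLE_OLD_ZLIB_H),
                       ("png.h", SAMPLE_PNG_H)]:
        for lib, version, outdated in audit(blob):
            status = "OUTDATED" if outdated else "ok"
            print(f"{name}: bundled {lib} {version} -> {status}")
```

Run it on the unpacked pngcrush source directory (or on the built binary) with `audit_tree(Path("pngcrush-1.6.2"))`; a non-empty `outdated` flag in the report is the condition comment 11 established by hand. Because the banner regex matches compiled objects too, the same check works on a package's installed binaries after a bump, which is what an arch tester actually wants to confirm before marking stable.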
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-28 08:17:32 UTC
blubb, vanquirius: does the segfault happen with the latest patches and security fixes applied (afaik, that should be version 1.6.2)?
Comment 13 Marcelo Goes (RETIRED) gentoo-dev 2006-02-28 14:55:02 UTC
Yup. Which is not a good thing.
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-01 08:03:47 UTC
Ok, taviso had a look at it and stated that this is nothing with a security impact. Do you (arches) think this is minor enough to ignore, so you can stable nevertheless? If not, I'll put it back to ebuild status.
Comment 15 Simon Stelling (RETIRED) gentoo-dev 2006-03-01 13:48:39 UTC
Yeah, I think so. Would be nice to get it fixed nevertheless though.

marked stable
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-21 05:34:55 UTC
Carsten thanks for reporting (again).

GLSA 200603-18