Bug 219033 - media-gfx/pngcrush <1.6.4-r1 includes libpng with memory overwrite vulnerability (CVE-2008-1382)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://libpng.sourceforge.net/Advisor...
Whiteboard: B2 [glsa]
Reported: 2008-04-23 14:24 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-05-11 21:48 UTC
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-04-23 14:24:50 UTC
media-gfx/pngcrush bundles a slightly modified libpng (version libpng-1.2.9rc1 in case of pngcrush-1.6.4) and is as such vulnerable to CVE-2008-1382, as noted explicitly in the libpng advisory (user _mika submitted the link yesterday in #gentoo-security, so I took a look).

We already have the latest pngcrush version in the tree (1.6.4 from June 2006), so one either has to upgrade the bundled libpng or switch to using the external one (which is, according to the upstream homepage, possible, but possibly has some drawbacks; I have not tried to test it myself).

For properly rating this vulnerability, we'd probably have to check if other libpng vulnerabilities were discovered after libpng-1.2.9rc1 and affected pngcrush as such.

drac already said he'd have a look today.


(The advisory also mentions imagemagick, but in our case it uses the system libpng (dynamically loaded, not linked), so it should be fine).

The original libpng issue was handled in bug 217047.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-04-23 14:32:04 UTC
Yet another attempt at setting whiteboard (security, let me know if it annoys you more than it helps :p).
B as pngcrush is certainly not that common, 2 since it allows for (controlled?) memory overwrite. Setting [ebuild] as it is very unlikely that upstream releases something after two years of inactivity and as the easiest way to solve it is probably using the system libpng (and maybe zlib as well, while we are at it?).
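An added example, not part of the bug thread and not Gentoo's or pngcrush's own code: a scan of an unpacked source tree for bundled libpng and zlib copies, the situation the description and comment 1 discuss, reporting the version each header declares. The sample tree is constructed, and treating `pngrutil.c` and `inflate.c` as indicators that the library sources themselves are bundled is an assumption of this example.

```python
import os
import re
import tempfile

# header -> (library, version macro defined in that header, one implementation file)
MARKERS = {
    "png.h": ("libpng", r'#\s*define\s+PNG_LIBPNG_VER_STRING\s+"([^"]+)"', "pngrutil.c"),
    "zlib.h": ("zlib", r'#\s*define\s+ZLIB_VERSION\s+"([^"]+)"', "inflate.c"),
}

def find_bundled(tree):
    """Return sorted (library, version, header path, implementation_present)."""
    hits = []
    for root, _dirs, files in os.walk(tree):
        for header in set(files) & set(MARKERS):
            lib, macro, impl = MARKERS[header]
            path = os.path.join(root, header)
            # Old C headers are not always UTF-8; latin-1 decodes any byte.
            with open(path, encoding="latin-1") as fh:
                match = re.search(macro, fh.read())
            version = match.group(1) if match else "unknown"
            # A header alone may only be an include copy; the .c file next to
            # it means the library code itself is compiled into the program.
            hits.append((lib, version, os.path.relpath(path, tree), impl in files))
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample tree (not the real pngcrush sources)."""
    samples = {
        "png.h": '#define PNG_LIBPNG_VER_STRING "1.2.9rc1"\n',
        "pngrutil.c": "/* bundled libpng implementation file */\n",
        "zlib.h": '#define ZLIB_VERSION "0.0.0-sample"\n',
        "pngcrush.c": "/* application source */\n",
    }
    for name, body in samples.items():
        with open(os.path.join(base, name), "w") as fh:
            fh.write(body)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for lib, version, path, impl in find_bundled(build_sample_tree(tmp)):
            kind = "sources bundled" if impl else "header only"
            print(f"{lib} {version} at {path} ({kind})")
```

The reported version is what to compare against the affected range given in the library's own advisory.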
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2008-04-23 15:49:13 UTC
*pngcrush-1.6.4-r1 (23 Apr 2008)

  23 Apr 2008; Samuli Suominen <drac@gentoo.org>
  +files/pngcrush-1.6.4-modified-debian-patchset-5.patch,
  +pngcrush-1.6.4-r1.ebuild:
  Stop including vulnerable libpng, and use system libpng instead. Debian
  mirrors a tarball with included libpng files deleted, so we are using that
  one applying Debian patchset -5 on top of it. After that we fix the
  remaining issues from Makefile. Thanks to _mika and hoffie from 
  #gentoo-security at Freenode.
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2008-04-23 15:56:33 UTC
(In reply to comment #2)
> *pngcrush-1.6.4-r1 (23 Apr 2008)
> 
>   23 Apr 2008; Samuli Suominen <drac@gentoo.org>
>   +files/pngcrush-1.6.4-modified-debian-patchset-5.patch,
>   +pngcrush-1.6.4-r1.ebuild:
>   Stop including vulnerable libpng, and use system libpng instead. Debian
>   mirrors a tarball with included libpng files deleted, so we are using that
>   one applying Debian patchset -5 on top of it. After that we fix the
>   remaining issues from Makefile. Thanks to _mika and hoffie from 
>   #gentoo-security at Freenode.

bleah that looked fugly plus we have this bug, 

*pngcrush-1.6.4-r1 (23 Apr 2008)

  23 Apr 2008; Samuli Suominen <drac@gentoo.org>
  +files/pngcrush-1.6.4-modified-debian-patchset-5.patch,
  +pngcrush-1.6.4-r1.ebuild:
  Use system libpng wrt security #219033, thanks to _mika and hoffie.
  Using modified Debian patchset -5.

Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 16:04:28 UTC
Arches, please test and mark stable:
=media-gfx/pngcrush-1.6.4-r1
Target keywords : "amd64 ppc release x86"
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2008-04-23 18:57:48 UTC
amd64 stable, thanks to gentoofan23 for testing
Comment 6 Markus Meier gentoo-dev 2008-04-23 21:13:39 UTC
x86 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-24 19:07:40 UTC
ppc stable
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2008-04-26 09:34:52 UTC
Fixed in release snapshot.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-05 21:29:25 UTC
glsa request filed
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-11 21:48:04 UTC
GLSA 200805-10