Bug 410153 (CVE-2011-3045) - <media-libs/libpng-{1.2.49,1.5.10}: Multiple Vulnerabilities (CVE-2011-{3045,3048})
Summary: <media-libs/libpng-{1.2.49,1.5.10}: Multiple Vulnerabilities (CVE-2011-{3045,...
Status: RESOLVED FIXED
Alias: CVE-2011-3045
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal (vote)
Assignee: Gentoo Security
URL: http://libpng.git.sourceforge.net/git...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2012-03-29 14:08 UTC by Thomas Deutschmann
Modified: 2012-06-22 11:07 UTC

See Also:
Package list:
Runtime testing required: ---
Description Thomas Deutschmann gentoo-dev Security 2012-03-29 14:08:51 UTC
Hi,

please see <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3045>. This affects *every* libpng version. It is a different vulnerability than CVE-2011-3026.

Some hours ago, they released libpng-1.5.10 which contains a fix: <http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=d5a80e094465b2feb448e8d291ea696dc408a097>

Reproducible: Always

Expected Results:
Bump media-libs/libpng to 1.5.10.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-03-29 14:38:02 UTC
Thanks for the bug, Thomas.
Comment 2 Samuli Suominen gentoo-dev 2012-03-29 17:14:23 UTC
There is no apng patch for the 1.5.10 release out yet, and the patch for 1.5.9 doesn't apply because:

1.5.10 would like to #define PNG_HAVE_iCCP to 0x4000 in pngpriv.h, and apng patch for 1.5.9 would like to #define PNG_HAVE_acTL to the same 0x4000 value.

I'm inclined to wait for official apng 1.5.10 patch here.
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2012-03-30 16:58:47 UTC
New apng patch is now available at the usual place...
Comment 4 Samuli Suominen gentoo-dev 2012-03-30 17:35:21 UTC
Please test and stabilize:

=media-libs/libpng-1.2.49 "amd64 x86"
=media-libs/libpng-1.5.10 "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 5 Jeroen Roovers gentoo-dev 2012-03-31 16:29:51 UTC
Stable for HPPA.
Comment 6 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2012-03-31 17:48:30 UTC
amd64/hardened/mixed: ok (emerges fine, I also tested a few rdeps).
Comment 7 Agostino Sarubbo gentoo-dev 2012-04-02 16:42:26 UTC
amd64 stable
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2012-04-03 11:57:50 UTC
x86 stable. Thanks
Comment 9 SpanKY gentoo-dev 2012-04-04 16:01:14 UTC
arm/ia64/m68k/s390/sh done
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-04-05 01:53:24 UTC
CVE-2011-3045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3045):
  Integer signedness error in pngrutil.c in libpng before 1.4.10beta01, as
  used in Google Chrome before 17.0.963.83 and other products, allows remote
  attackers to cause a denial of service (application crash) or possibly
  execute arbitrary code via a crafted PNG file, a different vulnerability
  than CVE-2011-3026.
Comment 11 Michael Harrison 2012-04-06 09:56:05 UTC
(CVE-2012-3048)
This seemed pertinent to add as it applies to the same versions
http://secunia.com/advisories/48587/

A vulnerability has been reported in libpng, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to an error within the "png_set_text_2()" function (pngset.c) when parsing certain text chunks and can be exploited to corrupt heap memory via a specially crafted PNG file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 1.5.10, 1.4.11, 1.2.49, and 1.0.59.

Solution
Update to version 1.5.10, 1.4.11, 1.2.49, or 1.0.59.
Comment 12 Brent Baude (RETIRED) gentoo-dev 2012-04-16 17:58:58 UTC
ppc done
Comment 13 Brent Baude (RETIRED) gentoo-dev 2012-04-17 21:22:25 UTC
ppc64 done
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2012-04-28 18:58:32 UTC
alpha/sparc stable
Comment 15 Sean Amoss gentoo-dev Security 2012-04-29 10:52:20 UTC
Thanks, everyone. Already on existing GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 18:45:56 UTC
CVE-2011-3048 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3048):
  The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x
  before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote
  attackers to cause a denial of service (crash) or execute arbitrary code via
  a crafted text chunk in a PNG image file, which triggers a memory allocation
  failure that is not properly handled, leading to a heap-based buffer
  overflow.
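The failure mode the two advisory texts above describe (the Secunia text in Comment 11 and the NVD text in Comment 16) is an allocation failure that is not handled cleanly and ends in a heap-based buffer overflow. The following is an added, constructed illustration of that pattern; it is not libpng's code, not from this bug or the fix commit, and the exact ordering it shows is a generic reconstruction of the described failure mode, not a claim about what png_set_text_2() does line by line. A growable array of text entries (the kind a PNG reader keeps for tEXt/zTXt/iTXt chunks) is appended to by two versions of the same routine: the flawed one raises its capacity field before the larger block exists, so a failed allocation leaves the bookkeeping claiming more room than the heap actually holds and the next append would write past the end of the old block; the checked one changes state only after every fallible step has succeeded. The names (text_store, append_text_flawed, append_text_checked, fallible_malloc, store_consistent) and the sample keys are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not libpng's code: a growable array of text
 * entries, the kind a PNG reader keeps for tEXt/zTXt/iTXt chunks. */
typedef struct {
    char *key;
    char *text;
} text_entry;

typedef struct {
    text_entry *entries;
    size_t num;       /* entries in use */
    size_t cap;       /* capacity the code believes it has */
    size_t real_cap;  /* capacity actually backed by memory (for the check) */
} text_store;

/* Fault-injectable allocator: lets a test make exactly one allocation fail. */
static int fail_next_alloc = 0;

static void *fallible_malloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Copies the entry strings; returns 0 on success, -1 (nothing leaked) on failure. */
static int copy_entry(text_entry *dst, const char *key, const char *txt)
{
    dst->key = dup_str(key);
    dst->text = dup_str(txt);
    if (dst->key == NULL || dst->text == NULL) {
        free(dst->key);
        free(dst->text);
        dst->key = dst->text = NULL;
        return -1;
    }
    return 0;
}

/* Shared growth step: returns the new block or NULL, leaving *s untouched. */
static text_entry *grow_block(const text_store *s, size_t new_cap)
{
    text_entry *grown = fallible_malloc(new_cap * sizeof *grown);
    if (grown != NULL && s->entries != NULL)
        memcpy(grown, s->entries, s->num * sizeof *grown);
    return grown;
}

/* FLAWED: cap is raised before the larger block exists. On allocation failure
 * the function returns an error, but cap now exceeds real_cap, so the next
 * append believes there is room and writes past the end of the old, smaller
 * block: a heap overflow triggered by an allocation failure. */
static int append_text_flawed(text_store *s, const char *key, const char *txt)
{
    if (s->num == s->cap) {
        size_t new_cap = s->cap ? s->cap * 2 : 4;
        s->cap = new_cap;                       /* bug: updated too early */
        text_entry *grown = grow_block(s, new_cap);
        if (grown == NULL)
            return -1;                          /* cap left inconsistent */
        free(s->entries);
        s->entries = grown;
        s->real_cap = new_cap;
    }
    if (copy_entry(&s->entries[s->num], key, txt) != 0)
        return -1;
    s->num++;
    return 0;
}

/* CHECKED: size arithmetic is verified, the new block is obtained first, and
 * the store's fields change only after every fallible step has succeeded. */
static int append_text_checked(text_store *s, const char *key, const char *txt)
{
    if (s->num == s->cap) {
        size_t new_cap = s->cap ? s->cap * 2 : 4;
        if (new_cap <= s->cap || new_cap > SIZE_MAX / sizeof(text_entry))
            return -1;                          /* size overflow */
        text_entry *grown = grow_block(s, new_cap);
        if (grown == NULL)
            return -1;                          /* store untouched */
        free(s->entries);
        s->entries = grown;
        s->cap = new_cap;
        s->real_cap = new_cap;
    }
    if (copy_entry(&s->entries[s->num], key, txt) != 0)
        return -1;
    s->num++;
    return 0;
}

/* Invariant to check after any error path: the capacity the code believes in
 * must never exceed the memory actually backing it. */
static int store_consistent(const text_store *s)
{
    return s->cap <= s->real_cap && s->num <= s->real_cap;
}

static void store_free(text_store *s)
{
    for (size_t i = 0; i < s->num; i++) {
        free(s->entries[i].key);
        free(s->entries[i].text);
    }
    free(s->entries);
    memset(s, 0, sizeof *s);
}

/* Fills the store to its first capacity (4), then makes the growth allocation
 * fail on the fifth append. Returns 1 if the store is still consistent. */
static int run_scenario(int use_checked)
{
    text_store s = {0};
    int (*append)(text_store *, const char *, const char *) =
        use_checked ? append_text_checked : append_text_flawed;
    /* constructed sample input */
    const char *keys[] = {"Title", "Author", "Software", "Comment"};
    for (int i = 0; i < 4; i++)
        append(&s, keys[i], "sample");
    fail_next_alloc = 1;                        /* next growth fails */
    int rc = append(&s, "Copyright", "sample");
    int ok = (rc == -1) && store_consistent(&s);
    store_free(&s);
    return ok;
}

int main(void)
{
    printf("flawed ordering leaves store consistent: %s\n", run_scenario(0) ? "yes" : "no");
    printf("checked ordering leaves store consistent: %s\n", run_scenario(1) ? "yes" : "no");
    return 0;
}
```

The fault-injecting allocator is what makes the error path testable at all; in a real reader the same check belongs in a unit test that forces the growth allocation to fail and then asserts the container's capacity/length invariant, which is exactly the condition the flawed ordering violates.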
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2012-06-22 11:07:28 UTC
This issue was resolved and addressed in
 GLSA 201206-15 at http://security.gentoo.org/glsa/glsa-201206-15.xml
by GLSA coordinator Sean Amoss (ackle).