676680 – (CVE-2019-6129) <media-libs/libpng-1.6.39: multiple vulnerabilities

Bug 676680 (CVE-2019-6129) - <media-libs/libpng-1.6.39: multiple vulnerabilities

Summary: <media-libs/libpng-1.6.39: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2019-6129

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:	888445
Blocks:
	Show dependency tree

Reported:	2019-01-29 01:32 UTC by psp
Modified:	2022-12-26 20:29 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description psp 2019-01-29 01:32:42 UTC

png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. 

Upstream:
https://github.com/glennrp/libpng/issues/269

Comment 1 Yury German Gentoo Infrastructure

2019-04-27 06:39:33 UTC

Maintainers please advise if this is fixed in the current stabilization: media-libs/libpng-1.6.37

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2019-04-27 11:59:52 UTC

This is an error in media-gfx/pngtools, not in media-libs/libpng.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2021-01-28 00:54:37 UTC

Disputed upstream and minor impact if any as noted by upstream devs.

Comment 4 Sam James archtester

2022-11-21 07:12:05 UTC

(In reply to Thomas Deutschmann (RETIRED) from comment #2)
> This is an error in media-gfx/pngtools, not in media-libs/libpng.

libpng has in its 1.6.39 release notes:
"""
Changes from version 1.6.38 to version 1.6.39
---------------------------------------------

 * Changed the error handler of oversized chunks (i.e. larger than
   PNG_USER_CHUNK_MALLOC_MAX) from png_chunk_error to png_benign_error.
 * Fixed a buffer overflow error in contrib/tools/pngfix.
 * Fixed a memory leak (CVE-2019-6129) in contrib/tools/pngcp.
 * Disabled the ARM Neon optimizations by default in the CMake file,
   following the default behavior of the configure script.
 * Allowed configure.ac to work with the trunk version of autoconf.
 * Removed the support for "install" targets from the legacy makefiles;
   removed the obsolete makefile.cegcc.
 * Cleaned up the code and updated the internal documentation.
"""

Commit: https://github.com/glennrp/libpng/commit/8a5732fcb30b8afc4d3c23144acf2b502bb80122.

Comment 5 Larry the Git Cow gentoo-dev

2022-11-21 08:14:31 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5a70f4df7b0f6d27095900c2fa9073d393bb88e

commit d5a70f4df7b0f6d27095900c2fa9073d393bb88e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-11-21 07:19:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-11-21 08:08:01 +0000

    media-libs/libpng: add 1.6.39
    
    Bug: https://bugs.gentoo.org/676680
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libpng/Manifest             |  1 +
 media-libs/libpng/libpng-1.6.39.ebuild | 51 ++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

Comment 6 John Helmert III archtester

2022-12-26 20:29:08 UTC

Multiple vulnerabilities due to the pngfix buffer overflow fix. That binary is installed in Gentoo, but I don't think it's worth a GLSA. So, all done.