Bug 13001

Summary: libpng new security issue CVE-2014-0333
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, marc.lattemann, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/590376/
Whiteboard: MGA4-32-OK MGA4-64-OK advisory
Source RPM: libpng-1.6.8-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-03-12 16:28:17 CET 
OpenSuSE has issued an advisory today (March 12):
http://lists.opensuse.org/opensuse-updates/2014-03/msg00029.html

Only libpng 1.6.x is affected, so Mageia 3 is not affected.

Patched packages uploaded for Mageia 4 and Cauldron.

Note to QA: there is information about reproducing the issue on the SuSE bug:
https://bugzilla.novell.com/show_bug.cgi?id=866298

Advisory:
========================

Updated libpng packages fix security vulnerability:

The png_push_read_chunk function in pngpread.c in the progressive decoder in
libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of
service (infinite loop and CPU consumption) via an IDAT chunk with a length of
zero (CVE-2014-0333).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0333
http://lists.opensuse.org/opensuse-updates/2014-03/msg00029.html
========================

Updated packages in core/updates_testing:
========================
libpng16_16-1.6.8-1.1.mga4
libpng-devel-1.6.8-1.1.mga4

from libpng-1.6.8-1.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-12 18:28:22 CET

URL: (none) => http://lwn.net/Vulnerabilities/590376/

Comment 1 Marc Lattemann 2014-03-12 23:56:11 CET 
thanks for the link, David.

bug could be reproduced after following https://bugzilla.novell.com/show_bug.cgi?id=866298#c8 (see also attachment at that bug-report)

prior update:
[marc@localhost Downloads]$ gcc -D LIBPNG16 -o progrpng progrpng.c -lpng16
[marc@localhost Downloads]# ./progrpng bug-866298_zero-idat.png 
Reading PNG File bug-866298_zero-idat.png
^C
[marc@localhost Downloads]$
leads to 100%CPU 

after update:
[marc@localhost Downloads]$ gcc -D LIBPNG16 -o progrpng progrpng.c -lpng16
[marc@localhost Downloads]$ ./progrpng bug-866298_zero-idat.png 
Reading PNG File bug-866298_zero-idat.png
libpng warning: IDAT: CRC error
error: Not enough compressed data
[marc@localhost Downloads]$

tested successfully for mga4 32bit

CC: (none) => marc.lattemann
Whiteboard: (none) => MGA4-32-OK

Comment 2 Marc Lattemann 2014-03-13 00:06:07 CET 
tested successfully for mga4 64bit as well.

After Advisory from Comment #0 is uploaded, it could be validated and pushed to core_updates.

Thanks

Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 3 Dave Hodgins 2014-03-13 21:01:08 CET 
Advisory added to svn. Validating the update.

Someone from the sysadmin team please push 13001.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Thomas Backlund 2014-03-15 17:36:23 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0131.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED