| Summary: | pngcrush new security issue CVE-2015-2158 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | fundawang, mageia, olchal, rverschelde, sysadmin-bugs, thierry.vignaud |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/636269/ | | |
| Whiteboard: | MGA4-64-OK MGA4-32-OK advisory | | |
| Source RPM: | pngcrush-1.7.73-3.mga5.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | PoC concerning pngcrush | | |

Description
David Walser
2015-03-02 00:34:43 CET
David Walser
2015-03-02 00:35:09 CET
CC: (none) => fundawang, mageia, thierry.vignaud

Update checked into Mageia 4 and Cauldron SVN. Freeze push requested.

Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated pngcrush package fixes security vulnerability:

pngcrush-1.7.84 fixes defects reported by Coverity-scan, so it should be more resistant to crashes due to malformed input files, such as the one presented in CVE-2015-2158.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2158
http://sourceforge.net/p/pmt/news/2015/02/pngcrush-1784-released/
http://openwall.com/lists/oss-security/2015/03/01/1
========================

Updated packages in core/updates_testing:
========================
pngcrush-1.7.84-1.mga4

from pngcrush-1.7.84-1.mga4.src.rpm

Version: Cauldron => 4

Created attachment 6021
PoC concerning pngcrush

Testing on Mageia 4x64 real hardware

Using PoC mentioned in http://openwall.com/lists/oss-security/2015/02/28/6 (see attachment)

From current package :
--------------------
pngcrush-1.7.66-2.mga4

Tested 2 commands :

    # pngcrush -reduce -brute test.png test_reduced.png
    # pngcrush -rem allb test.png test_rem.png

with a test.png

Both gave a warning :

    Warning: versions are different between png.h and png.c
    png.h version: 1.6.6
    png.c version: 1.6.16

But performed well.

Tested PoC :

    # pngcrush -fix -force test203 /dev/null
    (...)
    Reading 0000 chunk.
    width=0 height=0 ticksps=0 nomlayc=0 nomfram=0 nomplay=0 profile=0
    While measuring IDATs in test203 pngcrush caught libpng error:
    Read Error
    Recompressing test203
    Total length of data found in critical chunks = 0
    While measuring IDATs in /dev/null pngcrush caught libpng error:
    Read Error
    Recompressing /dev/null
    Total length of data found in critical chunks = 0
    CPU time decoding 0.000, encoding 0.000, other 0.000, total 0.000 seconds

Could not reproduce the segmentation fault.

To updated testing package :
--------------------------
pngcrush-1.7.84-1.mga4

    # pngcrush -reduce -brute test.png test_reduced.png
    # pngcrush -rem allb test.png test_rem.png

Went well and no more warning about different versions

PoC

    # pngcrush -fix -force test203 /dev/null
    Reading 0000 chunk.
    While measuring IDATs in test203 pngcrush caught libpng error:
    Read Error: invalid length requested
    Recompressing IDAT chunks in test203
    Total length of data found in critical chunks = 0
    While measuring IDATs in /dev/null pngcrush caught libpng error:
    Read Error: invalid length returned
    Recompressing IDAT chunks in /dev/null
    Total length of data found in critical chunks = 0
    CPU time decoding 0.000, encoding 0.000, other 0.000, total 0.000 sec.

No segmentation either.

OK

CC: (none) => olchal
olivier charles
2015-03-09 21:48:06 CET
Whiteboard: (none) => MGA4-64-OK

Thanks for the testcases. I did the same initial 2 tests and got the same performance and reduction % before and after the update. I also did the PoC tests, could not reproduce a segfault, and got the same output before and after the update as Olivier. Marking OK on Mageia 4 i586.

It's possible the segfault only happened in some versions between the version we had (1.7.66) and the updated version (1.7.84), but it's good to get the rest of the Coverity-scan fixes for other test cases that we don't have access to.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Advisory uploaded, validating. Please push to 4 core/updates.

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0101.html

Status: NEW => RESOLVED
David Walser
2015-03-11 19:19:19 CET
URL: (none) => http://lwn.net/Vulnerabilities/636269/