| Summary: | libpng, libpng12 new security issue CVE-2015-8472 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | brtians1, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/667312/ | | |
| Whiteboard: | has_procedure advisory MGA5-32-OK MGA5-64-OK | | |
| Source RPM: | libpng12-1.2.54-1.mga5.src.rpm, libpng-1.6.19-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2015-12-07 17:03:55 CET
These can be tested using xv (libpng12) and Firefox or GIMP (libpng).

Whiteboard: (none) => has_procedure

RedHat has issued an advisory for this today (December 9):
https://rhn.redhat.com/errata/RHSA-2015-2596.html

URL: (none) => http://lwn.net/Vulnerabilities/667312/

Another fix is upcoming in libpng12:
http://openwall.com/lists/oss-security/2015/12/10/7

libpng isn't affected, so feel free to proceed testing that one.

(In reply to David Walser from comment #3)
> Another fix is upcoming in libpng12:
> http://openwall.com/lists/oss-security/2015/12/10/7

This will be CVE-2015-8540:
http://openwall.com/lists/oss-security/2015/12/11/1

Hi David,

let me know when next fix is in, I'll try it.

Brian

CC: (none) => brtians1

In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
libpng12_0 libpng16_16

default install of libpng12_0 & libpng16_16

    [root@localhost wilcal]# urpmi libpng12_0
    Package libpng12_0-1.2.54-1.mga5.i586 is already installed
    [root@localhost wilcal]# urpmi libpng16_16
    Package libpng16_16-1.6.19-1.mga5.i586 is already installed
    [root@localhost wilcal]# urpmi xv
    Package xv-3.10a-15.mga5.nonfree.i586 is already installed
    [root@localhost wilcal]# urpmi gimp
    Package gimp-2.8.14-4.mga5.i586 is already installed

A png file created by a vlc video frame clip can be modified, and saved, by xv as a png file.
The same png file can be modified, and saved, by gimp, as a png file.

install libpng12_0 & libpng16_16 from updates_testing

    [root@localhost wilcal]# urpmi libpng12_0
    Package libpng12_0-1.2.55-1.mga5.i586 is already installed
    [root@localhost wilcal]# urpmi libpng16_16
    Package libpng16_16-1.6.20-1.mga5.i586 is already installed
    [root@localhost wilcal]# urpmi xv
    Package xv-3.10a-15.mga5.nonfree.i586 is already installed
    [root@localhost wilcal]# urpmi gimp
    Package gimp-2.8.14-4.mga5.i586 is already installed

A png file created by a vlc video frame clip can be modified, and saved, by xv as a png file.
The same png file can be modified, and saved, by gimp, as a png file.

CC: (none) => wilcal.int

In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
lib64png12_0 lib64png16_16

default install of lib64png12_0 & lib64png16_16

    [root@localhost wilcal]# urpmi lib64png12_0
    Package lib64png12_0-1.2.54-1.mga5.x86_64 is already installed
    [root@localhost wilcal]# urpmi lib64png16_16
    Package lib64png16_16-1.6.19-1.mga5.x86_64 is already installed
    [root@localhost wilcal]# urpmi xv
    Package xv-3.10a-15.mga5.nonfree.x86_64 is already installed
    [root@localhost wilcal]# urpmi gimp
    Package gimp-2.8.14-4.mga5.x86_64 is already installed

A png file created by a vlc video frame clip can be modified, and saved, by xv as a png file.
The same png file can be modified, and saved, by gimp, as a png file.

install lib64png12_0 & lib64png16_16 from updates_testing

    [root@localhost wilcal]# urpmi lib64png12_0
    Package lib64png12_0-1.2.55-1.mga5.x86_64 is already installed
    [root@localhost wilcal]# urpmi lib64png16_16
    Package lib64png16_16-1.6.20-1.mga5.x86_64 is already installed
    [root@localhost wilcal]# urpmi xv
    Package xv-3.10a-15.mga5.nonfree.x86_64 is already installed
    [root@localhost wilcal]# urpmi gimp
    Package gimp-2.8.14-4.mga5.x86_64 is already installed

A png file created by a vlc video frame clip can be modified, and saved, by xv as a png file.
The same png file can be modified, and saved, by gimp, as a png file.

William Kenney
2015-12-14 16:21:06 CET
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update

Yeah, go ahead with this update. The fix for CVE-2015-8540 still hasn't landed, so I'll file another bug for that.

Advisory uploaded.

Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0473.html

Status: NEW => RESOLVED