Bug 21963

Summary: libpng 1.6.34 bugfix update
Product: Mageia Reporter: Rémi Verschelde <rverschelde>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK MGA6-32-OK
Source RPM: libpng-1.6.29-1.mga6 CVE:
Status comment:

Description Rémi Verschelde 2017-10-29 17:47:00 CET 
Still need to check the changelogs and write an advisory, but there are various security-relevant points in libpng updates between our current 1.6.29 and the upstream 1.6.34.

RPMs in core/updates_testing:
=============================

libpng16_16-1.6.34-1.mga6
libpng-devel-1.6.34-1.mga6

SRPM in core/updates_testing:
=============================

libpng-1.6.34-1.mga6
Comment 1 Rémi Verschelde 2017-10-29 18:40:02 CET 
Actually not a security update, there was a security fix in 1.6.32 but for a bug introduced in 1.6.31, so our 1.6.29 was not affected.

Still, keeping this as a bugfix update.

QA Contact: security => (none)
Summary: libpng new security issues => libpng 1.6.34 bugfix update
Component: Security => RPM Packages

Comment 2 Len Lawrence 2017-10-30 20:42:28 CET 
Mageia 6 for x86_64

Used mana update for this and selected lib64png16_16, which pulled in the development package.
Lots of things use this including firefox, which I restarted.
$ urpmq --whatrequires lib64png16_16 | sort -u | wc -l
432
vlc for a start, probably for the interface icons.
$ strace vlc HowToBarterOnline_FrenchMaidTV.m4v 2> trace
$ cat trace | grep png
stat("/usr/lib64/vlc/plugins/codec/libpng_plugin.so", {st_mode=S_IFREG|0755, st_size=15528, ...}) = 0
open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3

emacs.  emacs is my preferred editor and is being used to prepare this report.

Used eom to display an image directory.
$ cat trace | grep png
open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libpng16.so.16.34.0", O_RDONLY) = 3
open("/usr/share/eom/pixmaps/thumbnail-frame.png", O_RDONLY) = 12
stat("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so", {st_mode=S_IFREG|0755, st_size=24368, ...}) = 0
open("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so", O_RDONLY|O_CLOEXEC) = 14
open("/usr/share/icons/mate/24x24/actions/go-previous.png", O_RDONLY) = 14

virtualbox needs it, imagemagick, graphicksmagic, blender and a number of games.
These tests should be enough to show that it works fine.

CC: (none) => tarazed25

Len Lawrence 2017-10-30 20:42:42 CET

Whiteboard: (none) => MGA6-64-OK

Comment 3 Len Lawrence 2017-10-30 23:46:30 CET 
Mageia 6 for i586 in virtualbox

Updated libpng and used a few dependent applications to test it.

Used imagemagick to convert a set of JPEGS to PNG format.
$ convert TheUninvited_*.jpg png:TheUninvited
$ file * | grep PNG
TheUninvited-0:          PNG image data, 600 x 402, 8-bit/color RGB, non-interlaced
...................
$ strace eom TheUninvited-2 2> trace
$ cat trace | grep png
open("/lib/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3
read(8, "png\");\n}\n\nscale.horizontal.marks"..., 8192) = 8192
open("/usr/share/eom/pixmaps/thumbnail-frame.png", O_RDONLY|O_LARGEFILE) = 12

Ran vlc without problems.  

Verified that the ImageMagick jpg -> png conversions involved libpng16.

Good for 32 bits.
Len Lawrence 2017-10-30 23:47:03 CET

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Comment 4 Lewis Smith 2017-11-02 09:45:14 CET 
Thanks Len for both tests.
Advisory made from comments 1-2. Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-11-02 22:48:00 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2017-0104.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 6 David Walser 2020-09-30 23:12:37 CEST 
This update fixed CVE-2017-12652:
https://access.redhat.com/errata/RHSA-2020:3901