Bug 23307

Summary: libpng, libpng12 new security issue CVE-2018-13785
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, herman.viaene, lewyssmith, marja11, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: libpng-1.6.34-1.mga7.src.rpm, libpng12-1.2.57-2.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-07-16 20:07:37 CEST 
Ubuntu has issued an advisory on July 11:
https://usn.ubuntu.com/3712-1/

The Ubuntu CVE page has a link to the upstream commit that fixed it:
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13785.html

According to their comments there, the issue was introduced some time after 1.6.20, so Mageia 5 and Mageia 6 may or may not be affected.
Comment 1 Marja Van Waes 2018-07-17 15:24:58 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => rverschelde

Comment 2 David Walser 2018-08-02 18:01:01 CEST 
According to the RedHat bug, older libpng branches are also affected:
https://bugzilla.redhat.com/show_bug.cgi?id=1599943

Source RPM: libpng-1.6.34-1.mga7.src.rpm => libpng-1.6.34-1.mga7.src.rpm, libpng12-1.2.57-2.mga6.src.rpm
Summary: libpng new security issue CVE-2018-13785 => libpng, libpng12 new security issue CVE-2018-13785

Comment 3 Rémi Verschelde 2018-11-22 20:04:35 CET 
Fixed in Cauldron as David Geiger updated to 1.6.35 a month ago. I'll do the update for Mageia 6.

Version: Cauldron => 6

Comment 4 Rémi Verschelde 2018-11-22 20:05:51 CET 
Ah I missed that libpng12 may be affected too.

Whiteboard: (none) => MGA6TOO
Version: 6 => Cauldron

Comment 5 Rémi Verschelde 2018-11-22 20:24:35 CET 
Fixed in Cauldron with libpng-1.6.35-1.mga7 and libpng12-1.2.59-1.mga7.

Pushing same packages for Mageia 6.

Advisory:
=========

Updated libpng and libpng12 packages fix security vulnerability

  In libpng until version 1.6.35, a wrong calculation of row_factor in the
  png_check_chunk_length function (pngrutil.c) may trigger an integer
  overflow and resultant divide-by-zero while processing a crafted PNG file,
  leading to a denial of service. (CVE-2018-13785)

  This update fixes it, also providing the current maintenance releases in the
  1.2 and 1.6 stable branches.

References:
 - https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-13785.html

SRPMs in core/updates_testing:
==============================

libpng-1.6.35-1.mga6
libpng12-1.2.59-1.mga6

RPMs in core/updates_testing:
=============================

lib(64)png16_16-1.6.35-1.mga6
lib(64)png-devel-1.6.35-1.mga6

lib(64)png12_0-1.2.59-1.mga6
lib(64)png12-devel-1.2.59-1.mga6

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: rverschelde => qa-bugs

Comment 6 Herman Viaene 2018-11-23 16:26:45 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to  bug 20048 for tests:
Opened jpg file with GIMP, exported to png, closed GIMP and viewed png file witg eom: OK
Installed xv and pngtools as testing tools.
$ convert 34815267.png 34815267.pcx
Opened pcx file with LibreOffice Draw: looks OK.
$ convert dsc00107.jpg dsc00107.png
Opened png file with eom: OK.
$ pnginfo dsc00107.png 
dsc00107.png...
  Image Width: 3072 Image Length: 2304
  Bitdepth (Bits/Sample): 8
  Channels (Samples/Pixel): 3
  Pixel depth (Pixel Depth): 24
  Colour Type (Photometric Interpretation): RGB 
  Image filter: Single row per byte filter 
  Interlacing: No interlacing 
  Compression Scheme: Deflate method 8, 32k window
  Resolution: 2834, 2834 (pixels per meter)
  FillOrder: msb-to-lsb
  Byte Order: Network (Big Endian)
  Number of text strings: 0 of 0
$ pngcp dsc00107.png ~/tmp/copy1.png
Copy looks OK in eom
$ xv dsc00107.png
The large image displayed fine, and supported various re-sizings.

Good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 7 Thomas Andrews 2018-11-23 17:17:53 CET 
Both arches are installed on my 64-bit Plasma system. I am assuming the 32-bit packages are installed due to the presence of an old 32-bit Google Earth, even though it is not on either list that "urpmq --whatrequires" produces.

Packages installed cleanly. Used The Gimp to view some png images that I had saved several years ago. All looked good. Same with several images in Libreoffice Draw. 

Looks good for 64-bit, too. Validating. Advisory in Comment 5.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Lewis Smith 2018-11-27 10:05:40 CET

CC: (none) => lewyssmith
Keywords: (none) => advisory

Comment 8 Mageia Robot 2018-11-27 16:27:11 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0468.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED