Bug 28331

Summary: pngcheck new security issues rhbz#1907428 and rhbz#1908559
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, mageia, mageia, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA8-64-OK MGA7-64-OK
Source RPM: pngcheck-3.0.0-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-02-09 15:50:35 CET 
Fedora has issued an advisory today (February 9):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XTD56567QSWLCTKBJNTCF6HB5GLJZCHX/

Mageia 7 is also affected.
David Walser 2021-02-09 15:50:51 CET

Status comment: (none) => Patches available from Fedora
Whiteboard: (none) => MGA7TOO

David Walser 2021-02-10 16:37:27 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

Comment 1 Aurelien Oudelet 2021-02-10 17:14:01 CET 
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => zen25000
CC: (none) => ouaurelien

Comment 2 Barry Jackson 2021-02-10 22:46:05 CET 
pngcheck-3.0.2-1.mga8 has peen pushed to 8/core/updates_testing

#####################
Advisory

This update fixes a buffer-overrun bug related to the MNG LOOP chunk
(which gets noticed even in PNG files if the -s option is used).
This bug is fixed in version 3.0.2, released on 31 January 2021.

#####################
References

Fedora issued an advisory on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XTD56567QSWLCTKBJNTCF6HB5GLJZCHX/

####################
Files affected

pngcheck-3.0.2-1.mga8.i586
pngcheck-debuginfo-3.0.2-1.mga8.i586
pngcheck-debugsource-3.0.2-1.mga8.i586

pngcheck-3.0.2-1.mga8.x86_64
pngcheck-debuginfo-3.0.2-1.mga8.x86_64
pngcheck-debugsource-3.0.2-1.mga8.x86_64

Provided by:

pngcheck-3.0.2-1.mga8.src.rpm


####################
Testing

A set of good and faulty .png files are available here:

http://www.schaik.com/pngsuite/PngSuite-2017jul19.tgz
(Extract to a new folder there are a lot!)
Comment 3 Barry Jackson 2021-02-10 22:47:57 CET 
pngcheck-3.0.2-1.mga7 has peen pushed to 7/core/updates_testing

#####################
Advisory

This update fixes a buffer-overrun bug related to the MNG LOOP chunk
(which gets noticed even in PNG files if the -s option is used).
This bug is fixed in version 3.0.2, released on 31 January 2021.

#####################
References

Fedora issued an advisory on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XTD56567QSWLCTKBJNTCF6HB5GLJZCHX/

####################
Files affected

pngcheck-3.0.2-1.mga7.i586
pngcheck-debuginfo-3.0.2-1.mga7.i586
pngcheck-debugsource-3.0.2-1.mga7.i586

pngcheck-3.0.2-1.mga7.x86_64
pngcheck-debuginfo-3.0.2-1.mga7.x86_64
pngcheck-debugsource-3.0.2-1.mga7.x86_64

Provided by:

pngcheck-3.0.2-1.mga7.src.rpm


####################
Testing

A set of good and faulty .png files are available here:

http://www.schaik.com/pngsuite/PngSuite-2017jul19.tgz
(Extract to a new folder there are a lot!)
Barry Jackson 2021-02-10 22:50:34 CET

Assignee: zen25000 => qa-bugs

Comment 4 David Walser 2021-02-10 22:53:45 CET 
Unless you can convince someone to push this into mga8 core/release, it'll have to wait until we've branched.

Status comment: Patches available from Fedora => Patched in SVN
Assignee: qa-bugs => zen25000

Comment 5 Nicolas Lécureuil 2021-02-27 01:27:44 CET 
pushed in mga8

src:
    pngcheck-3.0.2-1.mga8

CC: (none) => mageia
Assignee: zen25000 => qa-bugs

David Walser 2021-02-27 01:48:12 CET

Status comment: Patched in SVN => (none)
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8

Comment 6 Brian Rockwell 2021-03-04 15:50:32 CET 
MGA8 

The following package is going to be installed:

- pngcheck-3.0.2-1.mga8.x86_64


---

$ pngcheck -t dolley.png

$ pngcheck -v dolley.png


no errors - still working

CC: (none) => brtians1
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Comment 7 PC LX 2021-03-05 11:38:13 CET 
Installed and tested without issues.


Tested using find on many png files. No issues noticed.
$ find ~/ -ipath '*.png' -exec pngcheck -cq '{}' '+'


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.10.19-desktop-1.mga7 #1 SMP Fri Feb 26 23:48:09 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q pngcheck 
pngcheck-3.0.2-1.mga7

CC: (none) => mageia
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK

Comment 8 Aurelien Oudelet 2021-03-05 14:05:45 CET 
Validating.
Advisory pushed to SVN.

Advisory:
========================

Updated pngcheck packages fix security vulnerabilities 

This update fixes a buffer-overrun bug related to the MNG LOOP chunk
(which gets noticed even in PNG files if the -s option is used).

It also fixes a buffer overrun for certain invalid MNG PPLT chunk contents.

References
- https://bugs.mageia.org/show_bug.cgi?id=28331
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XTD56567QSWLCTKBJNTCF6HB5GLJZCHX
========================

Updated packages in core/updates_testing:
========================
pngcheck-3.0.2-1.mga7
pngcheck-debuginfo-3.0.2-1.mga7
pngcheck-debugsource-3.0.2-1.mga7

pngcheck-3.0.2-1.mga8
pngcheck-debuginfo-3.0.2-1.mga8
pngcheck-debugsource-3.0.2-1.mga8

from SRPMS
pngcheck-3.0.2-1.mga7.src.rpm
pngcheck-3.0.2-1.mga8.src.rpm

Keywords: Triaged => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2021-03-05 17:17:46 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0115.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED