Bug 3264

Summary: Updated libpng package to fix several CVE issues
Product: Mageia Reporter: Funda Wang <fundawang>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: libpng-1.2.46-1.mga1 CVE:
Status comment:

Description Funda Wang 2011-11-04 14:16:36 CET 
Some vulnerabilities were discovered and corrected in libpng:

* All released versions of libpng (from 1.0 onward) have a buffer overrun in the code that promotes palette images with transparency (1 channel) to grayscale+alpha images (2 channels), but only for applications that call png_rgb_to_gray() and not png_set_expand(). (None are known.) An arbitrary amount of memory may be overwritten in this case, with arbitrary (attacker-controlled) data. This vulnerability has been assigned ID CVE-2011-2690. 

* libpng 1.2.20 and later crashes in png_default_error() due to internal use of a NULL pointer instead of the empty string (""). This vulnerability has been assigned ID CVE-2011-2691. 

* Many (most?) versions of libpng read uninitialized memory when handling empty sCAL chunks, and they handle malformed sCAL chunks (those lacking a delimiting NULL between the internal strings) incorrectly. This vulnerability has been assigned ID CVE-2011-2692.

The updated packages have been updated to latest stable version to correct these
issues, plus other bug fixes.
Comment 1 Funda Wang 2011-11-04 14:17:48 CET 
@distrib-admins, the reason I updated the version rather using CVE patches, is that most other distros are upgrading rather patches for these issues.
Comment 2 Manuel Hiebel 2011-11-04 16:15:21 CET 
Hello, duplicate of bug 3263 no ? :)
Comment 3 Funda Wang 2011-11-04 16:49:00 CET 
*** Bug 3263 has been marked as a duplicate of this bug. ***
Comment 4 Dave Hodgins 2011-11-05 20:56:42 CET 
Testing complete on i586 for the srpm
libpng-1.2.46-1.mga1.src.rpm

No POC, so just confirming xv *.png works.

CC: (none) => davidwhodgins

Comment 5 claire robinson 2011-11-07 12:01:41 CET 
Tested OK x86_64

Advisory
-----------------
Some vulnerabilities were discovered and corrected in libpng:

* All released versions of libpng (from 1.0 onward) have a buffer overrun in
the code that promotes palette images with transparency (1 channel) to
grayscale+alpha images (2 channels), but only for applications that call
png_rgb_to_gray() and not png_set_expand(). (None are known.) An arbitrary
amount of memory may be overwritten in this case, with arbitrary
(attacker-controlled) data. This vulnerability has been assigned ID
CVE-2011-2690. 

* libpng 1.2.20 and later crashes in png_default_error() due to internal use of
a NULL pointer instead of the empty string (""). This vulnerability has been
assigned ID CVE-2011-2691. 

* Many (most?) versions of libpng read uninitialized memory when handling empty
sCAL chunks, and they handle malformed sCAL chunks (those lacking a delimiting
NULL between the internal strings) incorrectly. This vulnerability has been
assigned ID CVE-2011-2692.

The updated packages have been updated to latest stable version to correct
these issues, plus other bug fixes.
-------------------

SRPM: libpng-1.2.46-1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2011-11-07 18:21:50 CET 
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED