Bug 5169

Summary: libpng new security issue CVE-2011-3048
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, derekjenn, fundawang, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://www.libpng.org/pub/png/libpng.html
Whiteboard:
Source RPM: libpng-devel CVE:
Status comment:

Description David Walser 2012-03-30 04:18:07 CEST 
New versions of libpng have been released to fix this, 1.5.10 and 1.2.49.

Updates are needed for Mageia 1 and Cauldron.
David Walser 2012-03-30 04:18:20 CEST

CC: (none) => fundawang

Remco Rijnders 2012-03-30 06:53:36 CEST

Assignee: bugsquad => fundawang
Source RPM: libpng-1.2.48-1.mga1.src.rpm => libpng-devel

Comment 1 David Walser 2012-04-01 20:50:22 CEST 
Funda Wang has built an update for Mageia 1.  Cauldron has not been updated yet.

Advisory:
========================

Updated libpng packages fix security vulnerability:

libpng versions prior to 1.5.10, 1.4.11, 1.2.49, and 1.0.59
fail to correctly handle malloc() failure for text chunks
(in png_set_text_2()), which can lead to memory corruption and
the possibility of execution of hostile code (CVE-2011-3048).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048
http://www.libpng.org/pub/png/libpng.html
========================

Updated packages in core/updates_testing:
========================
libpng-devel-1.2.49-1.mga1
libpng-source-1.2.49-1.mga1
libpng-static-devel-1.2.49-1.mga1
libpng3-1.2.49-1.mga1

from libpng-1.2.49-1.mga1.src.rpm
Comment 2 Dave Hodgins 2012-04-01 22:04:55 CEST 
Testing complete on i586 for the srpm
libpng-1.2.49-1.mga1.src.rpm

Testing use xv to view a png file.

CC: (none) => davidwhodgins

David Walser 2012-04-02 18:08:03 CEST

Blocks: (none) => 5046

David Walser 2012-04-03 19:58:45 CEST

Blocks: 5046 => (none)

David Walser 2012-04-03 19:59:10 CEST

Assignee: fundawang => qa-bugs

Comment 3 Dave Hodgins 2012-04-06 05:12:32 CEST 
Ping.  We still need x86-64 testing for this security update.
Comment 4 Derek Jennings 2012-04-06 10:31:08 CEST 
Testing complete on x86_64
Update Validated

Advisory:
========================

Updated libpng packages fix security vulnerability:

libpng versions prior to 1.5.10, 1.4.11, 1.2.49, and 1.0.59
fail to correctly handle malloc() failure for text chunks
(in png_set_text_2()), which can lead to memory corruption and
the possibility of execution of hostile code (CVE-2011-3048).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048
http://www.libpng.org/pub/png/libpng.html



Could someone from sysadmin please push libpng-1.2.49-1.mga1.src.rpm  from core/updates_testing to core/updates

Keywords: (none) => validated_update
CC: (none) => derekjenn, sysadmin-bugs

Comment 5 Thomas Backlund 2012-04-08 14:07:27 CEST 
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED