Bug 6765

Summary: remove package in Update testing: libpng[,12]
Product: Mageia Reporter: Funda Wang <fundawang>
Component: RPM PackagesAssignee: Sysadmin Team <sysadmin-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: luigiwalser, pmdenielou, qa-bugs, stblack, tmb
Version: 2   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386
Whiteboard: MGA1TOO, MGA2-64-OK
Source RPM: libpng-1.5.12-1.mga2, libpng12-1.2.50-1.mga2, libpng-1.2.50-1.mga1 CVE:
Status comment:

Description Funda Wang 2012-07-12 12:57:23 CEST 
Various versions of libpng through 1.5.11, 1.4.11, 1.2.49, and 1.0.59, respectively, set the top-level archive-extraction directory's permissions to be world-writable as part of the distcheck Makefile target's operations (configure-generated Makefile only). This could allow a local attacker on the build host to silently replace the extracted libpng library with a malicious version, conceivably poisoning an official binary distribution of libpng (though the likelihood of this is remote). This vulnerability has been assigned ID CVE-2012-3386 and is fixed in version 1.5.12 (and versions 1.4.12, 1.2.50, and 1.0.60, respectively, on the older branches), released 10 July 2012.

The packages in Mageia 1, Mageia 2 has been updated to fix above problem.

Mageia 1: libpng-1.2.50-1.mga1
Mageia 2: libpng-1.5.12-1.mga2, libpng12-1.2.50-1.mga2
Funda Wang 2012-07-12 12:57:58 CEST

Whiteboard: (none) => MGA1TOO

Comment 1 David Walser 2012-07-12 14:17:01 CEST 
I'm all for doing security updates obviously, but is this update really needed?

CVE-2012-3386 doesn't affect users of libpng, only people building it, and it actually affects almost every package in the distribution (and we're obviously not issuing updates for everything).  Also, if we issue the update for automake (Bug 6749), anyone that wants to build libpng or anything else locally can avoid the vulnerability by regenerating Makefile.in with automake.

CC: (none) => luigiwalser

Comment 2 claire robinson 2012-07-12 18:10:36 CEST 
# urpmq -a lib64png
lib64png-devel
lib64png12-devel
lib64png12_0
lib64png15_15
lib64pnglite-devel
lib64pnglite0

Which of these have been updated please?
Comment 3 claire robinson 2012-07-12 18:20:58 CEST 
looking at the changelog ML I think it's all of them apart from the pnglite ones

libpng and libpng12 appear to have been updated.

# urpmf --sourcerpm --media Release libpng
lib64png-devel:libpng-1.5.10-1.mga2.src.rpm
lib64png15_15:libpng-1.5.10-1.mga2.src.rpm
lib64png12_0:libpng12-1.2.49-1.mga2.src.rpm
lib64png12-devel:libpng12-1.2.49-1.mga2.src.rpm
libpng-debug:libpng-1.5.10-1.mga2.src.rpm
libpng12-debug:libpng12-1.2.49-1.mga2.src.rpm
libpnglite0:pnglite-0.1.17-2.mga2.src.rpm
libpnglite-devel:pnglite-0.1.17-2.mga2.src.rpm
libpng-devel:libpng-1.5.10-1.mga2.src.rpm
libpng15_15:libpng-1.5.10-1.mga2.src.rpm
libpng12-devel:libpng12-1.2.49-1.mga2.src.rpm
libpng12_0:libpng12-1.2.49-1.mga2.src.rpm
libpng-debug:libpng-1.5.10-1.mga2.src.rpm
libpng12-debug:libpng12-1.2.49-1.mga2.src.rpm
Comment 4 Stefano Negro 2012-07-12 19:40:55 CEST 
tested lib64png12 with xv(open image) and lib64png15 with qrencoder(produce che qr code in png).
Test ok.

Stblack

CC: (none) => stblack
Whiteboard: MGA1TOO => MGA1TOO, MGA2-64-OK

Comment 5 Malo DeniƩlou 2012-07-13 14:31:33 CEST 
I agree with David here. This security problem does not affect Mageia. No update needed.

CC: (none) => malo

Comment 6 claire robinson 2012-07-13 14:50:08 CEST 
Thankyou both.

Assigning Funda, could you please remove the updates from Testing if you agree and close the bug.

Thanks.

CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang

Comment 7 Manuel Hiebel 2012-09-25 23:17:39 CEST 
(In reply to comment #6)
> Thankyou both.
> 
> Assigning Funda, could you please remove the updates from Testing if you agree
> and close the bug.
> 
> Thanks.

reassign to sysadmin then

(In reply to comment #0)
> Mageia 1: libpng-1.2.50-1.mga1
> Mageia 2: libpng-1.5.12-1.mga2, libpng12-1.2.50-1.mga2

Component: Security => RPM Packages
Assignee: fundawang => sysadmin-bugs
Summary: [Update Request] Update libpng[,12] to fix CVE-2012-3386 => remove package in Update testing: libpng[,12]

Comment 8 Thomas Backlund 2012-10-20 18:47:30 CEST 
Removed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED