Bug 13001 - libpng new security issue CVE-2014-0333
: libpng new security issue CVE-2014-0333
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/590376/
: MGA4-32-OK MGA4-64-OK advisory
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-03-12 16:28 CET by David Walser
Modified: 2014-03-15 17:36 CET (History)
4 users (show)

See Also:
Source RPM: libpng-1.6.8-1.mga4.src.rpm
CVE:


Attachments

Description David Walser 2014-03-12 16:28:17 CET
OpenSuSE has issued an advisory today (March 12):
http://lists.opensuse.org/opensuse-updates/2014-03/msg00029.html

Only libpng 1.6.x is affected, so Mageia 3 is not affected.

Patched packages uploaded for Mageia 4 and Cauldron.

Note to QA: there is information about reproducing the issue on the SuSE bug:
https://bugzilla.novell.com/show_bug.cgi?id=866298

Advisory:
========================

Updated libpng packages fix security vulnerability:

The png_push_read_chunk function in pngpread.c in the progressive decoder in
libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of
service (infinite loop and CPU consumption) via an IDAT chunk with a length of
zero (CVE-2014-0333).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0333
http://lists.opensuse.org/opensuse-updates/2014-03/msg00029.html
========================

Updated packages in core/updates_testing:
========================
libpng16_16-1.6.8-1.1.mga4
libpng-devel-1.6.8-1.1.mga4

from libpng-1.6.8-1.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Marc Lattemann 2014-03-12 23:56:11 CET
thanks for the link, David.

bug could be reproduced after following https://bugzilla.novell.com/show_bug.cgi?id=866298#c8 (see also attachment at that bug-report)

prior update:
[marc@localhost Downloads]$ gcc -D LIBPNG16 -o progrpng progrpng.c -lpng16
[marc@localhost Downloads]# ./progrpng bug-866298_zero-idat.png 
Reading PNG File bug-866298_zero-idat.png
^C
[marc@localhost Downloads]$
leads to 100%CPU 

after update:
[marc@localhost Downloads]$ gcc -D LIBPNG16 -o progrpng progrpng.c -lpng16
[marc@localhost Downloads]$ ./progrpng bug-866298_zero-idat.png 
Reading PNG File bug-866298_zero-idat.png
libpng warning: IDAT: CRC error
error: Not enough compressed data
[marc@localhost Downloads]$

tested successfully for mga4 32bit
Comment 2 Marc Lattemann 2014-03-13 00:06:07 CET
tested successfully for mga4 64bit as well.

After Advisory from Comment #0 is uploaded, it could be validated and pushed to core_updates.

Thanks
Comment 3 Dave Hodgins 2014-03-13 21:01:08 CET
Advisory added to svn. Validating the update.

Someone from the sysadmin team please push 13001.adv to updates.
Comment 4 Thomas Backlund 2014-03-15 17:36:23 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0131.html

Note You need to log in before you can comment on or make changes to this bug.