Bug 13185 - libpng (1.2.x, 1.5.x) new security issues CVE-2013-7353 and CVE-2013-7354
Summary: libpng (1.2.x, 1.5.x) new security issues CVE-2013-7353 and CVE-2013-7354
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/597180/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Reported: 2014-04-10 16:49 CEST by David Walser
Modified: 2014-05-10 21:53 CEST

Source RPM: libpng-1.5.13-2.1.mga3.src.rpm

Description David Walser 2014-04-10 16:49:04 CEST
Two security issues fixed last year in libpng 1.5.14 have received CVEs:
http://openwall.com/lists/oss-security/2014/04/10/10

It sounds like they are very minor issues, so an update at this time is probably not necessary.  No patches are linked, but as libpng15 is at 1.5.18 now and 1.5.19 is in beta, the next time we ship an update for this package, we should just update it to the newest version (we currently have 1.5.13).  Only libpng (1.5) in Mageia 3 is affected, as the issue was fixed in 1.6.0.

Comment 1 David Walser 2014-05-02 18:13:19 CEST
Apparently libpng 1.2.x is also affected.

OpenSuSE has issued an advisory for this today (May 2):
http://lists.opensuse.org/opensuse-updates/2014-05/msg00015.html

URL: (none) => http://lwn.net/Vulnerabilities/597180/
Summary: libpng (1.5.x) new security issues CVE-2013-7353 and CVE-2013-7354 => libpng (1.2.x, 1.5.x) new security issues CVE-2013-7353 and CVE-2013-7354

Comment 2 David Walser 2014-05-07 21:23:59 CEST
Another OpenSuSE advisory for 1.2.x from today (May 7):
http://lists.opensuse.org/opensuse-updates/2014-05/msg00026.html

And one for 1.5.x:
http://lists.opensuse.org/opensuse-updates/2014-05/msg00024.html

Comment 3 Oden Eriksson 2014-05-08 11:06:27 CEST
Fixed with libpng12-1.2.50-3.2.mga3, libpng12-1.2.50-4.2.mga4 & libpng12-1.2.51-2.mga5.

Fixed with libpng-1.5.13-2.2.mga3.

CC: (none) => oe

Comment 4 David Walser 2014-05-08 14:48:49 CEST
Thanks Oden!

Advisory (Mageia 3):
========================

Updated libpng12 and libpng packages fix security vulnerabilities:

An integer overflow leading to a heap-based buffer overflow was found in the
png_set_sPLT() and png_set_text_2() API functions of libpng. An attacker could
create a specially-crafted image file that, when rendered with an application
written to explicitly call the png_set_sPLT() or png_set_text_2() function,
could cause libpng to crash or execute arbitrary code with the permissions of
the user running such an application (CVE-2013-7353).

An integer overflow leading to a heap-based buffer overflow was found in the
png_set_unknown_chunks() API function of libpng. An attacker could create a
specially-crafted image file that, when rendered with an application written
to explicitly call the png_set_unknown_chunks() function, could cause libpng
to crash or execute arbitrary code with the permissions of the user running
such an application (CVE-2013-7354).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7354
http://lists.opensuse.org/opensuse-updates/2014-05/msg00026.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00024.html
========================

Updated packages in core/updates_testing:
========================
libpng12_0-1.2.50-3.2.mga3
libpng12-devel-1.2.50-3.2.mga3
libpng15_15-1.5.13-2.2.mga3
libpng-devel-1.5.13-2.2.mga3

from SRPMS:
libpng12-1.2.50-3.2.mga3.src.rpm
libpng-1.5.13-2.2.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated libpng12 packages fix security vulnerabilities:

An integer overflow leading to a heap-based buffer overflow was found in the
png_set_sPLT() and png_set_text_2() API functions of libpng. An attacker could
create a specially-crafted image file that, when rendered with an application
written to explicitly call the png_set_sPLT() or png_set_text_2() function,
could cause libpng to crash or execute arbitrary code with the permissions of
the user running such an application (CVE-2013-7353).

An integer overflow leading to a heap-based buffer overflow was found in the
png_set_unknown_chunks() API function of libpng. An attacker could create a
specially-crafted image file that, when rendered with an application written
to explicitly call the png_set_unknown_chunks() function, could cause libpng
to crash or execute arbitrary code with the permissions of the user running
such an application (CVE-2013-7354).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7354
http://lists.opensuse.org/opensuse-updates/2014-05/msg00026.html
========================

Updated packages in core/updates_testing:
========================
libpng12_0-1.2.50-4.2.mga4
libpng12-devel-1.2.50-4.2.mga4

from libpng12-1.2.50-4.2.mga4.src.rpm

Version: 3 => 4
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA3TOO
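
Added example, not part of the original bug report and not libpng's code: the bug class the advisories above name (an integer overflow in a size computation that leads to an undersized heap buffer), shown next to a checked version. The types `entry_t` and `entry_list` and all function names are hypothetical, chosen only for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record and list types; illustrative only, not libpng's. */
typedef struct { char name[8]; uint32_t value; } entry_t;
typedef struct { entry_t *items; size_t count; } entry_list;

/* Vulnerable pattern: the byte count silently wraps for a large 'add'. */
size_t unchecked_bytes(size_t old_count, size_t add)
{
    return (old_count + add) * sizeof(entry_t);
}

/* Hardened: 0 and *out set on success, -1 if the sum or product would wrap. */
int checked_bytes(size_t old_count, size_t add, size_t *out)
{
    if (add > SIZE_MAX - old_count ||
        old_count + add > SIZE_MAX / sizeof(entry_t))
        return -1;
    *out = (old_count + add) * sizeof(entry_t);
    return 0;
}

/* Append 'add' entries; on any failure the list is left unchanged. */
int append_entries(entry_list *list, const entry_t *src, size_t add)
{
    size_t bytes;
    if (add == 0)
        return 0;
    if (src == NULL || checked_bytes(list->count, add, &bytes) != 0)
        return -1;
    entry_t *grown = realloc(list->items, bytes);
    if (grown == NULL)
        return -1;
    memcpy(grown + list->count, src, add * sizeof(entry_t));
    list->items = grown;
    list->count += add;
    return 0;
}

int main(void)
{
    size_t huge = SIZE_MAX / sizeof(entry_t) + 1; /* constructed count */
    printf("unchecked request: %zu bytes\n", unchecked_bytes(1, huge));
    return 0;
}
```

With the unchecked computation, a caller-supplied count near `SIZE_MAX / sizeof(entry_t)` yields an allocation of only a few bytes while the copy loop still believes it has room for every entry; the checked version rejects the request before allocating.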

Comment 5 claire robinson 2014-05-08 14:52:44 CEST
Easy one to test: https://bugs.mageia.org/show_bug.cgi?id=12747#c1

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 6 claire robinson 2014-05-10 09:28:53 CEST
Testing complete mga3 32 & 64 and mga4 32 & 64


Testing mga4 - display png images in xv (i.e. xv filename.png)

Testing mga3 -
libpng15_15 - display png images using imagemagick (i.e. 'display filename.png')
libpng12_0 - display images using xv (i.e. xv filename.png)

Both can be found by using urpmq --whatrequires lib(64)12_0 or 15_15 to show packages which use the libraries.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 7 claire robinson 2014-05-10 09:36:38 CEST
Validating. Separate advisories uploaded for mga3 and mga4.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2014-05-10 21:53:13 CEST
Mga3 update pushed:
http://advisories.mageia.org/MGASA-2014-0210.html

Mga4 update pushed:
http://advisories.mageia.org/MGASA-2014-0211.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

