A CVE has been assigned for a security issue fixed upstream in 1.6.16: http://openwall.com/lists/oss-security/2015/01/04/3 Updated packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated libpng packages fix security vulnerability: libpng versions 1.6.9 through 1.6.15 have an integer-overflow vulnerability in png_combine_row() when decoding very wide interlaced images, which can allow an attacker to overwrite an arbitrary amount of memory with arbitrary (attacker-controlled) data (CVE-2014-9495). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9495 http://www.libpng.org/pub/png/libpng.html ======================== Updated packages in core/updates_testing: ======================== libpng16_16-1.6.16-1.mga4 libpng-devel-1.6.16-1.mga4 from libpng-1.6.16-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Severity: normal => major
MGA4-64 on HP Probook 6555b KDE No installation issues. Checked : gimp shows to be dependent. Opened png file in Gimp, rotated it and exported again: all OK.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA4-64-OK
MGA4-32 on AcerD620 Xfce.No installation issues. Checked : gimp shows to be dependent. Opened png file in Gimp, rotated it and exported again: all OK.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded. Please push to 4 updates Thanks
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OKKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0008.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/628701/
This update also fixed CVE-2015-0973. See this for more info: http://openwall.com/lists/oss-security/2015/01/10/3
LWN reference for CVE-2015-0973: http://lwn.net/Vulnerabilities/630071/