A CVE has been assigned for a security issue fixed upstream in 1.7.84:
http://openwall.com/lists/oss-security/2015/03/01/1

Assuming older versions are affected, Mageia 4 and Mageia 5 would be affected.
CC: (none) => fundawang, mageia, thierry.vignaud
Whiteboard: (none) => MGA5TOO, MGA4TOO
Update checked into Mageia 4 and Cauldron SVN. Freeze push requested.
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated pngcrush package fixes security vulnerability:

pngcrush-1.7.84 fixes defects reported by Coverity-scan, so it should be more resistant to crashes due to malformed input files, such as the one presented in CVE-2015-2158.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2158
http://sourceforge.net/p/pmt/news/2015/02/pngcrush-1784-released/
http://openwall.com/lists/oss-security/2015/03/01/1
========================

Updated packages in core/updates_testing:
========================
pngcrush-1.7.84-1.mga4

from pngcrush-1.7.84-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Created attachment 6021 [details]
PoC concerning pngcrush

Testing on Mageia 4 x64 real hardware

Using PoC mentioned in http://openwall.com/lists/oss-security/2015/02/28/6 (see attachment)

From current package:
--------------------
pngcrush-1.7.66-2.mga4

Tested 2 commands:
# pngcrush -reduce -brute test.png test_reduced.png
# pngcrush -rem allb test.png test_rem.png
with a test.png

Both gave a warning:
Warning: versions are different between png.h and png.c
  png.h version: 1.6.6
  png.c version: 1.6.16
But performed well.

Tested PoC:
# pngcrush -fix -force test203 /dev/null
(...)
Reading 0000 chunk.
width=0 height=0 ticksps=0 nomlayc=0 nomfram=0 nomplay=0 profile=0
While measuring IDATs in test203
pngcrush caught libpng error:
   Read Error
Recompressing test203
Total length of data found in critical chunks = 0
While measuring IDATs in /dev/null
pngcrush caught libpng error:
   Read Error
Recompressing /dev/null
Total length of data found in critical chunks = 0
CPU time decoding 0.000, encoding 0.000, other 0.000, total 0.000 seconds

Could not reproduce the segmentation fault.

To updated testing package:
--------------------------
pngcrush-1.7.84-1.mga4

# pngcrush -reduce -brute test.png test_reduced.png
# pngcrush -rem allb test.png test_rem.png
Went well and no more warning about different versions

PoC
# pngcrush -fix -force test203 /dev/null
Reading 0000 chunk.
While measuring IDATs in test203
pngcrush caught libpng error:
   Read Error: invalid length requested
Recompressing IDAT chunks in test203
Total length of data found in critical chunks = 0
While measuring IDATs in /dev/null
pngcrush caught libpng error:
   Read Error: invalid length returned
Recompressing IDAT chunks in /dev/null
Total length of data found in critical chunks = 0
CPU time decoding 0.000, encoding 0.000, other 0.000, total 0.000 sec.

No segmentation either.

OK
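The "invalid length requested" errors quoted in the test report above are libpng refusing a chunk whose declared length cannot be satisfied by the file. As an added illustration, not part of this bug report or of pngcrush itself, here is a small Python pre-check that walks the PNG chunk layout and rejects the malformations visible in the PoC output: a non-alphabetic chunk type such as "0000", an IHDR with width=0 height=0, and a chunk length that runs past the end of the file. The three sample PNGs are constructed inline and are not the attachment from this report.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def walk_chunks(data):
    # Yield (type, payload) per chunk; raise ValueError on a structural fault.
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos < len(data):
        if len(data) - pos < 12:  # 4 length + 4 type + 4 CRC is the minimum
            raise ValueError(f"truncated chunk header at offset {pos}")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        # the declared length must be covered by the bytes actually present
        if pos + 12 + length > len(data):
            raise ValueError(f"invalid length {length} for chunk {ctype!r} at offset {pos}")
        # chunk types are four ASCII letters; "0000" as seen in the PoC is not
        if not all(65 <= c <= 90 or 97 <= c <= 122 for c in ctype):
            raise ValueError(f"non-alphabetic chunk type {ctype!r} at offset {pos}")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        yield ctype, payload
        pos += 12 + length

def check_png(data):
    # Return None if the file passes the structural checks, else the reason.
    try:
        chunks = list(walk_chunks(data))
    except ValueError as e:
        return str(e)
    if not chunks or chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        return "first chunk is not a 13-byte IHDR"
    width, height = struct.unpack(">II", chunks[0][1][:8])
    if width == 0 or height == 0:
        return f"zero image dimension: width={width} height={height}"
    if chunks[-1][0] != b"IEND":
        return "missing IEND chunk"
    return None

def make_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

# Constructed samples: a valid 1x1 greyscale PNG, one with width=0 height=0,
# and one whose IDAT header declares far more bytes than the file contains.
IHDR_1x1 = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD_PNG = PNG_SIG + make_chunk(b"IHDR", IHDR_1x1) + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b"")
ZERO_DIM_PNG = PNG_SIG + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 0, 0, 8, 0, 0, 0, 0)) + make_chunk(b"IEND", b"")
BAD_LEN_PNG = PNG_SIG + make_chunk(b"IHDR", IHDR_1x1) + struct.pack(">I4s", 0x7FFFFFFF, b"IDAT") + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("good", GOOD_PNG), ("zero-dim", ZERO_DIM_PNG), ("bad-len", BAD_LEN_PNG)]:
        print(f"{name}: {check_png(blob) or 'ok'}")
```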
CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK
Thanks for the testcases. I did the same initial 2 tests and got the same performance and reduction % before and after the update. I also did the PoC tests, could not reproduce a segfault, and got the same output before and after the update as Olivier. Marking OK on Mageia 4 i586. It's possible the segfault only happened in some versions between the version we had (1.7.66) and the updated version (1.7.84), but it's good to get the rest of the Coverity-scan fixes for other test cases that we don't have access to.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Advisory uploaded, validating. Please push to 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0101.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/636269/