Bug 15393 - pngcrush new security issue CVE-2015-2158
Summary: pngcrush new security issue CVE-2015-2158
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/636269/
Whiteboard: MGA4-64-OK MGA4-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
Reported: 2015-03-02 00:34 CET by David Walser
Modified: 2015-03-11 19:19 CET

See Also:
Source RPM: pngcrush-1.7.73-3.mga5.src.rpm
CVE:
Status comment:


Attachments
PoC concerning pngcrush (41 bytes, application/gzip)
2015-03-09 21:47 CET, olivier charles

Description David Walser 2015-03-02 00:34:43 CET
A CVE has been assigned for a security issue fixed upstream in 1.7.84:
http://openwall.com/lists/oss-security/2015/03/01/1

Assuming older versions are affected, Mageia 4 and Mageia 5 would be affected.

David Walser 2015-03-02 00:35:09 CET

CC: (none) => fundawang, mageia, thierry.vignaud
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-03-08 17:30:23 CET
Update checked into Mageia 4 and Cauldron SVN.  Freeze push requested.
Comment 2 David Walser 2015-03-08 21:30:12 CET
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated pngcrush package fixes security vulnerability:

pngcrush-1.7.84 fixes defects reported by Coverity-scan, so it should be more
resistant to crashes due to malformed input files, such as the one presented
in CVE-2015-2158.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2158
http://sourceforge.net/p/pmt/news/2015/02/pngcrush-1784-released/
http://openwall.com/lists/oss-security/2015/03/01/1
========================

Updated packages in core/updates_testing:
========================
pngcrush-1.7.84-1.mga4

from pngcrush-1.7.84-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 3 olivier charles 2015-03-09 21:47:39 CET
Created attachment 6021 [details]
PoC concerning pngcrush


Testing on Mageia 4x64 real hardware

Using PoC mentioned in http://openwall.com/lists/oss-security/2015/02/28/6
(see attachment)

From current package:
--------------------
pngcrush-1.7.66-2.mga4

Tested 2 commands:

# pngcrush -reduce -brute test.png test_reduced.png
# pngcrush -rem allb test.png test_rem.png
with a test.png

Both gave a warning:
Warning: versions are different between png.h and png.c
  png.h version: 1.6.6
  png.c version: 1.6.16
But performed well.

Tested PoC:
# pngcrush -fix -force test203 /dev/null
(...)
Reading 0000 chunk.
  width=0
  height=0
  ticksps=0
  nomlayc=0
  nomfram=0
  nomplay=0
  profile=0

While measuring IDATs in test203 pngcrush caught libpng error:
   Read Error

   Recompressing test203
   Total length of data found in critical chunks =        0

While measuring IDATs in /dev/null pngcrush caught libpng error:
   Read Error

   Recompressing /dev/null
   Total length of data found in critical chunks =        0
   CPU time decoding 0.000, encoding 0.000, other 0.000, total 0.000 seconds

Could not reproduce the segmentation fault.

With the updated testing package:
--------------------------
pngcrush-1.7.84-1.mga4
# pngcrush -reduce -brute test.png test_reduced.png
# pngcrush -rem allb test.png test_rem.png

Went well and no more warning about different versions

PoC
# pngcrush -fix -force test203 /dev/null
Reading 0000 chunk.

While measuring IDATs in test203 pngcrush caught libpng error:
   Read Error: invalid length requested

   Recompressing IDAT chunks in test203
   Total length of data found in critical chunks            =         0

While measuring IDATs in /dev/null pngcrush caught libpng error:
   Read Error: invalid length returned

   Recompressing IDAT chunks in /dev/null
   Total length of data found in critical chunks            =         0
   CPU time decoding 0.000, encoding 0.000, other 0.000, total 0.000 sec.

No segmentation fault either.

OK

CC: (none) => olchal

olivier charles 2015-03-09 21:48:06 CET

Whiteboard: (none) => MGA4-64-OK
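A small QA helper, added here and not part of the bug report or of pngcrush itself, that wraps the PoC invocation used in the test above and distinguishes a clean libpng error exit ("Read Error") from a process killed by a signal, which is what the reported segfault would look like. The pngcrush binary path and the PoC filename (test203) are assumptions taken from the report.

```shell
#!/bin/sh
# Hypothetical QA helper (not from the bug report): run a command and
# classify how it ended. Prints "ok" for status 0, "error" for a clean
# non-zero exit (e.g. pngcrush reporting a libpng Read Error), or
# "crash:<signal>" when the shell reports a signal death (status >= 128,
# 139 = SIGSEGV on Linux). Written to be safe under `set -e`.
classify_run() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -ge 128 ]; then
        echo "crash:$((status - 128))"
    else
        echo error
    fi
    return 0
}

# Run the PoC command from the report ("pngcrush -fix -force test203
# /dev/null") against a given binary and report PASS/FAIL. A clean
# "error" result is the expected, correct behaviour for a malformed file;
# only a signal death counts as a regression. Arguments are assumptions:
#   $1 = path to the pngcrush binary under test, $2 = PoC file (test203).
check_pngcrush() {
    bin=$1
    poc=$2
    result=$(classify_run "$bin" -fix -force "$poc" /dev/null)
    case $result in
        crash:*) echo "FAIL $bin on $poc: $result" ;;
        *)       echo "PASS $bin on $poc: $result" ;;
    esac
    return 0
}

# Typical use on a Mageia 4 box before and after installing the update:
#   check_pngcrush /usr/bin/pngcrush test203
```

Run it once with the old package installed and once with pngcrush-1.7.84-1.mga4 to get a machine-checkable PASS/FAIL instead of eyeballing the console output.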

Comment 4 David Walser 2015-03-09 23:54:29 CET
Thanks for the testcases.  I did the same initial 2 tests and got the same performance and reduction % before and after the update.  I also did the PoC tests, could not reproduce a segfault, and got the same output before and after the update as Olivier.  Marking OK on Mageia 4 i586.

It's possible the segfault only happened in some versions between the version we had (1.7.66) and the updated version (1.7.84), but it's good to get the rest of the Coverity-scan fixes for other test cases that we don't have access to.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 5 Rémi Verschelde 2015-03-10 10:14:25 CET
Advisory uploaded, validating. Please push to 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 6 Mageia Robot 2015-03-10 17:49:02 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0101.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-03-11 19:19:19 CET

URL: (none) => http://lwn.net/Vulnerabilities/636269/

