A CVE was assigned for an out-of-bounds read issue fixed upstream in libpng12:
http://openwall.com/lists/oss-security/2015/10/26/3

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libpng12 packages fix security vulnerability:

An out-of-bounds read in png_convert_to_rfc1123() in png.c in libpng 1.2.x before 1.2.54 could potentially be exploited by a crafted PNG file to leak information from an application's memory (CVE-2015-7981).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7981
http://openwall.com/lists/oss-security/2015/10/26/3
========================

Updated packages in core/updates_testing:
========================
libpng12_0-1.2.52-1.1.mga5
libpng12-devel-1.2.52-1.1.mga5

from libpng12-1.2.52-1.1.mga5.src.rpm
Installed libpng12_0-1.2.52.1.1.mga5 (i586). Installs fine. Not finding any applications that still use that version. Let me know if someone has one. Brian
CC: (none) => brtians1
According to urpmq --whatrequires libpng12_0, pngtools and xv still use it.
I'll see about trying out one of those tonight. And thanks for the command.
Installed xv and it picked up the libpng12 library. Exported image to png, edited it with xv and saved it out. No issues.

Linux localhost 4.1.8-desktop-1.mga5 #1 SMP Sun Sep 20 12:33:42 UTC 2015 i686 i686 i686 GNU/Linux
[root@localhost brian]# urpmi libpng12_0
Package libpng12_0-1.2.52-1.1.mga5.i586 is already installed
Whiteboard: (none) => MGA5-32-OK
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
Installed on 64 bit VM. Worked fine there. Brian
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0417.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/662790/