A security issue fixed upstream in libpng was announced on November 12:
http://openwall.com/lists/oss-security/2015/11/12/2

It was assigned CVE-2015-8126:
http://openwall.com/lists/oss-security/2015/11/13/1

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libpng and libpng12 packages fix security vulnerability:

Multiple buffer overflows in the png_set_PLTE and png_get_PLTE functions in libpng before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image (CVE-2015-8126).

This issue also affected libpng 1.2 before 1.2.54.

The libpng and libpng12 packages have been updated to versions 1.6.19 and 1.2.54, respectively, fixing this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126
http://openwall.com/lists/oss-security/2015/11/13/1
========================

Updated packages in core/updates_testing:
========================
libpng12_0-1.2.54-1.mga5
libpng12-devel-1.2.54-1.mga5
libpng16_16-1.6.19-1.mga5
libpng-devel-1.6.19-1.mga5

from SRPMS:
libpng12-1.2.54-1.mga5.src.rpm
libpng-1.6.19-1.mga5.src.rpm

xv (in nonfree) and Firefox use libpng12 and libpng, respectively, to display PNG images.
Whiteboard: (none) => has_procedure
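
The advisory above ties the overflow to a small IHDR bit depth in the PLTE handling functions; per the PNG specification, an indexed-colour image may carry at most 2^bit_depth palette entries. The following structural check for that mismatch is an added example, not part of this bug report or of libpng's fix; the function name, result codes and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PLTE_OK = 0, PLTE_OVERSIZED = 1, PLTE_MALFORMED = -1 };

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the chunks and compare the PLTE entry count with the limit implied by
 * IHDR. Structure only: CRCs are not verified and no image data is decoded. */
int png_plte_check(const unsigned char *buf, size_t len) {
    static const unsigned char sig[8] = {0x89,'P','N','G','\r','\n',0x1a,'\n'};
    size_t off = 8;
    unsigned bit_depth = 0, color_type = 0;
    int seen_ihdr = 0;
    if (len < 8 || memcmp(buf, sig, 8) != 0) return PLTE_MALFORMED;
    while (len - off >= 12) {                 /* length + type + CRC */
        uint32_t clen = be32(buf + off);
        const unsigned char *type = buf + off + 4, *data = buf + off + 8;
        if (clen > len - off - 12) return PLTE_MALFORMED;   /* truncated */
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return PLTE_MALFORMED;
            bit_depth = data[8]; color_type = data[9];
            seen_ihdr = 1;
        } else if (memcmp(type, "PLTE", 4) == 0) {
            /* Indexed colour (type 3): at most 2^bit_depth entries, else 256. */
            uint32_t max = (color_type == 3 && bit_depth < 8) ? (1u << bit_depth) : 256u;
            if (!seen_ihdr || clen % 3 != 0) return PLTE_MALFORMED;
            if (clen / 3 > max) return PLTE_OVERSIZED;
        } else if (memcmp(type, "IEND", 4) == 0) {
            break;
        }
        off += 12 + (size_t)clen;
    }
    return seen_ihdr ? PLTE_OK : PLTE_MALFORMED;
}

/* Constructed sample, CRC fields zeroed so it is not a loadable PNG:
 * IHDR declares bit depth 1 and colour type 3, PLTE carries 3 entries. */
static const unsigned char sample_oversized[] = {
    0x89,'P','N','G','\r','\n',0x1a,'\n',
    0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 1,3,0,0,0, 0,0,0,0,
    0,0,0,9, 'P','L','T','E', 0,0,0, 0,0,0, 0,0,0, 0,0,0,0 };

int main(void) {
    printf("%d\n", png_plte_check(sample_oversized, sizeof sample_oversized));
    return 0;
}
```

A file that returns PLTE_OVERSIZED is worth holding back from any application still linked against a libpng older than the versions named in the advisory.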
[brian@localhost ~]$ uname -a
Linux localhost 4.1.13-desktop586-2.mga5 #1 SMP Wed Nov 11 00:50:24 UTC 2015 i686 i686 i686 GNU/Linux

Installed package: libpng12_0-1.2.54-1.mga5

Tested xv. Loaded png, modified and saved to a new png. No problems to report.
CC: (none) => brtians1
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
libpng16_16

default install of libpng16_16

[root@localhost wilcal]# urpmi libpng16_16
Package libpng16_16-1.6.17-1.mga5.i586 is already installed

Using Gimp I can open a png file, add elements to the image, flip the image horizontally, resize the image, crop the image to a different size then output it with a compression level of 5 the image as a png file. That image can then be opened and viewed with Gwenview.

install libpng16_16 from updates_testing

[root@localhost wilcal]# urpmi libpng16_16
Package libpng16_16-1.6.19-1.mga5.i586 is already installed

Using Gimp I can open a different png file, add elements to the image, flip the image vertically, resize the image, crop the image to a different size then output it with a compression level of 5 the image as a png file. That image can then be opened and viewed with Gwenview. The previously created png file can be opened, modified and changed with gimp.
CC: (none) => wilcal.int
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Whiteboard: has_procedure MGA5-32-OK => has_procedure
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
libpng12_0

install libpng12_0 from updates testing

[root@localhost wilcal]# urpmi xv
Package xv-3.10a-15.mga5.nonfree.i586 is already installed
[root@localhost wilcal]# urpmi libpng12_0
Package libpng12_0-1.2.54-1.mga5.i586 is already installed

[wilcal@localhost Pictures]$ xv created_image.png
Opens a window on the desktop and displays created_image.png.
Whiteboard: has_procedure => has_procedure MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
libpng12_0 libpng16_16

install libpng12_0 & libpng16_16 from updates testing

[root@localhost wilcal]# urpmi xv
Package xv-3.10a-15.mga5.nonfree.x86_64 is already installed
[root@localhost wilcal]# urpmi libpng12_0
Package libpng12_0-1.2.52-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libpng16_16
Package libpng16_16-1.6.17-1.mga5.i586 is already installed

Using Gimp I can open a png file, add elements to the image, flip the image horizontally, resize the image, crop the image to a different size then output it with a compression level of 5 the image as a png file. That image can then be opened and viewed with Gwenview.

[wilcal@localhost Pictures]$ xv created_image.png
Opens a window on the desktop and displays created_image.png.

install libpng12_0 & libpng16_16 from updates_testing

[root@localhost wilcal]# urpmi xv
Package xv-3.10a-15.mga5.nonfree.x86_64 is already installed
[root@localhost wilcal]# urpmi libpng12_0
Package libpng12_0-1.2.54-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libpng16_16
Package libpng16_16-1.6.19-1.mga5.i586 is already installed

Using Gimp I can open a different png file, add elements to the image, flip the image vertically, resize the image, crop the image to a different size then output it with a compression level of 5 the image as a png file. That image can then be opened and viewed with Gwenview. Previously created png file can be opened in Gimp.

[wilcal@localhost Pictures]$ xv created_image.png
Opens a window on the desktop and displays created_image.png.
[wilcal@localhost Pictures]$ xv created_image1.png
Opens a window on the desktop and displays created_image1.png.

This update works fine.
Testing complete for MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/664752/
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0451.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED