A CVE has been assigned for a security issue fixed in libpng 1.6.27 and 1.2.57: http://openwall.com/lists/oss-security/2016/12/30/4 The apng patch hasn't been updated yet; will update these when it's available.
Release announcement for the new versions: https://sourceforge.net/p/png-mng/mailman/message/35575076/
CC'ing all packagers collectively, because the registered maintainer is probably still unavailable.
CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => fundawang
Fedora has issued an advisory for this on January 1: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BC55T3VKSC3DR5HODWHBEONDHSEXB6C5/
URL: (none) => https://lwn.net/Vulnerabilities/710481/
I'll have a look.
Assignee: fundawang => rverschelde
Submitted versions 1.6.27 and 1.2.57 to 5 core/updates_testing.

There was a release for 1.6.28 today, but it still lacks the corresponding version of the apng patch, and based on the changelog it does not seem particularly important to have anyway, so we can skip it:

> Changes since the last public release (1.6.27):
> Fixed arm/aarch64 detection in CMakeLists.txt (Gianfranco Costamagna).
> Added option to Cmake build allowing a custom location of zlib to be
> specified in a scenario where libpng is being built as a subproject
> alongside zlib by another project (Sam Serrels).
> Changed png_ptr->options from a png_byte to png_uint_32, to accommodate
> up to 16 options.
Assignee: rverschelde => qa-bugs
Suggested advisory:
===================

Updated libpng and libpng12 packages fix security vulnerability

This security update fixes a NULL pointer dereference bug in libpng and libpng12 (CVE-2016-10087).

References:
- https://sourceforge.net/p/png-mng/mailman/message/35575076/

SRPMs in core/updates_testing:
==============================
- libpng-1.6.27-1.mga5
- libpng12-1.2.57-1.mga5

RPMs in core/updates_testing:
=============================
lib(64)png16_16-1.6.27-1.mga5
lib(64)png-devel-1.6.27-1.mga5
lib(64)png12_0-1.2.57-1.mga5
lib(64)png12-devel-1.2.57-1.mga5
MGA5-32 on AcerD620 Xfce
No installation issues.

Opened jpg file with GIMP, exported to png, closed GIMP, at CLI:
$ strace -o libpng.txt gimp
opened png file, closed GIMP and found in trace:
open("/lib/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Testing M5_64

Updated to:
lib64png12_0-1.2.57-1.mga5
lib64png16_16-1.6.27-1.mga5
lib64png-devel-1.6.27-1.mga5

Trying
# urpmq --whatrequires
on all 3 showed nothing. Did you guess Gimp, Herman?

I tried ImageMagick:

1. Convert a PNG image to something else:
$ strace convert Misc/Supra/stove1.png Misc/Supra/stove1.pcx 2>&1 | grep libpng
open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3
The PCX result was fine.

2. Convert something else to PNG:
$ strace convert Antrepot/caisse.JPG Antrepot/caisse.png 2>&1 | grep libpng
open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3

3. Display, change view size, pan the output PNG image; all fine.
$ strace display Antrepot/caisse.png 2>&1 | grep libpng
open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3

OK for lib64png16_16.

lib64png-devel-1.6.27-1.mga5 has 'png-fix-itxt' and 'pngfix' binaries, but no man pages for them.

Can we trust to luck for lib64png12_0? Or tell me something that uses it.

If my result suffices, can somebody else please put up the MGA-64-OK and validate this? I am away for a few days, and will not see the response to my question about lib64png12_0. I shall do the advisory now so that this is then ready to push.
CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
lib64png12_0 on 64-bit

Info
----
There is a test Wiki!
https://wiki.mageia.org/en/QA_procedure:Libpng

To see what uses these libraries:
# urpmq --whatrequires-recursive lib64png12_0
lib64png12-devel
lib64png12_0
lsb-lib64
mozilla-plugin-aliedit
pngtools
xv

pngtools: Provides a series of handy PNG tools:
- pngchunkdesc: decodes the "hidden" information in a PNG chunk name
- pngchunks: decodes the constituent parts of a PNG file
- pngcp: copies a PNG image while changing the bit depth or samples per pixel
- pnginfo: displays interesting information about a PNG file

Installed xv, pngtools.

From the Wiki: "You can use sam2p (which links against libpng12_0) to convert a png to a PDF" although it is not in the required list above. No man page, use /usr/share/doc/sam2p/README
"As of now, this README file is the only, and definitive, documentation of sam2p."
BTAIM this did what it says, but converting a large PNG image to PDF showed *no* library call here - in line with the requires list above; so ignore this one for testing this library.

------------------------------------------------
Testing x64 using the updated lib64png12_0-1.2.57-1

pngchunks showed no library call with strace.

$ strace pnginfo Misc/Supra/stove1.png 2>&1 | grep libpng
open("/lib64/libpng12.so.0", O_RDONLY|O_CLOEXEC) = 3
Without the grep, the O/P looks sensible.

$ strace pngcp Misc/Supra/stove1.png ~/tmp/copy1.png 2>&1 | grep libpng
open("/lib64/libpng12.so.0", O_RDONLY|O_CLOEXEC) = 3
The output image without any pngcp parameters looks really weird, but recognisable. I am not putting this down to the update!

$ strace xv Antrepot/caisse.png 2>&1 | grep libpng
open("/lib64/libpng12.so.0", O_RDONLY|O_CLOEXEC) = 3
The large image displayed fine, and supported various re-sizings.

So x64 OKing this at last, validating. Advisory already up there.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory has_procedure MGA5-64-OK
CC: (none) => sysadmin-bugs
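The strace check used in the test comments above, as an added example that is not part of the original thread: a plain `grep libpng` also matches failed library-path probes and unrelated files, so this filter keeps only successful `open`/`openat` calls on a libpng shared object. The function names `sample_trace`, `loaded_libpng` and `uses_soname` are hypothetical and the trace lines are constructed.

```shell
#!/bin/sh
# Constructed strace output (not taken from the testers' systems). It includes
# a failed library-path probe, an openat() call with a "-f" style pid prefix,
# and an unrelated file whose name merely contains "libpng".
sample_trace() {
cat <<'EOF'
open("/usr/lib64/tls/libpng16.so.16", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] openat(AT_FDCWD, "/lib64/libpng12.so.0", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/home/user/libpng.txt", O_WRONLY|O_CREAT, 0666) = 5
EOF
}

# loaded_libpng: read strace output on stdin and print the path of every
# libpng shared object that was opened successfully (return value is a
# file descriptor, not -1), one per line, de-duplicated.
loaded_libpng() {
    sed -n -E 's#^(\[pid +[0-9]+\] |[0-9]+ +)?(open|openat)\((AT_FDCWD, )?"([^"]*/libpng[0-9]*\.so[^"]*)", [^)]*\) = [0-9]+.*$#\4#p' |
        sort -u
}

# uses_soname SONAME: succeed only if the trace on stdin shows a successful
# load of exactly that soname (e.g. libpng12.so.0), whatever its directory.
uses_soname() {
    loaded_libpng | sed 's#.*/##' | grep -qxF -- "$1"
}

# Demonstration on the constructed trace.
sample_trace | loaded_libpng
```

Real output can be fed in with `strace -f <program> <file.png> 2>&1 | loaded_libpng`.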
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0020.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED