Bug 20048 - libpng, libpng12 new security issue CVE-2016-10087
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/710481/
Whiteboard: MGA5-32-OK advisory has_procedure MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-12-30 22:21 CET by David Walser
Modified: 2017-01-22 18:03 CET

See Also:
Source RPM: libpng, libpng12
CVE:
Status comment:


Description David Walser 2016-12-30 22:21:14 CET
A CVE has been assigned for a security issue fixed in libpng 1.6.27 and 1.2.57:
http://openwall.com/lists/oss-security/2016/12/30/4

The apng patch hasn't been updated yet; will update these when it's available.

Comment 1 David Walser 2016-12-30 22:21:42 CET
Release announcement for the new versions:
https://sourceforge.net/p/png-mng/mailman/message/35575076/

Comment 2 Marja Van Waes 2016-12-31 14:11:19 CET
CC'ing all packagers collectively, because the registered maintainer is probably still unavailable.

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => fundawang

Comment 3 David Walser 2017-01-03 20:55:35 CET
Fedora has issued an advisory for this on January 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BC55T3VKSC3DR5HODWHBEONDHSEXB6C5/

URL: (none) => https://lwn.net/Vulnerabilities/710481/

Comment 4 Rémi Verschelde 2017-01-05 22:03:11 CET
I'll have a look.

Assignee: fundawang => rverschelde

Comment 5 Rémi Verschelde 2017-01-05 22:15:47 CET
Submitted versions 1.6.27 and 1.2.57 to 5 core/updates_testing.

There was a release for 1.6.28 today, but it still lacks the corresponding version of the apng patch, and based on the changelog it does not seem particularly important to have anyway, so we can skip it:

> Changes since the last public release (1.6.27): Fixed arm/aarch64 detection in
> CMakeLists.txt (Gianfranco Costamagna). Added option to Cmake build allowing a
> custom location of zlib to be specified in a scenario where libpng is being
> built as a subproject alongside zlib by another project (Sam Serrels). Changed
> png_ptr->options from a png_byte to png_uint_32, to accommodate up to 16 options.

Assignee: rverschelde => qa-bugs

Comment 6 Rémi Verschelde 2017-01-05 22:22:53 CET
Suggested advisory:
===================

Updated libpng and libpng12 packages fix security vulnerability

  This security update fixes a NULL pointer dereference bug in libpng and libpng12
  (CVE-2016-10087).

References:
- https://sourceforge.net/p/png-mng/mailman/message/35575076/


SRPMs in core/updates_testing:
==============================

- libpng-1.6.27-1.mga5
- libpng12-1.2.57-1.mga5


RPMs in core/updates_testing:
=============================

lib(64)png16_16-1.6.27-1.mga5
lib(64)png-devel-1.6.27-1.mga5
lib(64)png12_0-1.2.57-1.mga5
lib(64)png12-devel-1.2.57-1.mga5

Comment 7 Herman Viaene 2017-01-13 11:31:07 CET
MGA5-32 on AcerD620 Xfce
No installation issues
Opened jpg file with GIMP, exported to png, closed GIMP, at CLI:
$ strace -o libpng.txt gimp
opened png file, closed GIMP and found in trace:
open("/lib/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 8 Lewis Smith 2017-01-14 22:08:58 CET
Testing M5_64

Updated to:
 lib64png12_0-1.2.57-1.mga5
 lib64png16_16-1.6.27-1.mga5
 lib64png-devel-1.6.27-1.mga5
Trying # urpmq --whatrequires on all 3 showed nothing. Did you guess Gimp, Herman?
I tried ImageMagick:

1. Convert a PNG image to something else:
 $ strace convert Misc/Supra/stove1.png Misc/Supra/stove1.pcx 2>&1 | grep libpng
 open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3
The PCX result was fine.

2. Convert something else to PNG:
 $ strace convert Antrepot/caisse.JPG Antrepot/caisse.png 2>&1 | grep libpng
 open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3

3. Display, change view size, pan the output PNG image; all fine.
 $ strace display Antrepot/caisse.png 2>&1 | grep libpng
 open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3

OK for lib64png16_16 .
lib64png-devel-1.6.27-1.mga5 has 'png-fix-itxt' and 'pngfix' binaries, but no Man pages for them. Can we trust to luck for lib64png12_0 ? Or tell me something that uses it.
If my result suffices, can somebody else please put up the MGA-64-OK and validate this? I am away for a few days, and will not see the response to my question about lib64png12_0 .
I shall do the advisory now so that this is then ready to push.

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 9 Lewis Smith 2017-01-20 21:43:12 CET
lib64png12_0 on 64-bit
Info
----
There is a test Wiki! https://wiki.mageia.org/en/QA_procedure:Libpng
To see what uses these libraries:
  # urpmq --whatrequires-recursive lib64png12_0
 lib64png12-devel
 lib64png12_0
 lsb-lib64
 mozilla-plugin-aliedit
 pngtools
 xv
pngtools: Provides a series of handy PNG tools:
- pngchunkdesc: decodes the "hidden" information in a PNG chunk name
- pngchunks: decodes the constituent parts of a PNG file
- pngcp: copies a PNG image while changing the bit depth or samples per pixel
- pnginfo: displays interesting information about a PNG file
Installed xv, pngtools.
From the Wiki: "You can use sam2p (which links against libpng12_0) to convert a png to a PDF" although it is not in the required list above. No man page, use /usr/share/doc/sam2p/README "As of now, this README file is the only, and definitive, documentation of sam2p." BTAIM this did what it says, but converting a large PNG image to PDF showed *no* library call here - in line with the requires list above; so ignore this one for testing this library.
------------------------------------------------
Testing x64 using the updated lib64png12_0-1.2.57-1

pngchunks showed no library call with strace.

 $ strace pnginfo Misc/Supra/stove1.png  2>&1 | grep libpng
 open("/lib64/libpng12.so.0", O_RDONLY|O_CLOEXEC) = 3
Without the grep, the O/P looks sensible.

 $ strace pngcp Misc/Supra/stove1.png ~/tmp/copy1.png 2>&1 | grep libpng
 open("/lib64/libpng12.so.0", O_RDONLY|O_CLOEXEC) = 3
The output image without any pngcp parameters looks really weird, but recognisable. I am not putting this down to the update!

 $ strace xv Antrepot/caisse.png 2>&1 | grep libpng
 open("/lib64/libpng12.so.0", O_RDONLY|O_CLOEXEC) = 3
The large image displayed fine, and supported various re-sizings.

So x64 OKing this at last, validating. Advisory already up there.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory has_procedure MGA5-64-OK
CC: (none) => sysadmin-bugs
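
The testers above confirm that a program exercises the updated library by grepping strace output for libpng. As an added example (not part of the bug report or of Mageia's QA procedure), the shell functions below run the same check on constructed sample traces: they ignore failed library-path probes and report when a program never loads the requested soname, which is what was observed for pngchunks and sam2p. The function names and sample traces are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: decide from strace output whether a test program really
# loaded libpng, and which soname it got.

# Print the path of every libpng shared object whose open()/openat() succeeded.
# Failed probes (result -1, e.g. ENOENT while the loader searches library
# directories) are skipped so they are not mistaken for a load.
libpng_loaded() {
    awk -F'"' '
        /open(at)?\(/ && $2 ~ /\/libpng[0-9]*\.so/ {
            n = split($0, part, " = ")   # text after the last " = " is the result
            if (part[n] !~ /^-1/) print $2
        }' | sort -u
}

# Succeed only if exactly the given soname (e.g. libpng12.so.0) was loaded.
# Usage: strace prog args 2>&1 | exercises_soname libpng12.so.0
exercises_soname() {
    libpng_loaded | awk -F/ -v so="$1" '$NF == so { found = 1 } END { exit !found }'
}

# Constructed sample traces, modelled on the lines quoted in the comments.
trace_pnginfo() {
    cat <<'EOF'
open("/lib64/tls/libpng12.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libpng12.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
EOF
}
trace_no_libpng() {
    cat <<'EOF'
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("Misc/Supra/stove1.png", O_RDONLY) = 3
EOF
}

trace_pnginfo | libpng_loaded
if trace_no_libpng | exercises_soname libpng12.so.0; then
    echo "libpng12 exercised"
else
    echo "no libpng12 load: this program does not test the update"
fi
```

On an installed system, `rpm -qf` on the reported path shows which package and version own the library that was loaded.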

Comment 10 Mageia Robot 2017-01-22 18:03:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0020.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

