Still need to check the changelogs and write an advisory, but there are various security-relevant points in libpng updates between our current 1.6.29 and the upstream 1.6.34.

RPMs in core/updates_testing:
=============================
libpng16_16-1.6.34-1.mga6
libpng-devel-1.6.34-1.mga6

SRPM in core/updates_testing:
=============================
libpng-1.6.34-1.mga6
Actually not a security update, there was a security fix in 1.6.32 but for a bug introduced in 1.6.31, so our 1.6.29 was not affected. Still, keeping this as a bugfix update.
QA Contact: security => (none)
Summary: libpng new security issues => libpng 1.6.34 bugfix update
Component: Security => RPM Packages
Mageia 6 for x86_64

Used mana update for this and selected lib64png16_16, which pulled in the development package. Lots of things use this including firefox, which I restarted.

$ urpmq --whatrequires lib64png16_16 | sort -u | wc -l
432

vlc for a start, probably for the interface icons.

$ strace vlc HowToBarterOnline_FrenchMaidTV.m4v 2> trace
$ cat trace | grep png
stat("/usr/lib64/vlc/plugins/codec/libpng_plugin.so", {st_mode=S_IFREG|0755, st_size=15528, ...}) = 0
open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3

emacs. emacs is my preferred editor and is being used to prepare this report.

Used eom to display an image directory.

$ cat trace | grep png
open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libpng16.so.16.34.0", O_RDONLY) = 3
open("/usr/share/eom/pixmaps/thumbnail-frame.png", O_RDONLY) = 12
stat("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so", {st_mode=S_IFREG|0755, st_size=24368, ...}) = 0
open("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so", O_RDONLY|O_CLOEXEC) = 14
open("/usr/share/icons/mate/24x24/actions/go-previous.png", O_RDONLY) = 14

virtualbox needs it, imagemagick, graphicsmagick, blender and a number of games.

These tests should be enough to show that it works fine.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
Mageia 6 for i586 in virtualbox

Updated libpng and used a few dependent applications to test it. Used imagemagick to convert a set of JPEGs to PNG format.

$ convert TheUninvited_*.jpg png:TheUninvited
$ file * | grep PNG
TheUninvited-0: PNG image data, 600 x 402, 8-bit/color RGB, non-interlaced
...................
$ strace eom TheUninvited-2 2> trace
$ cat trace | grep png
open("/lib/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3
read(8, "png\");\n}\n\nscale.horizontal.marks"..., 8192) = 8192
open("/usr/share/eom/pixmaps/thumbnail-frame.png", O_RDONLY|O_LARGEFILE) = 12

Ran vlc without problems. Verified that the ImageMagick jpg -> png conversions involved libpng16.

Good for 32 bits.
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
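A small script, added here and not part of the bug report or of Mageia's QA tooling, that automates the check done by hand in the x86_64 and i586 tests above: it pulls the libpng shared objects a program actually opened out of an strace log, follows each through its symlink chain, and confirms the file it lands on is the expected 1.6.34 build rather than a stale copy. The sample trace is constructed from the lines in this report; GNU `readlink -f` and the libpng16.so.16.<patch>.0 naming convention are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the bug report. Given strace output from a libpng
# consumer, list the libpng objects it opened, resolve each to the real file
# and check that file's release against the one the update should install.
# Assumes GNU/Linux `readlink -f` and libpng16's libpng16.so.16.<patch>.0
# naming (matching the libpng16.so.16.34.0 seen in the report).

# Constructed sample trace, modelled on the report's `strace ... | grep png`.
SAMPLE_TRACE='open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3
stat("/usr/lib64/vlc/plugins/codec/libpng_plugin.so", {st_mode=S_IFREG|0755, st_size=15528, ...}) = 0
open("/usr/share/icons/mate/24x24/actions/go-previous.png", O_RDONLY) = 14
open("/usr/lib64/libpng16.so.16.34.0", O_RDONLY) = 3'

# Print each distinct libpng*.so* path passed to open()/openat() on stdin.
# Plugins such as libpng_plugin.so and .png image files deliberately do not match.
png_libs_from_trace() {
  sed -n 's|^open[a-z]*(.*"\(/[^"]*/libpng[0-9]*\.so[^"]*\)".*|\1|p' | sort -u
}

# Map one libpng path to a release: /lib64/libpng16.so.16 is followed to
# libpng16.so.16.34.0, whose 16.34.0 suffix means libpng 1.6.34.
# Prints "unknown (...)" and returns 1 when the name cannot be interpreted.
png_release_of() {
  real=$(readlink -f "$1" 2>/dev/null) || real=$1
  name=${real##*/}
  v=${name##*.so.}
  case "$v" in
    16.*.*) rest=${v#16.}; printf '1.6.%s\n' "${rest%%.*}" ;;
    *)      printf 'unknown (%s)\n' "$name"; return 1 ;;
  esac
}

# Check every libpng object in the trace on stdin against the expected release.
# Usage: strace -f -e trace=open,openat eom some.png 2>&1 | check_trace_against 1.6.34
check_trace_against() {
  want=$1; status=0
  for lib in $(png_libs_from_trace); do
    got=$(png_release_of "$lib") || true
    if [ "$got" = "$want" ]; then
      printf 'ok   %s -> %s\n' "$lib" "$got"
    else
      printf 'FAIL %s -> %s (expected %s)\n' "$lib" "$got" "$want"
      status=1
    fi
  done
  return "$status"
}

# Demo on the constructed trace; the paths only resolve on a real Mageia host.
printf '%s\n' "$SAMPLE_TRACE" | check_trace_against 1.6.34 || :
```

On a real host the FAIL lines are the interesting ones: a consumer still mapping an old libpng16.so.16.29.0 after the update means the package did not replace what that program loads.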
Thanks Len for both tests. Advisory made from comments 1-2. Validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2017-0104.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This update fixed CVE-2017-12652: https://access.redhat.com/errata/RHSA-2020:3901