openSUSE has issued an advisory on February 21:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00088.html
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patch available from openSUSE
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Someone who knows C better than I will need to evaluate this. The openSUSE patch has:
--- xv-3.10a/xvpng.c 2017-06-08 14:45:30.462632457 -0500 +++ xvt/xvpng.c 2017-06-08 15:13:32.422848106 -0500 @@ -1149,7 +1149,7 @@ int LoadPNG(fname, pinfo) for (i = 0; i < _num_text; i++) commentsize += strlen(_text[i].key) + 1 + - _text[i].text_length + 2; + strlen(_text[i].text) + 2; if ((pinfo->comment = malloc(commentsize)) == NULL) { png_warning(png_ptr,"can't allocate comment string");
The code has:
for(i = 0; i < info_ptr->num_text; i++)
  commentsize += strlen(info_ptr->text[i].key) + 1 + info_ptr->text[i].text_length + 2;
if((pinfo->comment = malloc(commentsize)) == NULL) {
  png_warning(png_ptr,"can't allocate comment string");
I can't tell whether the patch is not valid for this version, is already applied, needs to be rediffed, or is simply not needed.
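Review bot: the hunk's context does not match this tree, so it has to be rediffed rather than applied as-is: openSUSE's xvpng.c loops over local copies (`_num_text`, `_text[i]`), while the Mageia source quoted underneath indexes `info_ptr->num_text` and `info_ptr->text[i]`, so the replacement line here should read `strlen(info_ptr->text[i].text) + 2;`. The change itself is needed, not already present: `text_length` is not guaranteed to equal the length of the string in `.text` (libpng reports iTXt chunks with a `text_length` of 0 and carries their length in a separate field), so a `commentsize` computed from it is too small whenever the string is longer, and any copy of the full string into `pinfo->comment` then runs past the allocation. When rediffing, also check that the code filling `pinfo->comment` after this `malloc` measures the same strings with `strlen`, so that allocation and copy agree.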
CC: (none) => mrambo
The change from the patch needs to be applied. It should use strlen(info_ptr->text[i].text) instead of info_ptr->text[i].text_length
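To make the allocation mismatch concrete, here is an added, stand-alone C example (not xv's code and not part of this bug report) that puts the unpatched sizing next to the patched one. It uses a constructed stand-in for libpng's png_text with only the three fields LoadPNG reads, and an assumed "key: text\n" layout for the assembled comment, chosen so that it consumes exactly the 1 + 2 extra bytes of the formula; the initial `commentsize = 1` for the trailing NUL is likewise an assumption. Instead of overflowing like the original, the builder refuses a buffer that is too small, which is what the unpatched size produces for an iTXt chunk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libpng's png_text: only the fields xv's LoadPNG
 * reads. libpng reports iTXt chunks with text_length == 0 (their length lives
 * in a separate itxt_length field), which is what makes the old size wrong. */
struct text_chunk {
    const char *key;
    const char *text;
    size_t text_length;
};

/* Sizing as in the unpatched LoadPNG: trusts text_length. */
size_t comment_size_before(const struct text_chunk *t, size_t n)
{
    size_t commentsize = 1;               /* assumed: room for the final NUL */
    for (size_t i = 0; i < n; i++)
        commentsize += strlen(t[i].key) + 1 + t[i].text_length + 2;
    return commentsize;
}

/* Sizing as in the patched LoadPNG: measures the string that gets copied. */
size_t comment_size_after(const struct text_chunk *t, size_t n)
{
    size_t commentsize = 1;
    for (size_t i = 0; i < n; i++)
        commentsize += strlen(t[i].key) + 1 + strlen(t[i].text) + 2;
    return commentsize;
}

/* Assemble "key: text\n" per chunk (assumed layout: key + 2 + text + 1 bytes)
 * into a buffer of bufsize bytes. Where the original would write past the
 * end, refuse instead: returns NULL when the strings do not fit. */
char *build_comment(const struct text_chunk *t, size_t n, size_t bufsize)
{
    size_t needed = comment_size_after(t, n);
    if (needed > bufsize)
        return NULL;                      /* the unpatched size lands here */
    char *buf = malloc(bufsize);
    if (buf == NULL)
        return NULL;
    size_t off = 0;
    for (size_t i = 0; i < n; i++)
        off += (size_t)snprintf(buf + off, bufsize - off, "%s: %s\n",
                                t[i].key, t[i].text);
    return buf;
}

/* Constructed sample: one tEXt chunk and one iTXt chunk as libpng reports them. */
static const struct text_chunk sample[] = {
    { "Comment",     "made with GIMP",      14 },
    { "Description", "An iTXt description",  0 },   /* iTXt: text_length is 0 */
};
static const size_t sample_n = sizeof sample / sizeof sample[0];

int main(void)
{
    size_t before = comment_size_before(sample, sample_n);
    size_t after  = comment_size_after(sample, sample_n);
    printf("text_length sizing: %zu bytes, strlen sizing: %zu bytes\n", before, after);

    char *c = build_comment(sample, sample_n, before);
    printf("build with old size: %s\n", c ? "ok" : "refused (would overflow)");
    free(c);

    c = build_comment(sample, sample_n, after);
    printf("build with new size:\n%s", c ? c : "failed\n");
    free(c);
    return 0;
}
```

For the sample the old formula yields 39 bytes and the new one 58, the difference being the 19 characters of the iTXt text that `text_length` never counted; the same arithmetic applies to any PNG whose text chunks libpng reports with `text_length` shorter than the string.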
Patched package built for cauldron and Mageia 6.

Advisory:
========================

Updated xv package fixes DoS security vulnerability:

It was discovered that png images created in gimp would crash xv.

References:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00088.html
========================

Updated packages in core/updates_testing:
========================
xv-3.10a-16.1.mga6

from xv-3.10a-16.1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
Testing complete mga6 64

Didn't find a PoC image so created a simple png image in gimp. Saw no evidence of DoS but no regression when updated either.

$ xv Gimp-PNG.png
Whiteboard: (none) => mga6-64-ok
Keywords: (none) => has_procedure
Advisory uploaded. Validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0157.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED