Ubuntu has issued an advisory on July 11:
The Ubuntu CVE page has a link to the upstream commit that fixed it:
According to their comments there, the issue was introduced some time after 1.6.20, so Mageia 5 and Mageia 6 may or may not be affected.
Assigning to the registered maintainer.
According to the RedHat bug, older libpng branches are also affected:
libpng new security issue CVE-2018-13785 =>
libpng, libpng12 new security issue CVE-2018-13785
Fixed in Cauldron as David Geiger updated to 1.6.35 a month ago. I'll do the update for Mageia 6.
Ah I missed that libpng12 may be affected too.
Fixed in Cauldron with libpng-1.6.35-1.mga7 and libpng12-1.2.59-1.mga7.
Pushing same packages for Mageia 6.
Updated libpng and libpng12 packages fix security vulnerability
In libpng until version 1.6.35, a wrong calculation of row_factor in the
png_check_chunk_length function (pngrutil.c) may trigger an integer
overflow and resultant divide-by-zero while processing a crafted PNG file,
leading to a denial of service. (CVE-2018-13785)
This update fixes it, also providing the current maintenance releases in the
1.2 and 1.6 stable branches.
SRPMs in core/updates_testing:
RPMs in core/updates_testing:
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 20048 for tests:
Opened jpg file with GIMP, exported to png, closed GIMP and viewed png file witg eom: OK
Installed xv and pngtools as testing tools.
$ convert 34815267.png 34815267.pcx
Opened pcx file with LibreOffice Draw: looks OK.
$ convert dsc00107.jpg dsc00107.png
Opened png file with eom: OK.
$ pnginfo dsc00107.png
Image Width: 3072 Image Length: 2304
Bitdepth (Bits/Sample): 8
Channels (Samples/Pixel): 3
Pixel depth (Pixel Depth): 24
Colour Type (Photometric Interpretation): RGB
Image filter: Single row per byte filter
Interlacing: No interlacing
Compression Scheme: Deflate method 8, 32k window
Resolution: 2834, 2834 (pixels per meter)
Byte Order: Network (Big Endian)
Number of text strings: 0 of 0
$ pngcp dsc00107.png ~/tmp/copy1.png
Copy looks OK in eom
$ xv dsc00107.png
The large image displayed fine, and supported various re-sizings.
Good to go.
Both arches are installed on my 64-bit Plasma system. I am assuming the 32-bit packages are installed due to the presence of an old 32-bit Google Earth, even though it is not on either list that "urpmq --whatrequires" produces.
Packages installed cleanly. Used The Gimp to view some png images that I had saved several years ago. All looked good. Same with several images in Libreoffice Draw.
Looks good for 64-bit, too. Validating. Advisory in Comment 5.
An update for this issue has been pushed to the Mageia Updates repository.