Bug 24101 - libpgf missing update for security issue CVE-2015-6673
Summary: libpgf missing update for security issue CVE-2015-6673
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-12-31 20:20 CET by David Walser
Modified: 2019-01-05 19:32 CET
CC: 2 users

See Also:
Source RPM: libpgf-6.12.24-7.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-12-31 20:20:56 CET
I don't know how we missed this, but better late than never.

Advisory:
========================

Updated libpgf packages fix security vulnerability:

Use-after-free vulnerability in Decoder.cpp in libpgf before 6.15.32
(CVE-2015-6673).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6673
https://www.openwall.com/lists/oss-security/2015/08/25/9
========================

Updated packages in core/updates_testing:
========================
libpgf6-6.12.24-7.1.mga6
libpgf-doc-6.12.24-7.1.mga6
libpgf-devel-6.12.24-7.1.mga6

from libpgf-6.12.24-7.1.mga6.src.rpm
Comment 1 Lewis Smith 2018-12-31 21:58:23 CET
This is weird.
 $ urpmq -i lib64pgf6
Name        : lib64pgf6
Summary     : PGF (Progressive Graphics File) library
Description :
libPGF contains an implementation of the Progressive Graphics File (PGF)
which is a new image file format, that is based on a discrete, fast
wavelet transform with progressive coding features. PGF can be used
for lossless and lossy compression.
This package provides the runtime library.

 $ urpmq --whatrequires lib64pgf6
 $ urpmq --whatrequires-recursive lib64pgf6
come up with nothing but itself.
 $ urpmq -l lib64pgf6 | sort -u
 /usr/lib64/libpgf.so.6
 /usr/lib64/libpgf.so.6.0.7
So just a library, with no associated user program.

The best CVE reference is:
 https://bugzilla.redhat.com/show_bug.cgi?id=1251749
which has a test file https://bugzilla.redhat.com/attachment.cgi?id=1060748
but it gets heavy:
"How reproducible:
In the upstream's repo, there is a proof-of-concept utility (https://sourceforge.net/p/libpgf/code/HEAD/tree/trunk/pgf ,
note: the bug is in the library, not in this utility).
Issuing the following commands with the attached crash.pgf:
 $ ./libpgf-code-136-trunk/pgf/build/src/pgf -d crash.pgf out.gif".

This is way outside Mageia-land, and I do not think we should go there.
Must stop now, but I think a clean update (not just install) should do.

CC: (none) => lewyssmith

Comment 2 David Walser 2018-12-31 22:01:14 CET
That is weird.  It should show as required by digikam (specifically lib64digikamcore5 and lib64digikamdatabase5), but perhaps the version in Mageia 6 doesn't use it anymore (I was actually checking on Mageia 5).  If it's really not required, lemme know and I'll obsolete it in Cauldron.
Comment 3 David Walser 2019-01-01 17:46:49 CET
Someone confirmed that it's not used in Cauldron, so just validate this for a clean update, and it'll be dropped for Mageia 7.
Comment 4 Lewis Smith 2019-01-01 19:57:20 CET
M6 x64

Further to comments 1 and 2.
 $ urpmq --requires digikam | grep pgf
 $ 
 $ urpmq --requires lib64digikamcore5 | grep pgf
 $ 
 $ urpmq --requires lib64digikamdatabase5 | grep pgf
 $
So it is not used.

BEFORE update, installed: lib64pgf6-6.12.24-7.mga6
AFTER seamless update: lib64pgf6-6.12.24-7.1.mga6

Validating, advisorying.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs
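The BEFORE/AFTER check in comment 4 only works because the QA tester compares against the distro's own advisory release (7.1.mga6), not the upstream "fixed in 6.15.32" version from the CVE text: Mageia 6 stays on 6.12.24 and carries the fix as a backport. The script below is an added example, not part of this bug report and not Mageia's QA tooling; it reimplements the rpmvercmp segment rules in POSIX sh (simplified: no epoch, no `~`/`^` handling), parses name-version-release strings, and runs both comparisons over the package names quoted in this bug (constructed inputs). The function names (`rpm_vercmp`, `update_applied`, `naive_upstream_status`) are this example's own.

```shell
#!/bin/sh
# Added example: rpmvercmp-style comparison of the NVRs from this bug.
# Simplified rules: no epoch, no '~'/'^' segments.

# Split a version or release string into rpmvercmp segments: maximal runs
# of digits or of letters, separators dropped, one space between segments.
rpm_segments() {
    printf '%s\n' "$1" | sed \
        -e 's/[^0-9A-Za-z][^0-9A-Za-z]*/ /g' \
        -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
        -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
        -e 's/^ *//' -e 's/ *$//'
}

# Succeed if $1 sorts strictly after $2 in byte order.
str_gt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$2" ]
}

# rpm_vercmp A B: print 1 if A is newer, -1 if older, 0 if equal.
rpm_vercmp() {
    a=$(rpm_segments "$1"); b=$(rpm_segments "$2")
    while :; do
        if [ -z "$a" ] && [ -z "$b" ]; then printf '%s\n' 0; return; fi
        if [ -z "$a" ]; then printf '%s\n' -1; return; fi   # leftover wins
        if [ -z "$b" ]; then printf '%s\n' 1; return; fi
        sa=${a%% *}; sb=${b%% *}
        a=${a#"$sa"}; a=${a# }; b=${b#"$sb"}; b=${b# }
        case $sa in *[!0-9]*) anum=0 ;; *) anum=1 ;; esac
        case $sb in *[!0-9]*) bnum=0 ;; *) bnum=1 ;; esac
        if [ "$anum" = 1 ] && [ "$bnum" = 1 ]; then
            # Numeric segments: drop leading zeros, longer wins, else byte order.
            sa=${sa#"${sa%%[!0]*}"}; sb=${sb#"${sb%%[!0]*}"}
            if [ ${#sa} -gt ${#sb} ]; then printf '%s\n' 1; return; fi
            if [ ${#sa} -lt ${#sb} ]; then printf '%s\n' -1; return; fi
        elif [ "$anum" = 1 ]; then printf '%s\n' 1; return   # numeric beats alpha
        elif [ "$bnum" = 1 ]; then printf '%s\n' -1; return
        fi
        if str_gt "$sa" "$sb"; then printf '%s\n' 1; return; fi
        if str_gt "$sb" "$sa"; then printf '%s\n' -1; return; fi
    done
}

# nvr_split NAME-VERSION-RELEASE: set NAME, VER, REL.
nvr_split() {
    REL=${1##*-}; _nv=${1%-*}; VER=${_nv##*-}; NAME=${_nv%-*}
}

# vr_cmp V1-R1 V2-R2: compare version first, then release.
vr_cmp() {
    r=$(rpm_vercmp "${1%-*}" "${2%-*}")
    [ "$r" != 0 ] && { printf '%s\n' "$r"; return; }
    rpm_vercmp "${1##*-}" "${2##*-}"
}

# update_applied INSTALLED ADVISORY: succeed if the installed package has the
# same name and is at or above the advisory's version-release.
update_applied() {
    nvr_split "$1"; in_name=$NAME; in_vr="$VER-$REL"
    nvr_split "$2"; ad_name=$NAME; ad_vr="$VER-$REL"
    [ "$in_name" = "$ad_name" ] || return 2
    [ "$(vr_cmp "$in_vr" "$ad_vr")" != "-1" ]
}

# naive_upstream_status VERSION UPSTREAM_FIXED: what a scanner that only
# knows "fixed in 6.15.32" says; it cannot see a distro backport.
naive_upstream_status() {
    if [ "$(rpm_vercmp "$1" "$2")" = "-1" ]; then printf '%s\n' vulnerable
    else printf '%s\n' fixed; fi
}

# Constructed demo using the package names quoted in this bug (x86_64 names).
BEFORE=lib64pgf6-6.12.24-7.mga6
AFTER=lib64pgf6-6.12.24-7.1.mga6
ADVISORY=lib64pgf6-6.12.24-7.1.mga6   # release fixed by this update
UPSTREAM_FIXED=6.15.32                # "libpgf before 6.15.32" in the CVE text

for pkg in "$BEFORE" "$AFTER"; do
    nvr_split "$pkg"
    up=$(naive_upstream_status "$VER" "$UPSTREAM_FIXED")
    if update_applied "$pkg" "$ADVISORY"; then distro=fixed; else distro=vulnerable; fi
    printf '%-28s distro advisory: %-11s upstream version: %s\n' "$pkg" "$distro" "$up"
done
```

The second output line is the point: after the update the distro check reports fixed while the upstream-version check still reports vulnerable, which is the false positive you get from scanners that match only on upstream version numbers. For anything beyond a demo, use rpm's own comparison (for example `rpmdev-vercmp` from rpmdevtools), which also handles epochs and `~`/`^` ordering that this simplified version omits.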

Comment 5 Mageia Robot 2019-01-05 19:32:00 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0014.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

