Bug 24353 - libpng new security issue CVE-2019-7317
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-12 14:00 CET by David Walser
Modified: 2019-04-05 20:14 CEST

See Also:
Source RPM: libpng-1.6.35-1.mga6.src.rpm
CVE:
Status comment: Patch available from Fedora



Description David Walser 2019-02-12 14:00:39 CET
Fedora has issued an advisory today (February 12):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G4OKIHVFOCL7EQNRJ4RCCY2XFGKMQQF7/

Mageia 6 is also affected.

David Walser 2019-02-12 14:00:46 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-02-14 09:19:22 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => rverschelde

Comment 2 Rémi Verschelde 2019-02-14 09:36:31 CET
Thanks, working on it now.

Comment 3 Rémi Verschelde 2019-02-14 09:40:57 CET
I could add the patch from Fedora, but it looks like upstream is about to release 1.6.37 with the fix (as of 6 hours ago [0]), so I'll wait for this version tag. It doesn't seem critical enough to warrant going faster than upstream, who usually patch things and release updates in a timely manner.

[0] https://github.com/glennrp/libpng/issues/275#issuecomment-463466236

Status: NEW => ASSIGNED

David Walser 2019-03-09 17:31:39 CET

Status comment: (none) => Patch available from Fedora

Comment 4 Rémi Verschelde 2019-03-29 10:51:39 CET
Well, I changed my mind; the new upstream maintainer doesn't seem in a hurry to make a patch release fixing a known security vulnerability, so I'll backport the patch.

Comment 5 Rémi Verschelde 2019-03-29 11:09:54 CET
Fixed in Cauldron with libpng-1.6.36-2.mga7. Update candidate for Mageia 6 below:

Advisory:
=========

Updated libpng packages fix security vulnerability

  png_image_free in png.c in libpng 1.6.0 up to 1.6.36 had a use-after-free
  because png_image_free_function is called under png_safe_execute
  (CVE-2019-7317).

References:
 - https://github.com/glennrp/libpng/issues/275
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317


RPMs in core/updates_testing:
=============================

lib64png16_16-1.6.35-1.1.mga6
lib64png-devel-1.6.35-1.1.mga6

SRPM in core/updates_testing:
=============================

libpng-1.6.35-1.1.mga6

Whiteboard: MGA6TOO => (none)
Assignee: rverschelde => qa-bugs

Rémi Verschelde 2019-03-29 11:45:42 CET

Version: Cauldron => 6
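
The pattern named in the advisory above, as an added example that is neither libpng's code nor part of the original bug report: a simplified C model in which a cleanup callback releases a control structure that the error-trapping wrapper still writes to afterwards, next to the direct-call form that avoids it. All struct and function names are hypothetical stand-ins, and release is modelled with an `alive` flag so the stale write can be counted without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not libpng source; every name below is hypothetical. */
struct control { int alive; void *error_buf; };  /* stands in for image->opaque */
struct image { struct control *opaque; };
static struct control pool;  /* static storage: a stale access is countable, not UB */
static char jmp_marker;      /* stands in for the wrapper's jmp_buf */
static int stale_writes;     /* writes made to a control after its release */
static void set_error_buf(struct control *c, void *buf) {
    if (!c->alive) stale_writes++;  /* with a real allocator: write into freed heap */
    c->error_buf = buf;
}

static int free_function(void *arg) {  /* cleanup callback: releases the control */
    ((struct image *)arg)->opaque->alive = 0;
    return 1;
}

/* Error-trapping wrapper: installs a handler, runs fn, restores the old one. */
static int safe_execute(struct image *img, int (*fn)(void *), void *arg) {
    void *saved = img->opaque->error_buf;
    set_error_buf(img->opaque, &jmp_marker);
    int result = fn(arg);
    set_error_buf(img->opaque, saved);  /* control may already be released */
    return result;
}

/* use_wrapper = 1 models the affected call path, 0 the direct call. */
static void image_free(struct image *img, int use_wrapper) {
    if (img == NULL || img->opaque == NULL || img->opaque->error_buf != NULL)
        return;
    if (use_wrapper) (void)safe_execute(img, free_function, img);
    else (void)free_function(img);
    img->opaque = NULL;
}

int count_stale_writes(int use_wrapper) {  /* writes that hit a released control */
    struct image img = { &pool };
    pool = (struct control){ 1, NULL };
    stale_writes = 0;
    image_free(&img, use_wrapper);
    return stale_writes;
}

int main(void) {
    printf("wrapper=%d direct=%d\n", count_stale_writes(1), count_stale_writes(0));
    return 0;
}
```
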

Comment 6 Len Lawrence 2019-03-29 19:15:28 CET
mga6, x86_64

CVE-2019-7317
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
It appears that the reproducer needs to be run with fuzz_target_binary, a fuzzer which should be compiled with ASAN support so it is out of QA's reach.

Updated the packages.

There are 431 packages listed as depending on the library, among them blender, celestia, darktable, firefox, gif2png, gthumb, imagemagick and graphicsmagick, mplayer, virtualbox and a host of games.

Restarted firefox - all OK.
Ran a trace on darktable, which worked as expected.
$ grep libpng16 trace
open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libpng16.so.16.35.0", O_RDONLY) = 3

Opened and closed celestia and the trace file contained the same comments as above.

$ gif2png partlysunny.gif 
gif2png: 76 unused colors; convert with -O to remove
The resulting PNG image looked like a perfect copy of the GIF.
The trace contained "open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3"

This update is OK for 64 bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 7 Len Lawrence 2019-03-29 19:30:18 CET
It turns out that there is a documented QA procedure for this.
The comment 6 tests should be enough but we can add sam2p.
$ sam2p OrphanBlack.png tatiana.pdf
The output image can be viewed OK in okular or IM display.

Comment 8 José Jorge 2019-03-30 08:06:01 CET
Just opened some png files in gwenview... 32 bits.

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
CC: (none) => lists.jjorge

Comment 9 Len Lawrence 2019-03-30 08:43:54 CET
Thanks José for the i586 tests here and elsewhere.  It is always comforting to have the dual architecture OKs.  We can validate this.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2019-04-04 15:36:35 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2019-04-05 20:14:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0126.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

