Fedora has issued an advisory on November 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KYWBUK3C43TIX3DXS26JX2XEVJSRXJDN/

The issue was fixed in this commit:
https://src.fedoraproject.org/rpms/pngcheck/c/cc48791e34201caf7b686084b735d06cef66c974?branch=master

Mageia 7 may also be affected.
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => zen25000
Keywords: (none) => Triaged
Fixed in Cauldron. The patch does apply and it builds for Mga7. I have no idea if it affects Mga7, but seems logical that it does, so I will push it to updates testing after a quick functional test. Tomorrow :)
I just noticed that the original Fedora bug was against 2.3 so yes it does need fixing in Mga7 as well.
Status comment: (none) => assigned
pngcheck-2.3.0-4.1.mga7 has been pushed to 7/core/updates_testing

#####################
Advisory

This update fixes a potential global buffer overflow in the check_chunk_name function via a crafted png file.

#####################
References

Fedora issued an advisory on November 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KYWBUK3C43TIX3DXS26JX2XEVJSRXJDN/

The issue was fixed in this commit:
https://src.fedoraproject.org/rpms/pngcheck/c/cc48791e34201caf7b686084b735d06cef66c974?branch=master

####################
Files affected

pngcheck-2.3.0-4.1.mga7.i586
pngcheck-debuginfo-2.3.0-4.1.mga7.i586
pngcheck-debugsource-2.3.0-4.1.mga7.i586
pngcheck-2.3.0-4.1.mga7.x86_64
pngcheck-debuginfo-2.3.0-4.1.mga7.x86_64
pngcheck-debugsource-2.3.0-4.1.mga7.x86_64

Provided by:
pngcheck-2.3.0-4.1.mga7.src.rpm

####################
Testing

A set of good and faulty .png files are available here:
http://www.schaik.com/pngsuite/PngSuite-2017jul19.tgz
(Extract to a new folder, there are a lot!)
The bad ones' names all start with 'x', quite interesting ;)
Whiteboard: (none) => MGA7TOO
Assignee: zen25000 => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => zen25000
MGA7, x64

Installed pngcheck and the image test suite.
$ rpm -q pngcheck
pngcheck-2.3.0-4.mga7

Tested some of the provided images in batches with `pngcheck -7` and display.
$ display xs2n0g01.png
display: improper image header `xs2n0g01.png' @ error/png.c/ReadPNGImage/4288.
$ pngcheck -7 xs2n0g01.png
File: xs2n0g01.png (164 bytes)
xs2n0g01.png this is neither a PNG or JNG image nor a MNG stream
ERROR: xs2n0g01.png

[ 1 ] Bug #1897485 - Private bug
https://bugzilla.redhat.com/show_bug.cgi?id=1897485
So we are not going to find a reproducer.

Ran update.
$ rpm -q pngcheck
pngcheck-2.3.0-4.1.mga7

Test all images quietly - only report bad images:
$ pngcheck -q *.png
cm7n0g04.png invalid tIME year (1970)
ERROR: cm7n0g04.png
exif2c08.png illegal (unless recently approved) unknown, public chunk eXIf
ERROR: exif2c08.png
xc1n0g08.png invalid IHDR image type (1)
ERROR: xc1n0g08.png
xc9n2c08.png invalid IHDR image type (9)
ERROR: xc9n2c08.png
xcrn0g04.png: CORRUPTED by text conversion
ERROR: xcrn0g04.png
xcsn0g01.png CRC error in chunk IDAT (computed d02f14c9, expected 4353554d)
ERROR: xcsn0g01.png
xd0n2c08.png invalid IHDR sample depth (0)
ERROR: xd0n2c08.png
xd3n2c08.png invalid IHDR sample depth (3)
ERROR: xd3n2c08.png
xd9n2c08.png invalid IHDR sample depth (99)
[...]

This should find embedded PNG images in other files:
$ pngcheck -s *
OK: basi0g01-1 (32x32, 1-bit grayscale, interlaced, 100.0%).
OK: basi0g02-1 (32x32, 2-bit grayscale, interlaced, 98.4%).
OK: basi0g04-1 (32x32, 4-bit grayscale, interlaced, 99.2%).
......
xcsn0g01-1 CRC error in chunk IDAT (computed d02f14c9, expected 4353554d)
xd0n2c08-1 invalid IHDR sample depth (0)
xd3n2c08-1 invalid IHDR sample depth (3)
xd9n2c08-1 invalid IHDR sample depth (99)
OK: xdtn0g01-1 (32x32, 1-bit grayscale, non-interlaced, 96.9%).
xhdn0g08-1 CRC error in chunk IHDR (computed 56112528, expected 4353554d)
OK: z00n2c08-1 (32x32, 24-bit RGB, non-interlaced, 99.9%).
OK: z03n2c08-1 (32x32, 24-bit RGB, non-interlaced, 99.9%).
OK: z06n2c08-1 (32x32, 24-bit RGB, non-interlaced, 99.9%).
OK: z09n2c08-1 (32x32, 24-bit RGB, non-interlaced, 99.9%).

No errors were detected in 179 of the 179 files tested.

We are probably not supposed to believe that last line - it may mean "no embedded images detected". ???

$ pngcheck -p tp*.png
File: tp0n0g08.png (719 bytes)
OK: tp0n0g08.png (32x32, 8-bit grayscale, non-interlaced, 29.8%).
File: tp0n2c08.png (1594 bytes)
OK: tp0n2c08.png (32x32, 24-bit RGB, non-interlaced, 48.1%).
File: tp0n3p08.png (1476 bytes)
PLTE chunk: 245 palette entries
0: ( 20, 20,109) = (0x14,0x14,0x6d)
1: (128, 86, 86) = (0x80,0x56,0x56)
2: (181,181,184) = (0xb5,0xb5,0xb8)
3: (168, 66, 66) = (0xa8,0x42,0x42)
4: (159,159,159) = (0x9f,0x9f,0x9f)
5: (177, 32, 32) = (0xb1,0x20,0x20)
[....]
242: ( 10, 10, 96) = (0x0a,0x0a,0x60)
243: ( 0, 0,255) = (0x00,0x00,0xff)
244: (191,125,125) = (0xbf,0x7d,0x7d)
tRNS chunk: 1 transparency entry
0: 0 = 0x00
OK: tp1n3p08.png (32x32, 8-bit palette+trns, non-interlaced, -44.8%).

No errors were detected in 4 of the 4 files tested.

$ pngcheck -f x*.png
xc1n0g08.png invalid IHDR image type (1)
ERROR: xc1n0g08.png
xc9n2c08.png invalid IHDR image type (9)
xc9n2c08.png private (invalid?) IDAT row-filter type (255) (warning)
xc9n2c08.png private (invalid?) IDAT row-filter type (255) (warning)
[....]
xlfn0g04.png: CORRUPTED by text conversion
ERROR: xlfn0g04.png
xs1n0g01.png: CORRUPTED by text conversion
ERROR: xs1n0g01.png
xs2n0g01.png this is neither a PNG or JNG image nor a MNG stream
ERROR: xs2n0g01.png
OK: xs4n0g01.png (32x32, 1-bit grayscale, non-interlaced, -28.1%).
xs7n0g01.png: CORRUPTED by text conversion
ERROR: xs7n0g01.png

Errors were detected in 13 of the 14 files tested.
No errors were detected in 1 of the 14 files tested.

No obvious regressions in all this. Giving this a 64-bit OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
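Added example, not part of the bug report or of any participant's comment: a shell helper that compares saved `pngcheck -q` output with the PngSuite naming convention mentioned above (names starting with 'x' are the broken images), so an update can be checked for verdicts that changed. The function names `suite_mismatches` and `run_sample` are hypothetical, and the sample input is constructed from lines quoted in the test report.

```shell
#!/bin/sh
# Added example, not from the bug report. PngSuite convention (noted in the
# thread): file names starting with 'x' are the deliberately broken images.

# suite_mismatches NAMES_FILE PNGCHECK_OUTPUT
#   NAMES_FILE       one tested file name per line (no spaces in names)
#   PNGCHECK_OUTPUT  saved output of `pngcheck -q *.png`
# Prints "MISSED <file>" for an x-file with no "ERROR:" line and
# "UNEXPECTED <file>" for a non-x file that pngcheck reported as an error.
# Real use: ls *.png > names; pngcheck -q *.png > out; suite_mismatches names out
suite_mismatches() {
    awk '
        FILENAME == ARGV[1] {            # first input: pngcheck output
            if ($1 == "ERROR:") flagged[$2] = 1
            next
        }
        {                                # second input: tested file names
            broken = ($1 ~ /^x/)
            if (broken && !($1 in flagged)) print "MISSED", $1
            if (!broken && ($1 in flagged)) print "UNEXPECTED", $1
        }
    ' "$2" "$1"
}

# Constructed sample: six suite file names and a shortened -q style output.
run_sample() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' basi0g01.png cm7n0g04.png exif2c08.png \
        xc1n0g08.png xcsn0g01.png xs4n0g01.png > "$tmp/names"
    cat > "$tmp/out" <<'EOF'
cm7n0g04.png invalid tIME year (1970)
ERROR: cm7n0g04.png
exif2c08.png illegal (unless recently approved) unknown, public chunk eXIf
ERROR: exif2c08.png
xc1n0g08.png invalid IHDR image type (1)
ERROR: xc1n0g08.png
xcsn0g01.png CRC error in chunk IDAT (computed d02f14c9, expected 4353554d)
ERROR: xcsn0g01.png
EOF
    suite_mismatches "$tmp/names" "$tmp/out"
    rm -rf "$tmp"
}

run_sample
```

Lines printed by the helper are items to review by hand, not failures in themselves; running it before and after the update and diffing the two results shows whether any verdict changed.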
Validating update. Advisory pushed to SVN.
Keywords: Triaged => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0444.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This is CVE-2020-27818: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6X67BQ55SUAPPGYOKAMOSKREWWBB3IML/
Summary: pngcheck new security issue rhbz#1897485 => pngcheck new security issue rhbz#1897485 (CVE-2020-27818)