Bug 3264 - Updated libpng package to fix several CVE issues
Summary: Updated libpng package to fix several CVE issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Duplicates: 3263
Depends on:
Blocks:
 
Reported: 2011-11-04 14:16 CET by Funda Wang
Modified: 2011-11-07 18:21 CET
CC List: 3 users

See Also:
Source RPM: libpng-1.2.46-1.mga1
CVE:
Status comment:

Description Funda Wang 2011-11-04 14:16:36 CET
Some vulnerabilities were discovered and corrected in libpng:

* All released versions of libpng (from 1.0 onward) have a buffer overrun in the code that promotes palette images with transparency (1 channel) to grayscale+alpha images (2 channels), but only for applications that call png_rgb_to_gray() and not png_set_expand(). (None are known.) An arbitrary amount of memory may be overwritten in this case, with arbitrary (attacker-controlled) data. This vulnerability has been assigned ID CVE-2011-2690. 

* libpng 1.2.20 and later crashes in png_default_error() due to internal use of a NULL pointer instead of the empty string (""). This vulnerability has been assigned ID CVE-2011-2691. 

* Many (most?) versions of libpng read uninitialized memory when handling empty sCAL chunks, and they handle malformed sCAL chunks (those lacking a delimiting NULL between the internal strings) incorrectly. This vulnerability has been assigned ID CVE-2011-2692.

The updated packages have been updated to the latest stable version to correct these
issues, plus other bug fixes.
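The sCAL issue (CVE-2011-2692) described above comes down to reading chunk bytes before checking that they exist and assuming the NUL delimiter between the two strings is present. The following is an added example, not libpng's own code and not part of this bug report, of a bounds-checked sCAL payload parser that handles both the empty-chunk and the missing-delimiter cases; the function and type names (scal_parse, scal_chunk, the status codes) and the sample payloads are the example's own assumptions, built from the PNG specification's layout of the chunk (one unit byte, an ASCII width string, a NUL, an ASCII height string).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Result codes for the example sCAL validator (hypothetical names). */
enum scal_status {
    SCAL_OK = 0,
    SCAL_EMPTY,          /* zero-length chunk: nothing may be read */
    SCAL_TRUNCATED,      /* unit byte present but no width string */
    SCAL_BAD_UNIT,       /* unit specifier is not 1 (meter) or 2 (radian) */
    SCAL_NO_DELIMITER,   /* no NUL between the width and height strings */
    SCAL_EMPTY_FIELD,    /* width or height string is zero length */
    SCAL_BAD_NUMBER      /* a string is not a plain ASCII number, or is too long */
};

/* Parsed result; width/height are copied into fixed, bounded buffers. */
struct scal_chunk {
    uint8_t unit;
    char width[64];
    char height[64];
};

/* Accept the spec's ASCII floating-point syntax: optional sign, digits,
   optional fraction, optional exponent. Anything else (including NUL) fails. */
static int scal_number_ok(const char *s, size_t n)
{
    size_t i = 0;
    int digits = 0;
    if (n == 0) return 0;
    if (s[i] == '+' || s[i] == '-') i++;
    while (i < n && s[i] >= '0' && s[i] <= '9') { i++; digits++; }
    if (i < n && s[i] == '.') {
        i++;
        while (i < n && s[i] >= '0' && s[i] <= '9') { i++; digits++; }
    }
    if (!digits) return 0;
    if (i < n && (s[i] == 'e' || s[i] == 'E')) {
        int ed = 0;
        i++;
        if (i < n && (s[i] == '+' || s[i] == '-')) i++;
        while (i < n && s[i] >= '0' && s[i] <= '9') { i++; ed++; }
        if (!ed) return 0;
    }
    return i == n;
}

/* Parse an sCAL payload (the bytes between the chunk type and the CRC).
   Every access is checked against len before it happens, so an empty or
   truncated chunk never causes a read of bytes that were never supplied. */
enum scal_status scal_parse(const uint8_t *data, size_t len, struct scal_chunk *out)
{
    const uint8_t *nul;
    size_t wlen, hlen;

    if (len == 0) return SCAL_EMPTY;          /* empty chunk: do not look at data[] at all */
    if (len < 2) return SCAL_TRUNCATED;       /* unit byte only, no strings */
    if (data[0] != 1 && data[0] != 2) return SCAL_BAD_UNIT;

    /* memchr is bounded by len - 1, so a chunk with no NUL cannot run off the end. */
    nul = memchr(data + 1, 0, len - 1);
    if (nul == NULL) return SCAL_NO_DELIMITER;

    wlen = (size_t)(nul - (data + 1));
    hlen = len - 1 - wlen - 1;               /* bytes after the delimiter */
    if (wlen == 0 || hlen == 0) return SCAL_EMPTY_FIELD;
    if (wlen >= sizeof out->width || hlen >= sizeof out->height) return SCAL_BAD_NUMBER;

    /* A second NUL inside the height field would hide trailing bytes; reject it. */
    if (memchr(nul + 1, 0, hlen) != NULL) return SCAL_BAD_NUMBER;

    if (!scal_number_ok((const char *)data + 1, wlen)) return SCAL_BAD_NUMBER;
    if (!scal_number_ok((const char *)nul + 1, hlen)) return SCAL_BAD_NUMBER;

    out->unit = data[0];
    memcpy(out->width, data + 1, wlen);  out->width[wlen] = '\0';
    memcpy(out->height, nul + 1, hlen);  out->height[hlen] = '\0';
    return SCAL_OK;
}

/* Convenience wrapper: parse into a file-scope result and return the status. */
static struct scal_chunk scal_parsed;
int scal_parse_status(const uint8_t *data, size_t len)
{
    return (int)scal_parse(data, len, &scal_parsed);
}

/* Constructed sample payloads for the example (not taken from any real file). */
static const uint8_t scal_good[]  = { 1, '1', '.', '5', 0, '2', 'e', '-', '3' };
static const uint8_t scal_nonul[] = { 1, '1', '.', '5', '2', '.', '0' };
static const uint8_t scal_unit[]  = { 2 };

int main(void)
{
    printf("good:   status %d, width %s, height %s\n",
           scal_parse_status(scal_good, sizeof scal_good), scal_parsed.width, scal_parsed.height);
    printf("empty:  status %d\n", scal_parse_status(scal_good, 0));
    printf("no NUL: status %d\n", scal_parse_status(scal_nonul, sizeof scal_nonul));
    printf("unit:   status %d\n", scal_parse_status(scal_unit, sizeof scal_unit));
    return 0;
}
```

The two checks that matter for the advisory text are the early `len == 0` return (an empty chunk is rejected before any byte is examined) and the length-bounded `memchr` (a chunk without the delimiting NUL is reported as malformed instead of being scanned past its end); the remaining checks reject fields that are empty, over-long, or not numeric so that nothing unvalidated reaches the caller.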
Comment 1 Funda Wang 2011-11-04 14:17:48 CET
@distrib-admins, the reason I updated the version rather than using CVE patches is that most other distros are upgrading rather than patching for these issues.
Comment 2 Manuel Hiebel 2011-11-04 16:15:21 CET
Hello, duplicate of bug 3263, no? :)
Comment 3 Funda Wang 2011-11-04 16:49:00 CET
*** Bug 3263 has been marked as a duplicate of this bug. ***
Comment 4 Dave Hodgins 2011-11-05 20:56:42 CET
Testing complete on i586 for the srpm
libpng-1.2.46-1.mga1.src.rpm

No POC, so just confirming xv *.png works.

CC: (none) => davidwhodgins

Comment 5 claire robinson 2011-11-07 12:01:41 CET
Tested OK x86_64

Advisory
-----------------
Some vulnerabilities were discovered and corrected in libpng:

* All released versions of libpng (from 1.0 onward) have a buffer overrun in
the code that promotes palette images with transparency (1 channel) to
grayscale+alpha images (2 channels), but only for applications that call
png_rgb_to_gray() and not png_set_expand(). (None are known.) An arbitrary
amount of memory may be overwritten in this case, with arbitrary
(attacker-controlled) data. This vulnerability has been assigned ID
CVE-2011-2690. 

* libpng 1.2.20 and later crashes in png_default_error() due to internal use of
a NULL pointer instead of the empty string (""). This vulnerability has been
assigned ID CVE-2011-2691. 

* Many (most?) versions of libpng read uninitialized memory when handling empty
sCAL chunks, and they handle malformed sCAL chunks (those lacking a delimiting
NULL between the internal strings) incorrectly. This vulnerability has been
assigned ID CVE-2011-2692.

The updated packages have been updated to the latest stable version to correct
these issues, plus other bug fixes.
-------------------

SRPM: libpng-1.2.46-1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2011-11-07 18:21:50 CET
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED