The newest version available in 2010.2/main/updates is libglpng1-1.45-4.1mdv2010.1 so this package doesn't get upgraded when upgrading to Mageia 1.
This is due to a security patch that was added in the MDV package that was missed by Mageia. It is also missing in the Cauldron version of this package. The patch is available in Mandriva's SVN: http://svn.mandriva.com/svn/packages/cooker/libglpng/current/SOURCES/libglpng-1.45-CVE-2010-1519.diff
Component: RPM Packages => Security
Hi, thanks for reporting this bug. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
CC: (none) => dmorganec, fundawang
The security advisory is here: http://lists.mandriva.com/security-announce/2010-09/msg00013.php
Assignee: bugsquad => dmorganec
Status: NEW => ASSIGNED
done and pushed in the BS
Assignee: dmorganec => qa-bugs
Testing complete on i586 for the srpm libglpng-1.45-5.2.mga1.src.rpm. No PoC for the CVE, so just testing that it works. According to urpmq --whatrequires libglpng1 the only package using this library is chromium. The game chromium-bsu works, so testing complete.
CC: (none) => davidwhodgins
I can second Dave Hodgins' report that it works on i586 by playing chromium-bsu.
Testing complete on x86_64

Advisory
-------------
This update addresses the following CVE:

- CVE-2010-1519
Multiple integer overflows in glpng.c in glpng 1.45 allow context-dependent attackers to execute arbitrary code via a crafted PNG image, related to (1) the pngLoadRawF function and (2) the pngLoadF function, leading to heap-based buffer overflows.
-------------

SRPM: libglpng-1.45-5.2.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
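Added illustration of the bug class the advisory names (integer overflow in a size computation leading to a heap overflow); this is constructed example code, not glpng's own source or any code from this bug report, and it models a 32-bit size_t like the i586 build so the arithmetic is fixed:

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed illustration of the bug class in CVE-2010-1519: a raw
 * image loader derives its malloc() size from PNG header dimensions it
 * does not control. This is NOT glpng's code; it models the pattern for
 * a 32-bit size_t so the numbers below are deterministic. */

/* Unsafe: width * height * channels in 32-bit arithmetic wraps mod 2^32,
 * so a crafted header yields a tiny allocation that is later overrun. */
uint32_t raw_size32_unchecked(uint32_t w, uint32_t h, uint32_t channels) {
    return w * h * channels;
}

/* Hardened: do the product in 64-bit and refuse anything that cannot fit
 * the 32-bit allocator size or is otherwise implausible. 0 means reject. */
uint32_t raw_size32_checked(uint32_t w, uint32_t h, uint32_t channels) {
    if (w == 0 || h == 0 || channels == 0 || channels > 4)
        return 0;
    /* PNG itself limits each dimension to 2^31 - 1. */
    if (w > INT32_MAX || h > INT32_MAX)
        return 0;
    uint64_t bytes = (uint64_t)w * h * channels; /* < 2^64, cannot wrap */
    if (bytes > UINT32_MAX)
        return 0;
    return (uint32_t)bytes;
}

/* Allocate the decoded raw buffer only when the size survived the check. */
unsigned char *alloc_raw_image(uint32_t w, uint32_t h, uint32_t channels) {
    uint32_t n = raw_size32_checked(w, h, channels);
    return n ? (unsigned char *)malloc(n) : NULL;
}

/* Self-check helper: 1 if the allocation succeeds (and is freed), else 0. */
int alloc_ok(uint32_t w, uint32_t h, uint32_t channels) {
    unsigned char *p = alloc_raw_image(w, h, channels);
    if (!p)
        return 0;
    free(p);
    return 1;
}
```

With the constructed header 65537 x 65536 x 1 the unchecked product wraps to 65536 bytes, while the checked version rejects it outright.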
Update pushed.
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED