Various versions of libpng through 1.5.11, 1.4.11, 1.2.49, and 1.0.59, respectively, set the top-level archive-extraction directory's permissions to be world-writable as part of the distcheck Makefile target's operations (configure-generated Makefile only). This could allow a local attacker on the build host to silently replace the extracted libpng library with a malicious version, conceivably poisoning an official binary distribution of libpng (though the likelihood of this is remote).

This vulnerability has been assigned ID CVE-2012-3386 and is fixed in version 1.5.12 (and versions 1.4.12, 1.2.50, and 1.0.60, respectively, on the older branches), released 10 July 2012.

The packages in Mageia 1 and Mageia 2 have been updated to fix the above problem.

Mageia 1: libpng-1.2.50-1.mga1
Mageia 2: libpng-1.5.12-1.mga2, libpng12-1.2.50-1.mga2
Whiteboard: (none) => MGA1TOO
I'm all for doing security updates obviously, but is this update really needed? CVE-2012-3386 doesn't affect users of libpng, only people building it, and it actually affects almost every package in the distribution (and we're obviously not issuing updates for everything). Also, if we issue the update for automake (Bug 6749), anyone that wants to build libpng or anything else locally can avoid the vulnerability by regenerating Makefile.in with automake.
CC: (none) => luigiwalser
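One way to audit a local build tree for the condition discussed in this thread, as an added example that is not part of the bug report or of the libpng or automake sources: it flags Makefile / Makefile.in files whose recipe grants world write access on $(distdir) and lists world-writable directories left behind. The recipe text and the libpng-x.y.z directory name are constructed samples, and the chmod pattern is an assumption about what the affected recipe looks like.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumption: the risky recipe is a
# chmod that gives "other"/"all" write access to $(distdir).

# List Makefile / Makefile.in files whose recipes make $(distdir) world-writable.
find_risky_makefiles() {
    find "$1" -type f \( -name Makefile -o -name Makefile.in \) -exec grep -lE \
        'chmod[[:space:]]+(-R[[:space:]]+)?([ugoa]*[oa][ugoa]*\+[rwxXst]*w[rwxXst]*|[0-7]*[2367])[[:space:]]+\$\(distdir\)' \
        {} + | sort
}

# List directories that are world-writable and lack the sticky bit.
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# Build a constructed sample tree: "old" mimics the affected recipe and a
# leftover extraction directory, "fixed" restricts write access to the owner.
make_fixture() {
    umask 022
    t=$(mktemp -d) || return 1
    mkdir -p "$t/old/libpng-x.y.z" "$t/fixed/libpng-x.y.z"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n' \
        > "$t/old/Makefile.in"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n' \
        > "$t/fixed/Makefile.in"
    chmod 777 "$t/old/libpng-x.y.z"
    printf '%s\n' "$t"
}

tree=$(make_fixture)
echo "Makefiles granting world write on distdir:"; find_risky_makefiles "$tree"
echo "World-writable directories:";                world_writable_dirs "$tree"
rm -rf "$tree"
```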
# urpmq -a lib64png
lib64png-devel
lib64png12-devel
lib64png12_0
lib64png15_15
lib64pnglite-devel
lib64pnglite0

Which of these have been updated please?
looking at the changelog ML I think it's all of them apart from the pnglite ones

libpng and libpng12 appear to have been updated.

# urpmf --sourcerpm --media Release libpng
lib64png-devel:libpng-1.5.10-1.mga2.src.rpm
lib64png15_15:libpng-1.5.10-1.mga2.src.rpm
lib64png12_0:libpng12-1.2.49-1.mga2.src.rpm
lib64png12-devel:libpng12-1.2.49-1.mga2.src.rpm
libpng-debug:libpng-1.5.10-1.mga2.src.rpm
libpng12-debug:libpng12-1.2.49-1.mga2.src.rpm
libpnglite0:pnglite-0.1.17-2.mga2.src.rpm
libpnglite-devel:pnglite-0.1.17-2.mga2.src.rpm
libpng-devel:libpng-1.5.10-1.mga2.src.rpm
libpng15_15:libpng-1.5.10-1.mga2.src.rpm
libpng12-devel:libpng12-1.2.49-1.mga2.src.rpm
libpng12_0:libpng12-1.2.49-1.mga2.src.rpm
libpng-debug:libpng-1.5.10-1.mga2.src.rpm
libpng12-debug:libpng12-1.2.49-1.mga2.src.rpm
Tested lib64png12 with xv (open image) and lib64png15 with qrencoder (produce the QR code in PNG). Test OK.

Stblack
CC: (none) => stblack
Whiteboard: MGA1TOO => MGA1TOO, MGA2-64-OK
I agree with David here. This security problem does not affect Mageia. No update needed.
CC: (none) => malo
Thank you both.

Assigning Funda, could you please remove the updates from Testing if you agree and close the bug.

Thanks.
CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang
(In reply to comment #6)
> Thank you both.
>
> Assigning Funda, could you please remove the updates from Testing if you agree
> and close the bug.
>
> Thanks.

reassign to sysadmin then

(In reply to comment #0)
> Mageia 1: libpng-1.2.50-1.mga1
> Mageia 2: libpng-1.5.12-1.mga2, libpng12-1.2.50-1.mga2
Component: Security => RPM Packages
Assignee: fundawang => sysadmin-bugs
Summary: [Update Request] Update libpng[,12] to fix CVE-2012-3386 => remove package in Update testing: libpng[,12]
Removed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED