Bug 121750 - CAN-2004-0421 libpng 1.2.5 released, contains DoS fix
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: libpng
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Matthias Clasen
ftp://swrinde.nde.swri.edu/pub/png/sr...
Keywords: Security
Duplicates: 99052 122329
Reported: 2004-04-27 06:38 EDT by Robert Scheck
Modified: 2007-11-30 17:10 EST

Doc Type: Bug Fix
Last Closed: 2004-05-19 11:11:16 EDT

Attachments
libpng-1.2.5-rhconf.patch (2.95 KB, patch)
2004-04-27 13:49 EDT, Robert Scheck
libpng-1.2.5-oob_error_message.patch (832 bytes, patch)
2004-05-03 06:53 EDT, Robert Scheck
libpng-1.2.5-rhconf.patch (3.38 KB, patch)
2004-05-15 07:37 EDT, Robert Scheck
libpng-1.2.5-oob_error_message.patch (830 bytes, patch)
2004-05-15 07:39 EDT, Robert Scheck

Description Robert Scheck 2004-04-27 06:38:53 EDT
Description of problem:
libpng 1.2.5 was released last year in October and Fedora Development
is hanging around 1.2.2. 1.2.5 contains lots of fixes to 1.2.4 and
even more to 1.2.2; for more, have a look at
ftp://swrinde.nde.swri.edu/pub/png/src/libpng-1.2.5-README.txt and
at the changelog.

Version-Release number of selected component (if applicable):
libpng-1.2.2-19.1

Actual results:
For me, a simple update to 1.2.5 worked very well.

Expected results:
Upgrade to 1.2.5 ;-)
Comment 1 Robert Scheck 2004-04-27 13:48:02 EDT
Oops, I was so happy that I wasn't forced to do patch merging, so
I didn't see the bad makefile solution...

I wrote a patch (attached) that works perfectly for me; these are my
changes in the spec file:

--- libpng.spec         2004-03-02 22:41:43.000000000 +0100
+++ libpng.spec.rsc     2004-04-27 19:49:26.000000000 +0200
@@ -1,12 +1,11 @@
 Summary: A library of functions for manipulating PNG image format files.
 Name: libpng
-Version: 1.2.2
-Release: 19.1
+Version: 1.2.5
+Release: 1
 License: OSI certified
 Group: System Environment/Libraries
 Source: ftp://swrinde.nde.swri.edu/pub/png/src/libpng-%{version}.tar.bz2
-Source2: ftp://swrinde.nde.swri.edu/pub/png/src/libpng-1.2.2patch03-makefiles.tar.gz
-Patch0: libpng-1.2.2-rhconf.patch
+Patch0: libpng-1.2.5-rhconf.patch
 Patch1: libpng-1.0.9-badchunks.patch
 Patch2: libpng-1.2.2-libdirfix.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-root
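Review bot: Patch1 (libpng-1.0.9-badchunks.patch) and Patch2 (libpng-1.2.2-libdirfix.patch) stay in the header unchanged while Version jumps from 1.2.2 to 1.2.5, so each should be checked against the 1.2.5 tree and either rebased and renamed, as was done for Patch0, or dropped if upstream already carries the change. A patch that still applies with fuzz can land in the wrong place without failing the build. The diff also has no %changelog hunk, so the version bump and the removal of Source2 go unrecorded in the spec.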
@@ -43,8 +41,6 @@

 %prep
 %setup -q
-## dump in the fixed makefiles (remove this with 1.2.3, presumably)
-(cd scripts && tar zxf %{SOURCE2})

 ln -s scripts/makefile.linux Makefile
 %patch0 -p1 -b .rhconf
@@ -58,15 +54,6 @@
 rm -rf $RPM_BUILD_ROOT

 make install prefix=$RPM_BUILD_ROOT/usr LIBPATH=$RPM_BUILD_ROOT%{_libdir}
-mkdir -p $RPM_BUILD_ROOT%{_mandir}/man{3,5}
-install -c -m 644 *.3 $RPM_BUILD_ROOT%{_mandir}/man3
-install -c -m 644 *.5 $RPM_BUILD_ROOT%{_mandir}/man5
-
-ln -s libpng12/png.h $RPM_BUILD_ROOT%{_includedir}
-ln -s libpng12/pngconf.h $RPM_BUILD_ROOT%{_includedir}
-
-# I don't know what this is doing here.
-rm -f $RPM_BUILD_ROOT%{_mandir}/man5/libpng.so*

 %post -p /sbin/ldconfig

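Review bot: The removed `ln -s libpng12/png.h` and `ln -s libpng12/pngconf.h` lines, together with the removed man page installs, leave `make install` as the only step that populates %{_includedir} and %{_mandir}, and nothing in the diff shows that the 1.2.5 makefile creates those files. Confirm it with a build and record it in a spec comment; otherwise anything that includes png.h from the top-level include directory stops compiling. Since the install runs with prefix=$RPM_BUILD_ROOT/usr, also check that no installed file records the build root path.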
@@ -80,6 +67,7 @@

 %files devel
 %defattr(-,root,root)
+%{_bindir}/*
 %{_includedir}/*
 %{_libdir}/libpng*.a
 %{_libdir}/libpng*.so
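Review bot: `%{_bindir}/*` in %files devel is a wildcard over the whole bin directory, so any executable the upstream install adds in a later release gets packaged without review. List the expected files by name and add a line saying what they are, since the diff does not show what `make install` now places in %{_bindir}.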
Comment 2 Robert Scheck 2004-04-27 13:49:30 EDT
Created attachment 99719
libpng-1.2.5-rhconf.patch
Comment 3 Alan Cox 2004-05-02 19:11:23 EDT
Marking as enhancement as it's too close to FC2 to go changing packages now
Comment 4 Robert Scheck 2004-05-03 06:52:51 EDT
Here's a fix for CVE CAN-2004-0421 for libpng 1.2.5 that can be
applied to the patch above.

--- libpng.spec.rsc     2004-05-03 11:16:25.000000000 +0200
+++ libpng.spec.rsc2    2004-05-03 12:56:27.000000000 +0200
@@ -8,6 +8,7 @@
 Patch0: libpng-1.2.5-rhconf.patch
 Patch1: libpng-1.0.9-badchunks.patch
 Patch2: libpng-1.2.2-libdirfix.patch
+Patch3: libpng-1.2.5-oob_error_message.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-root
 BuildPrereq: zlib-devel
 Provides: libpng.so.3
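Review bot: The new `Patch3:` line does not say which issue it fixes; the file name oob_error_message does not mention CAN-2004-0421, which the text above gives as the reason for the patch. Add a comment above `Patch3:` with the CVE name, and a %changelog entry (none appears in this diff), so the security fix can be found by id when the package is audited.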
@@ -46,6 +47,7 @@
 %patch0 -p1 -b .rhconf
 %patch1 -p1 -b .badchunk
 %patch2 -p1 -b .libdirfix
+%patch3 -p1 -b .oob_error_message

 %build
 make ZLIBLIB=%{_libdir} RPM_OPT_FLAGS="$RPM_OPT_FLAGS" LIBPATH=%{_libdir}
Comment 5 Robert Scheck 2004-05-03 06:53:57 EDT
Created attachment 99904
libpng-1.2.5-oob_error_message.patch
Comment 6 Robert Scheck 2004-05-03 07:30:29 EDT
Oh... I just saw that there is currently no fix for CVE CAN-2004-0421 for
libpng 1.2.2 in the Fedora Development tree/Rawhide. So please solve
this security issue either with a rebuild of the latest libpng from
RH9/RHEL or by using this solution.
Comment 7 Mark J. Cox (Product Security) 2004-05-06 05:36:33 EDT
*** Bug 122329 has been marked as a duplicate of this bug. ***
Comment 8 Robert Scheck 2004-05-15 07:37:47 EDT
Created attachment 100245
libpng-1.2.5-rhconf.patch

Yeah, we've got to link against zlib using -lz
Comment 9 Robert Scheck 2004-05-15 07:39:11 EDT
Created attachment 100246
libpng-1.2.5-oob_error_message.patch

Okay, we use the reworked patch also in 1.2.5
Comment 10 Matthias Clasen 2004-05-19 09:33:56 EDT
*** Bug 99052 has been marked as a duplicate of this bug. ***