Bug 152707 - libpng denial-of-service CAN-2004-0421
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
URL: https://rhn.redhat.com/errata/RHSA-20...
Whiteboard: LEGACY, rh72, rh73, rh80
Reported: 2004-04-30 15:01 EDT by Barry K. Nathan
Modified: 2014-01-21 17:51 EST (History)

Last Closed: 2005-04-05 19:03:03 EDT
Description David Lawrence 2005-03-30 18:24:43 EST
Discussed in RHSA-2004-181 for Red Hat 9 (linked from this bug). I guess it also
affects 7.2 through 8.0 but I don't know for sure.



------- Additional Comments From skvidal@phy.duke.edu 2004-04-30 19:19:06 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
d092586385aaff326762a985d7f41f1c  libpng-1.0.14-0.7x.4.legacy.0.i386.rpm
ef7676c3a4e8c24eb80fa3b9b7055d06  libpng-1.0.14-0.7x.4.legacy.0.src.rpm
7fe890cf86cb9a07830e75f249777bf0  libpng-devel-1.0.14-0.7x.4.legacy.0.i386.rpm
  
libpng - used something like the patches from rhl9 - needed some
modifications to work, though.
  
Please QA - these were built on rhl 7.3 - probably will work on 7.2
 
http://linux.duke.edu/~skvidal/RPMS/legacy/libpng/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFAkzM01Aj3x2mIbMcRAt9dAJ4+lQYgc6khyZpwMHbQWJoY0MXB9ACcCcED
Plr85VfFlAbeHgA8vTdQwNI=
=SKNo
-----END PGP SIGNATURE-----




------- Additional Comments From skvidal@phy.duke.edu 2004-04-30 20:14:43 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
new packages with new number
456c4b525e5a3bda6acf9e0765b548d8  libpng-1.0.14-0.7x.5.legacy.i386.rpm
377ceac380cb49cd3d1071449679c7f8  libpng-1.0.14-0.7x.5.legacy.src.rpm
ae2a64188629948a4a02407214b72e77  libpng-devel-1.0.14-0.7x.5.legacy.i386.rpm
 
same url
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFAk0BJ1Aj3x2mIbMcRArefAJoDfj6rjyRsFM1JTDC4VpfTX14ODwCeIS/j
6Xe13MKEprZa6bpzMtZwWUM=
=diON
-----END PGP SIGNATURE-----




------- Additional Comments From michal@harddata.com 2004-05-01 14:16:57 ----

There is this minor nit that libpng-1.0.13-oob_error_message.patch is clearly
for libpng-1.0.14 hence, following "traditional" conventions, it should be
called libpng-1.0.14-oob_error_message.patch.  Other than that it looks to
me "obviously correct".

I am also running right now the corresponding binaries and they look to me just
fine.




------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-04 06:47:47 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

md5sum of the SRPM I rebuilt:

377ceac380cb49cd3d1071449679c7f8  libpng-1.0.14-0.7x.5.legacy.src.rpm

Built srpms on 7.3. Installed built binaries. Seems happy.
- -DWB

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl8jMSY7s7uPf/IURAj33AKC858+jtFz+eUFz273MGS1JHZdnygCgpR2t
CwIc6hMjxXKtykdclbX+6Rg=
=lK21
-----END PGP SIGNATURE-----




------- Additional Comments From skvidal@phy.duke.edu 2004-05-04 19:12:31 ----

Michal, DWB,  if you're both happy enough can we get a clearsigned PUBLISH so
this one can move ahead?

thanks




------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-05 11:13:58 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PUBLISH libpng

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAmVkISY7s7uPf/IURAi65AKCrlMyayHxRvFc50D/rZNtsiU1lRQCeO2G4
clOmknB4qjHGtgaV/WFbD2g=
=pxj7
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating@j2solutions.net 2004-05-05 16:41:38 ----

Will have to make a package for 8.0, most likely a direct rebuild of 9's package.



------- Additional Comments From jkeating@j2solutions.net 2004-05-19 17:25:10 ----

RHL 8.0 packages that resolve this issue.  Please QA for updates-testing.

http://geek.j2solutions.net/rpms/legacy/libpng/

a3caa5b845fe43495436cd193af7a05077ec57b3  8.0/libpng-1.2.2-20.8.0.legacy.i386.rpm
723379d0ecec3d5ccc217eb9b1719163232e348f  8.0/libpng-1.2.2-20.8.0.legacy.src.rpm
a726f35aa54b33f362ce9dcf841522409eea04e8  8.0/libpng-devel-1.2.2-20.8.0.legacy.i386.rpm

8ea391b41760c4d81475c414a3df38297cf6e7cf  8.0/libpng10-1.0.13-11.8.0.legacy.i386.rpm
dea84ccd8ddf1c151718e22e753a9fd4ebeea45e  8.0/libpng10-1.0.13-11.8.0.legacy.src.rpm
0f804e41e0e381fdeb9de7c923c55303558d79ea  8.0/libpng10-devel-1.0.13-11.8.0.legacy.i386.rpm

93049b1bec2bcd6e6d41afe05357d2d299adb332  8.0/sha1sums



------- Additional Comments From marcdeslauriers@videotron.ca 2004-05-24 07:59:39 ----

This is odd... it appears the RHL9 version of libpng10 that you used to make the
RHL8.0 packages is missing the libpng-1.0.12-transfix.patch that was added to
the RHL8.0 rpms as a security fix:

https://rhn.redhat.com/errata/RHSA-2003-006.html

So apparently RHL9 has always been vulnerable to that advisory...

Should we add this to all the packages?



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-05 06:36:21 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tested rh7.3 package:

096187b4548f6032d9498a574ae1a2b33a3c952b  libpng-1.0.14-0.7x.5.legacy.src.rpm

- - md5sums match
- - spec file looks good
- - patch looks good
- - builds OK
- - installs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAwfZuLMAs/0C4zNoRArxHAJ9GJyeP+/xVkwbSToiK7gS3WV7VkQCeIjEF
eKrLhYAaqRo34UOVaXPG9G4=
=caP6
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-08 12:30:00 ----

OK, I've done a little more investigating... :)

The 7.3 packages do have the libpng-1.0.12-transfix.patch patch.
The patch fixes CAN-2002-1363.

It seems the patch was added as a security update to <= rh8.0 when rh9 was beta.
When 9 officially came out, nobody ever applied it. Fedora Core doesn't even
have this patch as it evolved from the rh9 packages.
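The QA checklist posted a few comments up (md5sums match, spec file looks good, patch looks good, builds OK, installs OK) and the finding in this comment that a security patch was silently dropped between releases are both checks that can be scripted rather than eyeballed. The following Python is an added example, not code from this bug report or from Fedora Legacy: it verifies an md5sum/sha1sum-style listing against downloaded files, and audits a spec file for patches that are required but absent or that are declared with a PatchN: tag but never applied in %prep. The spec fragments, file contents and checksum listing are constructed for the example; only the file and patch names are taken from the thread.

```python
import hashlib
import re

# Constructed stand-ins for downloaded RPMs: file name -> bytes. Names follow the
# thread; the contents are made up for this example.
SAMPLE_FILES = {
    "libpng10-1.0.13-11.1.legacy.src.rpm": b"constructed srpm payload",
    "libpng10-1.0.13-11.1.legacy.i386.rpm": b"constructed binary payload",
}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# Constructed listing in sha1sum output format. Line 1 is correct, line 2 carries a
# wrong digest (e.g. a tampered or truncated download), line 3 names a file that was
# never downloaded.
SAMPLE_SUMS = "\n".join([
    sha1_hex(SAMPLE_FILES["libpng10-1.0.13-11.1.legacy.src.rpm"])
    + "  libpng10-1.0.13-11.1.legacy.src.rpm",
    "0" * 40 + "  libpng10-1.0.13-11.1.legacy.i386.rpm",
    "1" * 40 + "  libpng10-devel-1.0.13-11.1.legacy.i386.rpm",
])


def verify_checksums(sums_text, files, algo="sha1"):
    """Compare a '<digest>  <name>' listing (md5sum/sha1sum format) with file contents.
    Returns {name: "ok" | "mismatch" | "missing"}; a listed-but-absent file is reported
    rather than skipped, so a partial download cannot pass QA unnoticed."""
    results = {}
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        expected, name = parts
        name = name.lstrip("*")  # sha1sum marks binary-mode entries with a leading '*'
        if name not in files:
            results[name] = "missing"
        elif hashlib.new(algo, files[name]).hexdigest() == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


# 'PatchN: file' declarations and '%patchN ...' / '%patch -P N ...' applications.
PATCH_DECL = re.compile(r"^Patch(\d*)[ \t]*:[ \t]*(\S+)", re.M | re.I)
PATCH_APPLY = re.compile(r"^%patch(\d*)([ \t].*)?$", re.M)


def declared_patches(spec_text):
    """Map patch number -> patch file for every PatchN: tag (bare 'Patch:' is number 0)."""
    return {num or "0": name for num, name in PATCH_DECL.findall(spec_text)}


def applied_patch_numbers(spec_text):
    """Patch numbers actually applied in %prep, via '%patchN' or '%patch -P N'."""
    nums = set()
    for suffix, rest in PATCH_APPLY.findall(spec_text):
        explicit = re.findall(r"-P\s*(\d+)", rest or "")
        nums.update(explicit or [suffix or "0"])
    return nums


def audit_spec_patches(spec_text, required):
    """Two ways a fix goes missing: the patch is not in the spec at all (what happened
    to the rh9 libpng10 package), or it is declared but never applied, so it ships in
    the SRPM while the built binary stays vulnerable."""
    declared = declared_patches(spec_text)
    applied = applied_patch_numbers(spec_text)
    return {
        "declared_not_applied": sorted(n for k, n in declared.items() if k not in applied),
        "missing_required": sorted(p for p in required if p not in declared.values()),
    }


# Constructed spec fragments modelled on the thread's package; not the real spec files.
SPEC_RH9_LIKE = """\
Name:    libpng10
Version: 1.0.13
Release: 11.legacy
Patch0:  libpng-1.0.13-oob_error_message.patch

%prep
%setup -q -n libpng-%{version}
%patch0 -p1 -b .oob
"""

# Same spec with the transfix patch declared but never applied.
SPEC_DECLARED_ONLY = SPEC_RH9_LIKE.replace(
    "Patch0:  libpng-1.0.13-oob_error_message.patch",
    "Patch0:  libpng-1.0.13-oob_error_message.patch\nPatch1:  libpng-1.0.12-transfix.patch",
)

REQUIRED_PATCHES = ["libpng-1.0.12-transfix.patch", "libpng-1.0.13-oob_error_message.patch"]

if __name__ == "__main__":
    for name, status in verify_checksums(SAMPLE_SUMS, SAMPLE_FILES).items():
        print(f"{status:9} {name}")
    print("rh9-like spec:     ", audit_spec_patches(SPEC_RH9_LIKE, REQUIRED_PATCHES))
    print("declared-only spec:", audit_spec_patches(SPEC_DECLARED_ONLY, REQUIRED_PATCHES))
```

Keeping a per-package list of required security patches (here `REQUIRED_PATCHES`, a constructed list) and running the audit against each new SRPM's spec turns "patch looks good" into a check that fails loudly when a rebuild drops a fix, which is the quiet regression this thread uncovered across rh9, FC1, FC2 and RHEL3.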





------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-08 12:33:34 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are rh9 packages with the CAN-2002-1363 fix.

Changelog:
* Tue Jun 08 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.0.13-11.1.legacy
- - Added long lost patch for CAN-2002-1363

8405cca99e1b6cc8f4441322d7af49735f3cfcaf  libpng10-1.0.13-11.1.legacy.i386.rpm
613450ec81f51f9589a1f058d043d024afe80484  libpng10-1.0.13-11.1.legacy.src.rpm
65eb0f6835f94b2c4e715a6110d4c47ebb5f83ed  libpng10-devel-1.0.13-11.1.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-1.0.13-11.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-1.0.13-11.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-devel-1.0.13-11.1.legacy.i386.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAxj60LMAs/0C4zNoRAsmIAKCqEFP4k5TdooNOCqfOybblv6oVMQCdGwLv
817EVjkbRuu6F3U1c3r66eY=
=RhNE
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating@j2solutions.net 2004-06-08 12:38:59 ----

To comment #11, so it would appear that FC1 is in need of this patch?  Please
confirm and I'll contact Red Hat security team.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-08 12:48:10 ----

Yes, FC1, FC2, and RHEL3 are all missing this patch.




------- Additional Comments From jkeating@j2solutions.net 2004-06-08 12:59:21 ----

Email sent to Red Hat about this issue.



------- Additional Comments From skvidal@phy.duke.edu 2004-06-09 18:21:16 ----

So we need 2 QAs on the version for 9 and we're ready to go?




------- Additional Comments From jkeating@j2solutions.net 2004-06-16 17:47:06 ----

9 package for libpng10 pushed to updates-testing:

  http://download.fedoralegacy.org/redhat/
 
147dea7dbd723e9260acc770ce93aa7ab68c277c  9/updates-testing/SRPMS/libpng10-1.0.13-11.1.legacy.src.rpm
704af3eb2cdd53c6860cae248c56ce85c410c729  9/updates-testing/i386/libpng10-1.0.13-11.1.legacy.i386.rpm



------- Additional Comments From jkeating@j2solutions.net 2004-06-16 18:04:57 ----

Also for RHL 7.3:

  http://download.fedoralegacy.org/redhat/
 
20619750b9d6f5fb4fa4cfaad6ff31f3280372bb  7.3/updates-testing/SRPMS/libpng-1.0.14-0.7x.5.legacy.src.rpm
5a1ff70a2deb721b370bbcacff4ef3a1ee3f79ce  7.3/updates-testing/i386/libpng-1.0.14-0.7x.5.legacy.i386.rpm



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-18 11:32:59 ----

I'll have to make new packages for 9 and 7.3

Red Hat have released a revised transfix patch, better than the original one;
they found another case with a wrong offset in the code.

Also, I missed making a libpng-1.2.2 for rh9, as it contains the vulnerability also.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-18 12:03:18 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are new packages for 7.3 and 9 with the revised patch:

* Fri Jun 18 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.0.14-0.7x.6.legacy
- - Added better version of the patch for CAN-2002-1363

7.3:
c624266b9ff65cd2c12eb5982dccb08290ee2ab5  libpng-1.0.14-0.7x.6.legacy.i386.rpm
2fcfd04bc5390da7fa8462cf1b04b99f854275fa  libpng-1.0.14-0.7x.6.legacy.src.rpm
f38af818a4a48e635c8c41c4fce4b3efe6ef1743  libpng-devel-1.0.14-0.7x.6.legacy.i386.rpm

9:
d6275e9712d8b3fed38e4dee3e5da1571743d25d  libpng10-1.0.13-11.2.legacy.i386.rpm
4a14ccd3d07fda38ce170104bc5634c87d12c8d8  libpng10-1.0.13-11.2.legacy.src.rpm
61948dd03bd2042886e88d5f5af0bb5f69ac5ca3  libpng10-devel-1.0.13-11.2.legacy.i386.rpm
4b677249a4293cbc56774e24ed7a1229a32bbb6e  libpng-1.2.2-20.1.legacy.i386.rpm
9247222e6a5c9bae29a0c066a28af33e24d63068  libpng-1.2.2-20.1.legacy.src.rpm
5d7b5019ff6c9b889e12c1228684abf235605ce7  libpng-devel-1.2.2-20.1.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/libpng-1.0.14-0.7x.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/libpng-1.0.14-0.7x.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/libpng-devel-1.0.14-0.7x.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng-1.2.2-20.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng-1.2.2-20.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng-devel-1.2.2-20.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-1.0.13-11.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-1.0.13-11.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-devel-1.0.13-11.2.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA02ajLMAs/0C4zNoRAh/qAJ4jq/JgbpI9kTFzZ2EO6LRnViI9IgCeJd9k
2+CeVut6JJCbLOeJBhQHCho=
=WSdb
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-08-04 17:05:39 ----

This bug has been replaced by bug 1943



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:24 -------

This bug previously known as bug 1550 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1550
Originally filed under the Fedora Legacy product and Package request component.
Bug depends on bug(s) 1943.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

