During a source code audit, Chris Evans discovered several buffer overflows in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0597 to these issues.

In addition, this audit discovered a potential NULL pointer dereference in libpng (CAN-2004-0598) and several integer overflow issues (CAN-2004-0599). An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to crash when the file was opened by the victim.

Info: https://rhn.redhat.com/errata/RHSA-2004-402.html

------- Additional Comments From marcdeslauriers 2004-08-04 17:04:49 ----

Here are packages for 7.3 and 9 that fix this issue:

Changelog:

* Wed Aug 04 2004 Marc Deslauriers <marcdeslauriers> 1.0.14-0.7x.7.legacy
- Replace the patches for individual security problems with the cumulative
  patch issued by the png developers. Fixes CAN-2004-0597, CAN-2004-0598,
  CAN-2004-0599.
7.3:
http://www.infostrategique.com/linuxrpms/legacy/7.3/libpng-1.0.14-0.7x.7.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/libpng-1.0.14-0.7x.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/libpng-devel-1.0.14-0.7x.7.legacy.i386.rpm

9:
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-1.0.13-11.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-1.0.13-11.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng10-devel-1.0.13-11.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng-1.2.2-20.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng-1.2.2-20.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libpng-devel-1.2.2-20.2.legacy.i386.rpm

------- Additional Comments From michal 2004-08-06 10:53:50 ----

Created an attachment (id=798)
piece which was dropped on the way to the current version

Looking at the sources, what is available here is equivalent to what was in previous versions plus new fixes, with the exception of one patch fragment.
It came in libpng-1.0.9-badchunks.patch in older releases. It is attached here. I am not that sure that it is really no longer needed. In case one would want to apply it to the current version, this should be done with 'patch -R ....'.

------- Additional Comments From dom 2004-08-11 13:06:07 ----

Having examined the rh7.3 patch I find the following:

There seem to be some discrepancies between the patch you have included as libpng-1.0.14-security.patch and libpng-1.2.5-all-patches.txt, which according to http://heanet.dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt is the correct patchset for 1.0.14. When both patches are applied the following differences reveal themselves (attached).

Haven't looked at the 9 version - is that what you were comparing against, Michal?

Either way, is there any reason why the recommended patch from the developers is not included verbatim with no other security patches?

Cheers,

------- Additional Comments From dom 2004-08-11 13:07:24 ----

Created an attachment (id=808)
differences between officially patched version and 7.3 SRPM 0.7x.7.legacy

------- Additional Comments From dwb7.edu 2004-08-12 10:43:04 ----

libpng packages now available for QA for RH7.3:

sha1sum -b libpng*
b7053c46bd55f9100820b2423e524d05c9c022f1 *libpng-1.0.14-7.legacy.1.i386.rpm
6cc28880aeb2aa504add2b1fa454b358ef5fa7bb *libpng-1.0.14-7.legacy.1.src.rpm
b925cbbd367cd5e5d13990679dd2c6bb99a2e54c *libpng-devel-1.0.14-7.legacy.1.i386.rpm

Download from:
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/libpng

-DWB

------- Additional Comments From simon 2004-09-09 08:32:00 ----

6cc28880aeb2aa504add2b1fa454b358ef5fa7bb libpng-1.0.14-7.legacy.1.src.rpm

Inspected SPEC file - OK
Checked patches against original from libpng for 1.0.14 (combined patch file minus patches for later versions up to 1.2.5) - OK
BUILD - OK
INSTALL - OK
Appears to function normally with PHP (use verified via ldd) - OK

+PUBLISH

- Si

------- Additional Comments From simon 2004-09-09 08:39:33 ----

I forgot to mention the above was tested on Redhat 7.3

- Si

------- Additional Comments From cra 2004-10-21 16:16:54 ----

QA for RH 7.3 packages from Dave Botsch:

b7053c46bd55f9100820b2423e524d05c9c022f1 libpng-1.0.14-7.legacy.1.i386.rpm
6cc28880aeb2aa504add2b1fa454b358ef5fa7bb libpng-1.0.14-7.legacy.1.src.rpm
b925cbbd367cd5e5d13990679dd2c6bb99a2e54c libpng-devel-1.0.14-7.legacy.1.i386.rpm

I still see differences from the upstream patch, identical to the differences mentioned in comment #4.
This is the upstream patch that should be applied to the 1.0.14 sources:
http://heanet.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.5-all-patches.txt

------- Additional Comments From cra 2004-10-21 17:55:35 ----

Additional QA for RH 7.3 packages from Dave Botsch:

b7053c46bd55f9100820b2423e524d05c9c022f1 libpng-1.0.14-7.legacy.1.i386.rpm
6cc28880aeb2aa504add2b1fa454b358ef5fa7bb libpng-1.0.14-7.legacy.1.src.rpm
b925cbbd367cd5e5d13990679dd2c6bb99a2e54c libpng-devel-1.0.14-7.legacy.1.i386.rpm

I'm not sure the pkgconfig files should be there. They aren't in the original packages for 7.3. libpng.pc is also not correct, as it refers to libpng10:

/usr/bin/pkgconfig
/usr/lib/pkgconfig/libpng.pc:

prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${exec_prefix}/include

Name: libpng10
Description: Loads and saves PNG files
Version: 1.0.14
Libs: -L${libdir} -lpng10 -lz -lm
Cflags: -I${includedir}/libpng10

------- Additional Comments From cra 2004-10-21 18:31:20 ----

There are some interesting E:N-V-R versioning differences that we need to get right:

Latest RH 7.3 errata:
2:libpng-1.0.14-0.7x.4.i386
2:libpng-devel-1.0.14-0.7x.4.i386

Latest RH 9 errata:
(none):libpng10-1.0.13-11.i386
(none):libpng10-devel-1.0.13-11.i386 (provides libpng-devel = (none):1.0.13)
2:libpng-1.2.2-20.i386
2:libpng-devel-1.2.2-20.i386

Latest FC 1 errata:
(none):libpng10-1.0.15-7.i386
(none):libpng10-devel-1.0.15-7.i386 (doesn't have virtual provides libpng-devel)
2:libpng-1.2.5-7.i386
2:libpng-devel-1.2.5-7.i386

The libpng packages need to maintain the Epoch: 2 for upgrades to work. libpng10 should remain with no Epoch for upgrades of those packages to work.

What is up with the Provides: libpng-devel in the libpng10-devel packages? Do any other packages require a versioned libpng-devel anywhere? It seems like this was a packaging bug in RH 9, and the issue was avoided altogether in FC 1, where no Provides: libpng-devel is there at all. Perhaps the problem never arose in real life, because no one used versioned-requires on libpng-devel.

------- Additional Comments From cra 2004-10-25 06:17:01 ----

Answering my question about libpng10-devel providing libpng-devel, it appears we should remove the virtual provide:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=110161

------- Additional Comments From marcdeslauriers 2004-10-25 11:40:14 ----

Just thinking out loud here: what would happen if a package, included with rh9 or a third-party package for rh9, has a BuildRequires libpng = 1.0.13 in it? Are we absolutely sure we won't be breaking anything?

------- Additional Comments From cra 2004-10-25 12:13:13 ----

If there was, it would already break. The backwards compat package has a different version already. 7.3 has 2:libpng-1.0.14, and 9 has (none):libpng10-1.0.13. I don't think we should worry about exact versioned BuildRequires.

------- Additional Comments From jpdalbec 2004-10-29 03:02:28 ----

04.42.26 CVE: CAN-2004-0955
Platform: Cross Platform
Title: LibPNG Image Height Integer Overflow
Description: LibPNG is the Portable Network Graphics (PNG) reference library. LibPNG is vulnerable to an integer overflow in the image height parameter. Debian has released a patch to fix this issue. The issue is fixed in version 1.0.12-3.woody.
Ref: http://www.debian.org/security/2004/dsa-570

------- Additional Comments From deisenst 2004-11-19 05:43:58 ----

According to http://heanet.dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt, libpng-1.2.5 is also affected by many of these issues.
I am adding FC1 to the keyword list and we'll need to look into it further.

------- Additional Comments From cra 2004-11-19 06:00:06 ----

I built new 1.0.15 packages with the upstream patch included, and merged the spec files so all the various versions are the same except where needed. This should make future maintenance easier, especially once/if FC1 needs an update. I did end up including fixed pkgconfig files since they needed to be fixed for the other releases anyway.

Upstream patch:
http://heanet.dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt
http://heanet.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.5-all-patches.txt

RH 9:
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng10-1.0.15-0.9.1.legacy.src.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng10-1.0.15-0.9.1.legacy.i386.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng10-devel-1.0.15-0.9.1.legacy.i386.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng10-debuginfo-1.0.15-0.9.1.legacy.i386.rpm

RH 7.3:
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng-1.0.15-0.7x.1.legacy.i386.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng-1.0.15-0.7x.1.legacy.src.rpm
http://angus.ind.wpi.edu/~cra/fedora/legacy/libpng/libpng-devel-1.0.15-0.7x.1.legacy.i386.rpm

* Mon Oct 25 2004 Charles R. Anderson <cra> 1.0.15-0.9.1.legacy
- Build for RH 9

* Fri Oct 22 2004 Charles R. Anderson <cra> 1.0.15-0
- Sync RH 9 libpng10 and RH 7.x libpng package specs

* Thu Oct 21 2004 Charles R. Anderson <cra> 1.0.14-0.7x.8.legacy
- Use upstream security patch 1.2.5 that is recommended for use with release 1.0.14.
- Fix previous two changelog entries' formatting

* Thu Aug 12 2004 Dave Botsch <dwb7.edu>
- Added legacy keyword to release

* Fri Jul 23 2004 Matthias Clasen <mclasen> 1.0.14-7
- Replace the patches for individual security problems with the cumulative patch issued by the png developers.

------- Additional Comments From jpdalbec 2004-11-24 09:36:09 ----

If I build libpng10 from the source RPM, I get different --requires output from the previous version. Should this be cause for concern?

(provides)
-libpng10 = 1.0.13-11.1.legacy
+libpng10 = 1.0.15-0.9.1.legacy

(requires)
/sbin/ldconfig
/sbin/ldconfig
libc.so.6
libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1.3)
-libm.so.6
-libm.so.6(GLIBC_2.0)
-libz.so.1

I don't see differences in the ldd output.

------- Additional Comments From jpdalbec 2004-11-24 10:00:39 ----

Sorry, there was a bug in my summary script. It didn't run ldd against shared libraries. Now I do see ldd differences:

-/usr/lib/libpng.so.2.1.0.13
+/usr/lib/libpng.so.2.1.0.15
libc.so.6 => /lib/tls/libc.so.6
/lib/ld-linux.so.2 => /lib/ld-linux.so.2
- libm.so.6 => /lib/tls/libm.so.6
- libz.so.1 => /usr/lib/libz.so.1

Should the gcc command to build the shared library have -lz -lm added to it?

------- Additional Comments From cra 2004-11-24 11:17:20 ----

The library should not have been linked against those libs. It is the responsibility of the program using the library to pull in libz and libm as needed.
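The Epoch:Version-Release ordering that cra's E:N-V-R comment (2004-10-21 18:31) and the BuildRequires exchange after it depend on, as an added example that is neither code from this bug nor rpm's own source: a port of rpm's rpmvercmp() segment comparison plus an E:V-R comparison, run against version strings named in this thread. The type and function names are this example's own, and the tilde/caret markers of later rpm releases are deliberately left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Port of rpm's rpmvercmp(): compare two version (or release) strings segment
 * by segment. Returns 1 if a is newer, -1 if b is newer, 0 if equal. The
 * tilde/caret markers of later rpm releases are not handled; the 2004-era
 * packages in this thread do not use them. */
int rpmvercmp(const char *a, const char *b)
{
    const char *one = a, *two = b;
    if (strcmp(a, b) == 0) return 0;
    while (*one && *two) {
        /* Separators such as '.', '-' and '_' are skipped, never compared. */
        while (*one && !isalnum((unsigned char)*one)) one++;
        while (*two && !isalnum((unsigned char)*two)) two++;
        if (!*one || !*two)
            break;
        const char *s1 = one, *s2 = two;
        int isnum = isdigit((unsigned char)*s1) != 0;
        /* Take a run of one class (all digits or all letters) from each side. */
        if (isnum) {
            while (*one && isdigit((unsigned char)*one)) one++;
            while (*two && isdigit((unsigned char)*two)) two++;
        } else {
            while (*one && isalpha((unsigned char)*one)) one++;
            while (*two && isalpha((unsigned char)*two)) two++;
        }
        size_t l1 = (size_t)(one - s1), l2 = (size_t)(two - s2);
        if (l2 == 0)                 /* classes differ: numeric beats alphabetic */
            return isnum ? 1 : -1;
        if (isnum) {                 /* drop leading zeros; more digits wins */
            while (l1 > 0 && *s1 == '0') { s1++; l1--; }
            while (l2 > 0 && *s2 == '0') { s2++; l2--; }
            if (l1 != l2)
                return l1 > l2 ? 1 : -1;
        }
        size_t n = l1 < l2 ? l1 : l2;  /* otherwise plain strcmp order */
        int rc = memcmp(s1, s2, n);
        if (rc == 0 && l1 != l2)
            rc = l1 < l2 ? -1 : 1;
        if (rc != 0) return rc < 0 ? -1 : 1;
    }
    if (!*one && !*two) return 0;    /* both consumed: equal */
    return *one ? 1 : -1;            /* whichever still has segments is newer */
}

/* Epoch:Version-Release as rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' prints
 * it. The type and function names below are this example's own, not rpm's. */
typedef struct { long epoch; char version[64]; char release[64]; } evr_t;

/* Parse "[E:]V[-R]". A missing epoch, or rpm's "(none)", counts as 0. */
static void evr_parse(const char *s, evr_t *out)
{
    const char *colon = strchr(s, ':');
    out->epoch = colon ? strtol(s, NULL, 10) : 0;  /* "(none)" parses as 0 */
    if (colon) s = colon + 1;
    const char *dash = strrchr(s, '-');
    if (dash) {
        snprintf(out->version, sizeof out->version, "%.*s", (int)(dash - s), s);
        snprintf(out->release, sizeof out->release, "%s", dash + 1);
    } else {
        snprintf(out->version, sizeof out->version, "%s", s);
        out->release[0] = '\0';
    }
}

/* rpm's ordering: epoch first, then version, then release. */
int evr_cmp(const char *a, const char *b)
{
    evr_t x, y;
    evr_parse(a, &x); evr_parse(b, &y);
    if (x.epoch != y.epoch)
        return x.epoch > y.epoch ? 1 : -1;
    int rc = rpmvercmp(x.version, y.version);
    return rc ? rc : rpmvercmp(x.release, y.release);
}

/* rpm -U replaces `installed` only when `candidate` sorts strictly newer. */
int would_upgrade(const char *installed, const char *candidate)
{
    return evr_cmp(candidate, installed) > 0;
}

int main(void)
{
    /* E:V-R pairs from the thread: installed errata vs. Fedora Legacy candidate. */
    static const char *cases[][2] = {
        { "2:1.0.14-0.7x.4", "2:1.0.15-0.7x.1.legacy" }, /* Epoch kept: upgrades */
        { "2:1.0.14-0.7x.4", "1.0.15-0.7x.1.legacy" },   /* Epoch dropped: never newer */
        { "1.0.15-7", "1.0.15-0.9.1.legacy" },            /* FC 1: release too low */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s -> %-24s %s\n", cases[i][0], cases[i][1],
               would_upgrade(cases[i][0], cases[i][1]) ? "upgrades" : "NOT newer");
    return 0;
}
```

The third case is the reason Rob's FC1 build later carries release 7.1.legacy: against an installed 1.0.15-7, a 0.9.1.legacy release never sorts newer.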
------- Additional Comments From jpdalbec 2004-11-29 07:24:16 ----

f95ebd506e55f6cdba7c5da60c1cc0063860a813 libpng-1.2.2-20.2.legacy.src.rpm

When I build this .src.rpm I get:

libpng-1.2.2-20.2.legacy/usr/lib/libpng12.so.0.1.2.2:
libz.so.1 => /usr/lib/libz.so.1 (0x40032000)
libm.so.6 => /lib/tls/libm.so.6 (0x40040000)
libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

Per comment 19 the .so should not be linked against libz or libm.

------- Additional Comments From rob.myers.edu 2004-11-29 10:26:42 ----

Here are updated libpng10 and libpng packages to QA for fc1:

- includes one extra patch from:
  http://dl.sourceforge.net/sourceforge/libpng/libpng-patch11-limit-dimensions.txt
- libpng-1.2.5 links to libm and libz, just as original package does
- libpng10-1.0.15-7.1.legacy.src.rpm source looks basically the same as libpng10-1.0.15-0.9.1.legacy.src.rpm, plus some cleanups and with a version high enough to update an fc1 machine. if the sources are going to be merged, perhaps an fc1 based version is most appropriate?

changelogs:

libpng10-1.0.15-7.1.legacy:
* Mon Nov 29 2004 Rob Myers <rob.myers.edu> 1.0.15-7.1.legacy
- apply patch to limit dimensions (FL #1943)

libpng-1.2.5-7.1.legacy:
* Mon Nov 29 2004 Rob Myers <rob.myers.edu> 2:1.2.5-7.1.legacy
- apply patch to limit dimensions (FL #1943)

files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng10-1.0.15-7.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng10-1.0.15-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng10-debuginfo-1.0.15-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng10-devel-1.0.15-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng-1.2.5-7.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng-1.2.5-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng-debuginfo-1.2.5-7.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libpng-devel-1.2.5-7.1.legacy.i386.rpm

------- Additional Comments From jpdalbec 2004-11-29 10:36:26 ----

++PUBLISH RH7.3
++PUBLISH RH9
d1bb0af6be1ae41e161257ed285ea6a354155b42 libpng10-1.0.15-0.9.1.legacy.src.rpm
38fa3e75ffc56dc7e6e0ecb3380a34e8f9469fb2 libpng-1.0.15-0.7x.1.legacy.src.rpm
f95ebd506e55f6cdba7c5da60c1cc0063860a813 libpng-1.2.2-20.2.legacy.src.rpm

libpng10-1.0.15-0.9.1.legacy.src.rpm: sha1 md5 gpg OK
libpng-1.0.15-0.7x.1.legacy.src.rpm: sha1 md5 gpg OK
libpng-1.2.2-20.2.legacy.src.rpm: (sha1) dsa sha1 md5 gpg OK

Some ldd differences (an improvement, I'm told). GNOME works normally with the new libraries. Some new config files added to packages. libpng10 no longer owns /usr/lib/pkgconfig.

------- Additional Comments From deisenst 2004-12-08 19:40:26 ----

Part 1 of 2: FC1 libpng10:

QA'ing Rob's FC1 libpng10-1.0.15-7.1.legacy.src.rpm in comment 21:

8e9781e86aa2a78eadccc3bdd5e8617102586910 libpng10-1.0.15-7.1.legacy.src.rpm

* sha1sum OK
* rpm --checksig libpng10-1.0.15-7.1.legacy.src.rpm
  libpng10-1.0.15-7.1.legacy.src.rpm: (sha1) dsa sha1 md5 gpg OK
* source file identical to libpng10-1.0.15.7.src.rpm from FC1 updates.
* spec file looks great. Good idea placing a comment to designate Fedora legacy patches versus others in the spec file.
* patch to limit dimensions good. In combination with previous patches, produces same patched source as is created by using the upstream's "all-patches" patch file.
* Builds well.
* Charles Anderson's rpm-build-compare script output looks reasonable for both output rpm packages.
* Installs ok.
* Runs okay. Tested with the pngtest.c program included, and with the gimp help browser, which is the only app. I know that uses libpng10.

PUBLISH+

------- Additional Comments From deisenst 2004-12-09 10:56:18 ----

Part 2 of 2: FC1 libpng:

QA'ing Rob's FC1 libpng-1.2.5-7.1.legacy.src.rpm in comment 21:

2e7b7891fcb418b03ccaf21296f2d9c6c3719bcb libpng-1.2.5-7.1.legacy.src.rpm

* sha1sum OK
* rpm --checksig libpng-1.2.5-7.1.legacy.src.rpm
  libpng-1.2.5-7.1.legacy.src.rpm: (sha1) dsa sha1 md5 gpg OK
* source file identical to libpng-1.2.5-7.src.rpm from FC1 updates.
* spec file looks good. Has proper %post and %postun for libraries.
* patch to limit dimensions good. In combination with previous patches, produces same patched source as is created by using the upstream's "all-patches" patch file.
* Builds well.
* Charles Anderson's rpm-build-compare script output looks reasonable for both output rpm packages.
* Installs ok.
* Runs well.

PUBLISH++

------- Additional Comments From deisenst 2004-12-09 10:59:14 ----

Does this issue need further QA, or can it go on to the next stage?

-David

------- Additional Comments From dom 2004-12-09 13:20:50 ----

Good to go IMO. I've moved it to the to-build list in issues.txt.

------- Additional Comments From dom 2004-12-09 13:57:17 ----

This isn't resolved yet.

------- Additional Comments From deisenst 2004-12-09 13:59:06 ----

Oh, okay. I guess the process is still a little unclear to me. Sorry.
------- Additional Comments From marcdeslauriers 2004-12-18 09:18:51 ----

Pushed to updates-testing

------- Additional Comments From jimpop 2004-12-19 22:03:03 ----

+VERIFIED 73

21a9a1d6e6ae60ffd6144c8bfbf5b2fb libpng-1.0.15-0.7x.1.legacy.i386.rpm

Per instructions from David Eisenstein (thank you), I have used pngtest to verify libpng-1.0.15 on Redhat 7.3

- - - - - - - - - - - - - - - - - - - - - - - -
Testing libpng version 1.0.15 with zlib version 1.1.4
libpng version 1.0.15 - October 3, 2002
Copyright (c) 1998-2002 Glenn Randers-Pehrson
Copyright (c) 1996-1997 Andreas Dilger
Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
library (10015): libpng version 1.0.15 - October 3, 2002 (header)
pngtest (10015): libpng version 1.0.15 - October 3, 2002 (header)
sizeof(png_struct)=680, sizeof(png_info)=288
Testing pngtest.png:
Pass 0: rwrwrwrwrwrwrwrwrw
Pass 1: rwrwrwrwrwrwrwrwrw
Pass 2: rwrwrwrwrwrwrwrw
Pass 3: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
Pass 4: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
Pass 5: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw rwrwrwrw
Pass 6: rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw rwrwrwrwrw
PASS (9782 zero samples)
Filter 0 was used 21 times
Filter 1 was used 15 times
Filter 2 was used 52 times
Filter 3 was used 10 times
Filter 4 was used 33 times
tIME = 7 Jun 1996 17:58:08 +0000
libpng passes test
- - - - - - - - - - - - - - - - - - - - - - - -

------- Additional Comments From jimpop 2004-12-20 11:22:54 ----

+VERIFIED 73

21a9a1d6e6ae60ffd6144c8bfbf5b2fb libpng-1.0.15-0.7x.1.legacy.i386.rpm

------- Additional Comments From pekkas 2004-12-22 04:44:10 ----

QA for RHL9:

- rpm-build-compare looks good
- packages install OK
- pngtest passes the test (as comment #30)
- a couple of apps which use libpng work ok.
+VERIFY RHL9

d71f34a57a80386cdbe2bc9738f0e2b778c639e7 libpng10-1.0.15-0.9.1.legacy.i386.rpm
e89ca650e1839e4ad3155097cf6c70e239befe7c libpng10-devel-1.0.15-0.9.1.legacy.i386.rpm
90c20c26388d2a32fb84433bff3d3abcd7010425 libpng-1.2.2-20.2.legacy.i386.rpm
360acd84d0b7e8bdf7e3358d3235bc67c28b1ba8 libpng-devel-1.2.2-20.2.legacy.i386.rpm

------- Additional Comments From deisenst 2004-12-22 15:41:46 ----

Created an attachment (id=951)
Pekka's QA from comment 32, that verifies with PGP

I removed white space from comment 32 so that it would pass PGP verification. In the attachment.

------- Additional Comments From rob.myers.edu 2005-01-05 08:35:24 ----

i took a look at the fc1 packages:

0afca5b729899b1fedeed263ddd2ac7aa506eb5b libpng10-1.0.15-7.1.legacy.i386.rpm
6a7a6ecaa0435e2254e48bc5ea4c2d1724d5b160 libpng10-devel-1.0.15-7.1.legacy.i386.rpm
8e28d39029ff88510d3899c2848273a76b6e71f4 libpng-1.2.5-7.1.legacy.i386.rpm
405443b2e0e56b3d5e5f3f9b6a89bd3a83c24afb libpng-devel-1.2.5-7.1.legacy.i386.rpm

- gpg signature good
- rpm-build-compare looks good
- installs fine
- works fine

+VERIFY

------- Additional Comments From jimpop 2005-01-05 10:00:10 ----

+VERIFIED 73

Tested on RH73. PNG graph generation (via MRTG) works.

1c286b40e2ad76146a9a4480e9db26bc04aaadb7 libpng-1.0.15-0.7x.1.legacy.i386.rpm

-Jim P.

------- Additional Comments From deisenst 2005-01-08 15:07:22 ----

I believe these packages have enough VERIFIES (they have been verified for RH7.3, RH9 and FC1), so I am marking this issue VERIFIED. These should be moved to updates.

------- Additional Comments From dom 2005-01-08 16:06:32 ----

For proofreading:
http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1943-libpng-draft.txt

------- Additional Comments From pekkas 2005-01-08 22:16:23 ----

Advisory looks good, but should we also reference CVE-2002-1363 such as Red Hat is doing, because the patch for that changed in the meantime (I think)?

------- Additional Comments From dom 2005-01-09 02:26:40 ----

Have we fixed that though? I don't see anything in the bug history referencing that number.

------- Additional Comments From pekkas 2005-01-09 06:50:07 ----

AFAICS, the old patch (transfix) was one that RHEL21 replaced with a better patch from upstream, like we did. So, if RHEL21's patch was considered a better fix to CAN-2002-1363, maybe ours should be considered a better fix to that as well?

------- Additional Comments From deisenst 2005-01-10 15:12:57 ----

Created an attachment (id=964)
Entire advisory (revision 007 29-Oct-04) for libpng-1.2.5 and earlier versions

The enclosed file is the latest SECURITY ADVISORY available for the libpng packages we are patching here. Regarding the transfix patch, these two paragraphs seem relevant:

"libpng-patch00-pngrtran-filler-RRGGBB-overflow.txt
Fixes bug that was introduced in version 1.0.2
This bug was widely publicised in December 2002 and has been fixed in many Linux distributions. Mitre named this vulnerability CAN-2002-1363.
Use to patch libpng-1.0.5 through 1.2.5

"libpng-patch01-pngrtran-filler-GG-overflow.txt
Fixes bug that was introduced in version 1.0.2
This bug was also publicised around January 2003. Because of its similarity to patch00, there has been some confusion and hardly anyone has applied this patch. There was a flurry of bug reports about this in June 2004 when people noticed that only half of the problem had been fixed. Mitre has assigned a new name, CAN-2004-0768, to this vulnerability."

I have gone ahead and checked all .src.rpm's that this bug report is patching and find that both libpng-patch00-pngrtran-filler-RRGGBB-overflow.txt and libpng-patch01-pngrtran-filler-GG-overflow.txt are included in all of the patches. This implies that not only are we patching for CVE-2002-1363 (no longer CAN-2002-1363), but we are also patching here for CAN-2004-0768. I will change the title of this bug to reflect that.

------- Additional Comments From deisenst 2005-01-10 15:48:37 ----

HOWEVER -- in reviewing all of the .src.rpm's, I discovered that the patch file for RH9's libpng-1.2.2-20.2.legacy.src.rpm in updates-testing (from comment 1) is out of date, from July, named "libpng-1.2.2-security.patch". The advisory mentioned in comment 41 indicates that the correct megapatch for libpng-1.2.2 should be "libpng-1.2.2-all-patches.txt". The difference between these two patch files is effectively the "libpng-patch11-limit-dimensions.txt", which is the patch that limits images to having no more than one million rows and one million columns.

Upstream patch for libpng-1.2.2 for RH9:
http://heanet.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.2-all-patches.txt

The other packages in updates-testing for RH9 (coming from libpng10-1.0.15-0.9.1.legacy.src.rpm in comment 16) are fine; that .src.rpm includes "libpng-1.2.5-all-patches.patch", which is the recommended megapatch for libpng-1.0.15.

I will go ahead and release an updated libpng-1.2.2 srpm for RH9, using the upstream patch and post links to it here, hopefully later tonight.

-David

------- Additional Comments From rob.myers.edu 2005-01-11 02:32:47 ----

re comment #37: typo found:

--- 1943-libpng-draft.txt.orig 2005-01-11 07:26:21.000000000 -0500
+++ 1943-libpng-draft.txt 2005-01-11 07:26:44.000000000 -0500
@@ -106,7 +106,7 @@
 http://download.fedoralegacy.org/redhat/9/updates/i386/libpng-devel-1.2.2-20.2.legacy.i386.rpm
-Fedora Cope 1
+Fedora Core 1
 SRPM:
 http://download.fedoralegacy.org/fedora/1/updates/SRPMS/libpng-1.2.5-7.1.legacy.src.rpm

------- Additional Comments From deisenst 2005-01-11 12:39:51 ----

Here is an updated libpng source package to QA for RH9:

- includes one extra patch from:
  http://dl.sourceforge.net/sourceforge/libpng/libpng-patch11-limit-dimensions.txt

Instead of putting in the libpng-1.2.2-all-patches.txt from upstream, I elected to make a smaller change, and put in the "limit-dimensions" patch, as Rob did in comment 21. (It creates exactly the same patched source as the "all-patches" patch.)

PLEASE NOTE: I don't run RH9, so am not able to test libpng-1.2.2-20.3.legacy binaries. Please test!

changelog:

* Tue Jan 11 2005 David Eisenstein <deisenst> 2:1.2.2-20.3.legacy
- apply patch to limit dimensions (Fedora Legacy Bugzilla # 1943), from upstream patch.

* Wed Aug 4 2004 Marc Deslauriers <marcdeslauriers> 1.2.2-20.2.legacy
- Replace the patches for individual security problems with the cumulative patch issued by the png developers. Fixes CAN-2004-0597, CAN-2004-0598, CAN-2004-0599.

* Tue Jun 18 2004 Marc Deslauriers <marcdeslauriers> 1.2.2-20.1.legacy
- Added better version of the patch for CAN-2002-1363

SHA1SUM                                  NAME
======================================== ===========================
3b557f1624aefcf4ca11978b5a4e6278229b78d1 libpng-1.2.2-20.3.legacy.src.rpm

file:
http://members.gtw.net/~deisenst/legacy/RH9/SRPMS/libpng-1.2.2-20.3.legacy.src.rpm

------- Additional Comments From pekkas 2005-01-11 21:16:04 ----

QA of David's RHL9 rpm:

- sources OK
- patch verified to be OK
- spec file changes minimal
- rebuilds fine on RHL9, installs fine
- pngtest on pngtest.png passes the test

+PUBLISH (+VERIFY)

Just a question: is this stuff needed for libpng10 or libpng-1.0.x? I guess not?

3b557f1624aefcf4ca11978b5a4e6278229b78d1 libpng-1.2.2-20.3.legacy.src.rpm

------- Additional Comments From deisenst 2005-01-12 14:43:18 ----

Pekka - thanks for QA'ing! You asked:

> Just a question: is this stuff needed for libpng10 or libpng-1.0.x?
> I guess not?

I think we're covered, Pekka.
AFAICS, this stuff (the limit-dimensions patch) is included in the other four .src.rpm's:

* libpng-1.0.15-0.7x.1.legacy.src.rpm has "libpng-1.2.5-all-patches.patch" from upstream, which includes limit-dimensions (cra, comment 16; also see attachment 964);
* libpng10-1.0.15-0.9.1.legacy.src.rpm has the same patch as the 0.7x.1 .src.rpm package above (cra, comment 16);
* The two FC1 .src.rpm's (from comment 21) have Rob's "libpng-patch11-limit-dimensions.patch" in addition to the slightly older security patch from upstream (from Red Hat's August 4th FC1 updates - see http://tinyurl.com/522ze). This combination of patches works fine (see comment 23, comment 24).

------- Additional Comments From deisenst 2005-01-20 12:38:44 ----

Created an attachment (id=970)
Suggested changes to the advisory.

Some suggested changes to Dominic's advisory in http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1943-libpng-draft.txt dated 11-Jan-2005 12:39.

------- Additional Comments From deisenst 2005-02-01 23:41:34 ----

I would say that we need no further QA to have this published to updates-testing. The limit-dimensions patch from comment 44 (for RHL 9's libpng) was a very small patch, Pekka has QA'ed this, and we have plenty of PUBLISH votes for other versions of this. I have reviewed and verified that all other packages have the limit-dimensions patch for their libpng and libpng10 packages. So the issue that Pekka raises in comment 45 is a non-issue (see comment 46).

Dominic, please see the suggested wording changes in Attachment 970 for http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1943-libpng-draft.txt

Have removed QA from this issue. Let's publish -> updates-testing.
------- Additional Comments From deisenst 2005-02-01 23:51:56 ----

Oh. Another suggestion for 1943-libpng-draft.txt -- add Bug 1550 to the Cross References, ala:

Cross references:
https://bugzilla.fedora.us/show_bug.cgi?id=1550
https://bugzilla.fedora.us/show_bug.cgi?id=1943

Bug 1550 should be closed when this one is.

------- Additional Comments From deisenst 2005-02-02 16:28:08 ----

ALERT! It looks like someone moved
* libpng-1.2.2-20.2.legacy.src.rpm,
* libpng-devel-1.2.2-20.2.legacy.i386.rpm, and
* libpng-devel-1.2.2-20.i386.rpm
from updates-testing to updates for RH9. Instead,
* libpng-1.2.2-20.3.legacy.src.rpm
needs to be rebuilt for RH9, then either put into updates-testing (for further QA and VERIFY votes) or, if we feel it is sufficiently verified, placed directly into updates. I don't believe libpng-1.2.2-20.3 for RH9 was ever put into updates-testing.

Does libpng-1.2.2-20.3 for RH9 need more VERIFY votes in addition to Pekka's in comment 45? I would vote no, but does anyone else have an opinion?

------- Additional Comments From dom 2005-02-03 03:10:31 ----

Sorry about this, looks like I screwed up. However I'm rather unwell now so not really able to think clearly about it.

------- Additional Comments From dom 2005-02-03 11:00:19 ----

libpng-1.2.2-20.3 for rh9 now available from the updates-testing repository.

------- Additional Comments From madhatter 2005-02-05 07:44:01 ----

02/04/05 12:43:47 Updated: libpng-devel 2:1.2.2-20.3.legacy.i386
02/04/05 12:43:47 Updated: libpng 2:1.2.2-20.3.legacy.i386

installs OK, pngtest runs fine.
+VERIFY RH9

------- Additional Comments From pekkas 2005-02-26 01:11:58 ----

Should this (or RHL9 in particular) be at "Packages that have been verified and should be fully released" category?

------- Additional Comments From deisenst 2005-02-26 18:44:40 ----

Actually, this bug has been fully verified and has been published to updates. It should be removed from Dominic's issues.txt.

[FLSA-2005:1943] Updated libpng resolves security vulnerabilities:
http://www.redhat.com/archives/fedora-legacy-list/2005-February/msg00093.html

------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 1943 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1943
Originally filed under the Fedora Legacy product and Package request component.

Bug blocks bug(s) 1550.

Attachments:
piece which was dropped on the way to the current version
  https://bugzilla.fedora.us/attachment.cgi?action=view&id=798
differences between officially patched version and 7.3 SRPM 0.7x.7.legacy
  https://bugzilla.fedora.us/attachment.cgi?action=view&id=808
Pekka's QA from comment 32, that verifies with PGP
  https://bugzilla.fedora.us/attachment.cgi?action=view&id=951
Entire advisory (revision 007 29-Oct-04) for libpng-1.2.5 and earlier versions
  https://bugzilla.fedora.us/attachment.cgi?action=view&id=964
Suggested changes to the advisory.
  https://bugzilla.fedora.us/attachment.cgi?action=view&id=970

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
  This bug either had no qa contact or an invalid one.