update vulnerable libpng to fixed version?


fer...@iib.unsam.edu.ar
Aug 4, 2004, 3:13:03 PM
Hi!

according to this tech report
http://www.us-cert.gov/cas/techalerts/TA04-217A.html
there are a number of vulnerabilities in libpng that are
fixed in 1.2.6rc1

is an update of the port being worked on? I'm eager to do a
'portupgrade -r png'.

Fernan

--
Fernan Aguero - fernan at iib.unsam.edu.ar
Phone: +54 11 4580-7255/7 ext 310, Fax: +54 11 4752-9639
Check http://genoma.unsam.edu.ar/~fernan for more info.
_______________________________________________
freebs...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-port...@freebsd.org"

Alex...@leidinger.net
Aug 5, 2004, 5:43:12 AM
On Wed, 4 Aug 2004 16:38:02 -0400
Charles Swiger <csw...@mac.com> wrote:

> I am unsure what the changes found in patch-pnggccrd.c do (what does
> "rim" (_const4) mean in x86 assembly, anyway?), but the program
> compiles and passes its self-test without that patch.

---snip---
revision 1.4
date: 2004/07/24 10:12:36; author: ache; state: Exp; lines: +24 -2
Fix compiling with gcc 3.4

Submitted by: Andreas Kohn <and...@syndrom23.de>
----------------------------
revision 1.3
date: 2003/12/08 13:28:18; author: netchild; state: Exp; lines: +32 -13
Add patch to allow advanced optimizations with icc (portrevision bumped).

This patch was tested with icc and gcc, the bugtracker ID @sf is:
http://sourceforge.net/tracker/index.php?func=detail&aid=854293&group_id=5624&atid=105624

Fix suggested by: Intel
Approved by: maintainer
---snip---

Bye,
Alexander.

--
I'm available to get hired (preferred in .lu).

http://www.Leidinger.net Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7

csw...@mac.com
Aug 5, 2004, 11:16:22 AM
Andrey Chernov wrote:
> On Wed, Aug 04, 2004 at 04:38:02PM -0400, Charles Swiger wrote:
[ ... ]
>> Here's a diff which updates the png port to 1.2.6rc1:
>
> We can't make public what is intentionally non-public, from
> libpng-1.2.6rc1-README.txt:
>
> Libpng 1.2.6rc1 - August 4, 2004
>
> This is not intended to be a public release. It will be replaced
> within a few weeks by a public version or by another test version.

Certainly it is OK by me if you want to wait for a few weeks; I've already
updated my systems which are using libpng. What you've said about the README
is topical and I acknowledge the point you make.

However, having 1.2.6rc1 listed as the recommended upgrade path in a CERT
advisory probably makes 1.2.6rc1 more public than it would have been,
otherwise. Speaking of which, the CERT advisory reads:

In the case of VU#388984, an attacker with the ability to introduce a
malformed PNG image to a vulnerable application could cause the
application to crash or could potentially execute arbitrary code with
the privileges of the user running the affected application.

I believe this means that the severity of the bug is critical in terms of
security, and that the exploit is as easy as having someone browse past a
malicious website containing a PNG image and/or opening a mail message
containing one (for someone running Mozilla, KDE's Mailwhichamacallit, etc).

I don't know that any exploits exist today which try to take advantage of the
issue, and I would expect the bad guys to target Windows first, Linux second,
and other platforms third-- but please, let's fix this sooner rather than
later by finding out the hard way that I was wrong.

--
-Chuck

ac...@nagual.pp.ru
Aug 5, 2004, 11:29:32 AM
On Thu, Aug 05, 2004 at 11:16:06AM -0400, Chuck Swiger wrote:
> However, having 1.2.6rc1 listed as the recommended upgrade path in a CERT
> advisory probably makes 1.2.6rc1 more public than it would have been,
> otherwise. Speaking of which, the CERT advisory reads:
>
> In the case of VU#388984, an attacker with the ability to introduce a
> malformed PNG image to a vulnerable application could cause the
> application to crash or could potentially execute arbitrary code with
> the privileges of the user running the affected application.

Since CERT entry VU#388984 does not point to any patch, I can only guess that
this bug is fixed by the official 0-11 patches I committed several hours ago.

--
Andrey Chernov | http://ache.pp.ru/

csw...@mac.com
Aug 5, 2004, 12:09:55 PM
Andrey Chernov wrote:

> On Thu, Aug 05, 2004 at 07:29:15PM +0400, Andrey Chernov wrote:
>> Since CERT entry VU#388984 does not point to any patch, I can only guess that
>> this bug is fixed by the official 0-11 patches I committed several hours ago.
[ ... ]
> "NOTE! This patch serves as demo purposes for the flaws only. An official
> v1.2.6 libpng with an official, slightly different fix will be released by
> the libpng team in parallel with this advisory."
>
> What is in 1.2.6 in that place is equal to 1.2.5 official patches. Patch
> from CESA is not used.

Perhaps CERT jumped the gun on releasing the advisory, before the libpng
people had a chance to fully test 1.2.6? You seem to be suggesting so, and it
wouldn't be the first time CERT has released something without full
coordination with the authors.

Anyway, if the issues identified in 1.2.5 are updated by patches which you're
committing today, so much the better. Thanks for responding so quickly.

--
-Chuck

ac...@nagual.pp.ru
Aug 5, 2004, 12:16:00 PM
On Thu, Aug 05, 2004 at 12:09:35PM -0400, Chuck Swiger wrote:
> Anyway, if the issues identified in 1.2.5 are updated by patches which
> you're committing today, so much the better. Thanks for responding so
> quickly.

At least, I tried their example image
http://scary.beasts.org/misc/pngtest_bad.png
with the officially 0-11 patched 1.2.5 and it does not crash, but produces an error.

--
Andrey Chernov | http://ache.pp.ru/
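As an added defender-side illustration, not code from this thread, from libpng or from the FreeBSD port: a minimal PNG chunk-structure check in Python that rejects the kind of malformed file the advisory describes (chunk lengths that overrun the file, CRC mismatches, oversize PLTE) before the bytes ever reach a decoder. The sample images are constructed inline; the function names are my own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def validate_png(buf: bytes) -> list:
    """Walk the chunk list and return a list of structural problems (empty = sound).
    A pre-decode sanity gate only; it does not replace a patched libpng."""
    if not buf.startswith(PNG_SIGNATURE):
        return ["bad PNG signature"]
    problems, pos, first, seen_iend = [], len(PNG_SIGNATURE), True, False
    while pos < len(buf):
        if len(buf) - pos < 12:                      # need length + type + CRC at minimum
            problems.append(f"truncated chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        remaining = len(buf) - pos - 12
        if length > 0x7FFFFFFF:                      # PNG spec caps chunk length at 2^31-1
            problems.append(f"chunk {ctype!r} length {length} exceeds PNG limit")
            break
        if length > remaining:                       # declared length overruns the file
            problems.append(f"chunk {ctype!r} declares {length} bytes but only {remaining} remain")
            break
        data = buf[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", buf[pos + 8 + length:pos + 12 + length])[0]
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            problems.append(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        if first and ctype != b"IHDR":
            problems.append("first chunk is not IHDR")
        if ctype == b"IHDR" and length != 13:
            problems.append(f"IHDR length {length}, expected 13")
        if ctype == b"PLTE" and (length % 3 or length > 768):  # max 256 RGB entries
            problems.append(f"PLTE length {length} is not a multiple of 3 <= 768")
        first = False
        if ctype == b"IEND":
            seen_iend = True
            break
        pos += 12 + length
    if not seen_iend:
        problems.append("no IEND chunk")
    return problems

# Constructed samples: a valid 1x1 8-bit grayscale PNG, and one whose PLTE chunk
# claims 65536 bytes while the file holds only 16 (the decoder would read past the end).
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD_PNG = (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR)
            + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b""))
BAD_PNG = PNG_SIGNATURE + make_chunk(b"IHDR", IHDR) + struct.pack(">I", 0x10000) + b"PLTE" + b"\x00" * 16
```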
