Bug 12646 - libpng: Various vulnerabilites (CVE)
: libpng: Various vulnerabilites (CVE)
Status: NEW
Product: Maemo 5 Community SSU
general
: testing
: N900 Maemo
: Unspecified major (vote)
: ---
Assigned To: unassigned
: general
:
:
:
:
  Show dependency tree
 
Reported: 2012-08-10 15:34 UTC by Andre Klapper
Modified: 2013-02-19 21:17 UTC (History)
1 user (show)

See Also:


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description Andre Klapper (reporter) maemo.org 2012-08-10 15:34:49 UTC
Latest CSSU-Testing ships libpng12-0 1.2.37-1maemo3+0m5.

The "patches" subdirectory of
http://repository.maemo.org/pool/fremantle/free/libp/libpng3/libpng3_1.2.37-1maemo3+0m5.tar.gz
shows that
CVE-2010-0205, CVE-2010-1205, CVE-2010-2249 have been fixed in this package.
CVE-2011-0408, CVE-2011-3328, CVE-2011-3464 do not apply to this version.
CVE-2011-2690 likely does not apply either as I cannot find png_rgb_to_gray()
in the Maemo5 tarball.


I didn't check the Maemo codebase as I don't have that much time but I highly
assume that the following issues are still unfixed in Maemo:

CVE-2011-2501
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=65e6d5a34f49acdb362a0625a706c6b914e670af

CVE-2011-2691
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=9dad5e37aef295b4ef8dea39392b652deebc9261

CVE-2011-2692
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=61a2d8a2a7b03023e63eae9a3e64607aaaa6d339

CVE-2011-3026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026
about png_decompress_chunk()
Fixed in upstream version 1.2.47 but I'm too stupid to isolate a patch.

CVE-2011-3045
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=a8c319a2b281af68f7ca0e2f9a28ca57b44ceb2b

CVE-2011-3048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048
about png_set_text_2() in pngset.c.
Fixed in upstream version 1.2.49 but I'm too stupid to isolate a patch.
Comment 1 Ludek Finstrle 2013-02-19 21:17:13 UTC
freemangordon and me were upgrading libpng to 1.2.49.
It's in CSSU-devel right now.