Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#11949 closed enhancement (fixed)

libpng-1.6.37

Reported by: Douglas R. Reno
Owned by: Xi Ruoyao
Priority: normal
Milestone: 9.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New point version

Change History (14)

comment:1 by Xi Ruoyao, 5 years ago

Owner: changed from blfs-book to Xi Ruoyao
Status: new → assigned

comment:2 by Xi Ruoyao, 5 years ago

Priority: normal → high
Summary: libpng-1.6.37 → libpng-1.6.37 (CVE-2019-7317, CVE-2018-14048, CVE-2018-14550)

Version 1.6.37 [April 14, 2019]
  Fixed a use-after-free vulnerability (CVE-2019-7317) in png_image_free.
  Fixed a memory leak in the ARM NEON implementation of png_do_expand_palette.
  Fixed a memory leak in pngtest.c.
  Fixed two vulnerabilities (CVE-2018-14048, CVE-2018-14550) in
    contrib/pngminus; refactor.
  Changed the license of contrib/pngminus to MIT; refresh makefile and docs.
    (Contributed by Willem van Schaik)
  Fixed a typo in the libpng license v2.
    (Contributed by Miguel Ojeda)
  Added makefiles for AddressSanitizer-enabled builds.
  Cleaned up various makefiles.

comment:3 by Xi Ruoyao, 5 years ago

Priority: high → normal
Summary: libpng-1.6.37 (CVE-2019-7317, CVE-2018-14048, CVE-2018-14550) → libpng-1.6.37

Update to libpng-1.6.37 at r21460. Leave this ticket open to wait for apng patch.

And I think it's OK to remove LIBS=-lpthread now. I'll build some packages depending on libpng to test.

comment:4 by ken@…, 5 years ago

The apng patch is there now, but this version needs -p0 (again).

I have not tested it without specifying LIBS=-lpthread.

in reply to:  4 comment:5 by Xi Ruoyao, 5 years ago

Replying to ken@…:

The apng patch is there now, but this version needs -p0 (again).

Trying.

I have not tested it without specifying LIBS=-lpthread.

Arch does not have LIBS=-lpthread now.

in reply to:  4 comment:6 by Xi Ruoyao, 5 years ago

Replying to ken@…:

The apng patch is there now, but this version needs -p0 (again).

I can't find it...

--2019-04-17 09:58:14--  https://downloads.sourceforge.net/sourceforge/libpng-apng/libpng-1.6.37-apng.patch.gz
Resolving downloads.sourceforge.net (downloads.sourceforge.net)... 216.105.38.13
Connecting to downloads.sourceforge.net (downloads.sourceforge.net)|216.105.38.13|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2019-04-17 09:58:15 ERROR 404: Not Found.

comment:7 by ken@…, 5 years ago

There seem to be bad/outdated links again at SF. The first match from google only went up to 1.6.36. A later match (in firefox) took me via https://sourceforge.net/projects/apng/files/libpng/ - NOTE: apng not libpng-apng - to https://sourceforge.net/projects/apng/files/libpng/libpng16/ where libpng-1.6.37-apng.patch.gz is visible.

Please try wget https://downloads.sourceforge.net/sourceforge/apng/libpng-1.6.37-apng.patch.gz (works for me).

comment:8 by ken@…, 5 years ago

Hmm, both places have patches for 1.6.36. The apng site is again -p0 (I suspect we've maybe used it at times in the past). Applying both variants to 1.6.36 and diffing the result, the apng version calls itself 'libpng 1.6.36+apng' and has various differences in the code.

I've put the diff between the two versions of 1.6.36 at http://www.linuxfromscratch.org/~ken/test-patches/diff-1.6.36.patched - knowing little about the history, both seem to have things which are not in the other, but look as if they might be correct.

*NOT* patching libpng for apng means that mozilla packages will continue to use vulnerable code. I don't know where we go from here.

I eventually found a gentoo-related ebuild (I'm never sure if these are real gentoo) referencing 1.6.37 from the /apng/ variant at https://data.gpo.zugaina.org/gentoo/media-libs/libpng/libpng-1.6.37.ebuild

As to the LIBS=-lpthread, it was reinstated in late 2017. I'll try updating some systems (current, and older) without that - but there might be a delay (I've got a cold).

in reply to:  8 comment:9 by Xi Ruoyao, 5 years ago

Replying to ken@…:

Hmm, both places have patches for 1.6.36. The apng site is again -p0 (I suspect we've maybe used it at times in the past). Applying both variants to 1.6.36 and diffing the result, the apng version calls itself 'libpng 1.6.36+apng' and has various differences in the code.

I've put the diff between the two versions of 1.6.36 at http://www.linuxfromscratch.org/~ken/test-patches/diff-1.6.36.patched - knowing little about the history, both seem to have things which are not in the other, but look as if they might be correct.

*NOT* patching libpng for apng means that mozilla packages will continue to use vulnerable code. I don't know where we go from here.

Now the book is patching libpng for apng with old apng patch (for 1.6.36). It can be applied but I'm not sure if there are some issues.

Arch libpng-1.6.37 (in testing) does the same thing.

I eventually found a gentoo-related ebuild (I'm never sure if these are real gentoo) referencing 1.6.37 from the /apng/ variant at https://data.gpo.zugaina.org/gentoo/media-libs/libpng/libpng-1.6.37.ebuild

As to the LIBS=-lpthread, it was reinstated in late 2017. I'll try updating some systems (current, and older) without that - but there might be a delay (I've got a cold).

I think it's not necessary any more. libpng.so and the libpng headers have no reference to pthread.

Last edited 5 years ago by Xi Ruoyao

comment:10 by ken@…, 5 years ago

I agree that referencing -lpthread is no longer needed (I wondered if something in the LFS toolchain 18 months ago perhaps caused it, but releases back as far as 8.1 don't need it).

For firefox-on-system-libpng I found some example apng files (these work in 1.6.37 with the apng .37 patch):

https://commons.wikimedia.org/wiki/File:Animated_PNG_example_bouncing_beach_ball.png

Comparison of cartoon dancing elephant, gif and png (not identical) at https://apng.onevcat.com/demo/

Comparison of gif, apng, webp, lossy webp (all versions of test 4 appear non-animated to me): http://littlesvr.ca/apng/gif_apng_webp.html

If those work with the libpng-apng .36 patch, all is good.

in reply to:  10 comment:11 by Xi Ruoyao, 5 years ago

Replying to ken@…:

I agree that referencing -lpthread is no longer needed (I wondered if something in the LFS toolchain 18 months ago perhaps caused it, but releases back as far as 8.1 don't need it).

For firefox-on-system-libpng I found some example apng files (these work in 1.6.37 with the apng .37 patch):

https://commons.wikimedia.org/wiki/File:Animated_PNG_example_bouncing_beach_ball.png

Comparison of cartoon dancing elephant, gif and png (not identical) at https://apng.onevcat.com/demo/

Comparison of gif, apng, webp, lossy webp (all versions of test 4 appear non-animated to me): http://littlesvr.ca/apng/gif_apng_webp.html

If those work with the libpng-apng .36 patch, all is good.

All of them work with .36 patch.

comment:12 by Bruce Dubbs, 5 years ago

https://downloads.sourceforge.net/sourceforge/libpng-apng/libpng-1.6.36-apng.patch.gz

md5sum f02073fd96816b184c79b297775e37dc

Applies with -p1

Built without -lpthread. All tests pass (0.7 SBU).
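
The three checks this thread keeps coming back to (does the downloaded patch match the published checksum, does it want -p0 or -p1, and does the built library still reference pthread, as raised in comments 3, 9 and 12) can be scripted. The following is an added example, not code from the ticket, from libpng or from the apng project. It assumes POSIX sh with md5sum, patch and nm available; the source tree and the unified diff it tests against are constructed here (the real apng patch is not embedded), and the helpers take an absolute path to the patch file.

```shell
#!/bin/sh
# Added example (not from the BLFS ticket, libpng or apng): helpers for the
# steps discussed in the thread.  Assumes POSIX sh plus md5sum, patch and nm.

# verify_md5 FILE EXPECTED: succeed only if FILE's MD5 matches EXPECTED.
# Run this before applying anything fetched from a mirror with stale links.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# detect_strip_level PATCH DIR: print the smallest -pN (0..3) with which a
# dry run of PATCH applies cleanly inside DIR; fail if none does.  PATCH must
# be an absolute path because the function cd's into DIR.  -f stops patch
# from prompting when a path does not exist, -s keeps it quiet.
detect_strip_level() {
    for n in 0 1 2 3; do
        if (cd "$2" && patch --dry-run -f -s -p"$n" -i "$1" >/dev/null 2>&1); then
            echo "$n"
            return 0
        fi
    done
    return 1
}

# lib_imports_pthread LIB: succeed if the shared library still has undefined
# pthread_* symbols, i.e. it would still need -lpthread on older toolchains.
lib_imports_pthread() {
    nm -D --undefined-only "$1" 2>/dev/null | grep -q ' pthread_'
}

# headers_mention_pthread DIR: succeed if any png*.h under DIR refers to pthread.
headers_mention_pthread() {
    grep -ql pthread "$1"/png*.h 2>/dev/null
}

# demo_setup: build a constructed source tree and a constructed unified diff
# (not the real apng patch).  Its paths carry one leading component (a/, b/),
# so, like the libpng-apng mirror's patch, it needs -p1 when applied inside
# src/.  Prints the temporary directory it created.
demo_setup() {
    demo=$(mktemp -d)
    mkdir -p "$demo/src"
    printf 'hello\n' > "$demo/src/greet.txt"
    cat > "$demo/demo.patch" <<'EOF'
--- a/greet.txt
+++ b/greet.txt
@@ -1 +1 @@
-hello
+hello, world
EOF
    echo "$demo"
}

# Stand-alone run: report what the helpers find for the constructed data.
# The expected MD5 below is that of the constructed file, not of any real patch.
demo_main() {
    d=$(demo_setup)
    if verify_md5 "$d/src/greet.txt" b1946ac92492d2347c6235b4d2611184; then
        echo "checksum ok"
    else
        echo "checksum MISMATCH, do not apply"
    fi
    if command -v patch >/dev/null 2>&1; then
        echo "patch applies with -p$(detect_strip_level "$d/demo.patch" "$d/src")"
    fi
    rm -rf "$d"
}

demo_main
```

For the real patch, pass the md5sum quoted in the comment above as EXPECTED and the unpacked libpng-1.6.37 directory as DIR; after `make`, `lib_imports_pthread .libs/libpng16.so` answers the -lpthread question directly instead of relying on a successful build of dependent packages.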

comment:13 by Bruce Dubbs, 5 years ago

Resolution: fixed
Status: assigned → closed

I'm going to close this as fixed. The apng patch is now in the book.

comment:14 by Bruce Dubbs, 5 years ago

Milestone: 8.5 → 9.0

Milestone renamed
