On 2015-11-14 12:54 -0800, Josh Triplett wrote: > Package: libpng12-0 > Version: 1.2.50-2+b2 > Severity: critical > Tags: security upstream > > Quoting https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8126 >> Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE >> functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and >> 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow >> remote >> attackers to cause a denial of service (application crash) or possibly have >> unspecified other impact via a small bit-depth value in an IHDR (aka image >> header) chunk in a PNG image. > > In particular, "1.1.x and 1.2.x before 1.2.54".
On 2015-10-26 19:03 +0100, Salvatore Bonaccorso wrote: > Source: libpng > Version: 1.2.44-1 > Severity: important > Tags: security upstream patch fixed-upstream > Forwarded: http://sourceforge.net/p/libpng/bugs/241/ > > Hi, > > the following vulnerability was published for libpng. > > CVE-2015-7981[0]: > out-of-bound read vulnerability > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. I have made a local package with libpng 1.2.54 for myself; if anybody is interested, a filtered debdiff containing only the changes in the debian directory is attached. The debian/watch file does not work; I have downloaded libpng-1.2.54.tar.xz from ftp://ftp.simplesystems.org/pub/libpng/png/src/libpng12/, where there is also a detached signature. Cheers, Sven
diff -Nru libpng-1.2.50/debian/changelog libpng-1.2.54/debian/changelog --- libpng-1.2.50/debian/changelog 2014-07-26 04:27:22.000000000 +0200 +++ libpng-1.2.54/debian/changelog 2015-11-16 17:56:27.000000000 +0100 @@ -1,3 +1,13 @@ +libpng (1.2.54-0local1) UNRELEASED; urgency=high + + * New upstream release. + - Fix multiple buffer overflows [CVE-2015-8126] (Closes: #805113). + - Fix out of bound read [CVE-2015-7981] (Closes: #803078). + * Drop patch 02-required-space.patch, applied upstream. + * Update remaining patches. + + -- Sven Joachim <svenj...@gmx.de> Mon, 16 Nov 2015 17:56:26 +0100 + libpng (1.2.50-2) unstable; urgency=medium * Merge 1.2.50-1ubuntu3. diff -Nru libpng-1.2.50/debian/docs libpng-1.2.54/debian/docs --- libpng-1.2.50/debian/docs 2014-01-27 04:04:53.000000000 +0100 +++ libpng-1.2.54/debian/docs 2015-11-16 14:45:07.000000000 +0100 @@ -1,3 +1,3 @@ -libpng-1.2.50.txt +libpng-1.2.54.txt README TODO diff -Nru libpng-1.2.50/debian/libpng12-0.doc-base libpng-1.2.54/debian/libpng12-0.doc-base --- libpng-1.2.50/debian/libpng12-0.doc-base 2014-01-27 04:05:25.000000000 +0100 +++ libpng-1.2.54/debian/libpng12-0.doc-base 2015-11-16 14:45:05.000000000 +0100 @@ -22,4 +22,4 @@ Section: Programming Format: text -Files: /usr/share/doc/libpng12-0/libpng-1.2.50.txt.gz +Files: /usr/share/doc/libpng12-0/libpng-1.2.54.txt.gz diff -Nru libpng-1.2.50/debian/libpng12-0.docs libpng-1.2.54/debian/libpng12-0.docs --- libpng-1.2.50/debian/libpng12-0.docs 2014-01-27 04:05:06.000000000 +0100 +++ libpng-1.2.54/debian/libpng12-0.docs 2015-11-16 14:44:43.000000000 +0100 @@ -2,4 +2,4 @@ TODO ANNOUNCE KNOWNBUG -libpng-1.2.50.txt +libpng-1.2.54.txt diff -Nru libpng-1.2.50/debian/patches/01-legacy.patch libpng-1.2.54/debian/patches/01-legacy.patch --- libpng-1.2.50/debian/patches/01-legacy.patch 2014-07-26 04:14:18.000000000 +0200 +++ libpng-1.2.54/debian/patches/01-legacy.patch 2015-11-16 14:26:57.000000000 +0100 
@@ -1,23 +1,7 @@ -Index: libpng-1.2.50/libpng-1.2.50.txt +Index: libpng-1.2.54/png.h =================================================================== ---- libpng-1.2.50.orig/libpng-1.2.50.txt -+++ libpng-1.2.50/libpng-1.2.50.txt -@@ -1049,8 +1049,9 @@ the normalized graylevel is computed: - gray = (rw*red + gw*green + bw*blue)/65536; - - The default values approximate those recommended in the Charles --Poynton's Color FAQ, <http://www.inforamp.net/~poynton/> --Copyright (c) 1998-01-04 Charles Poynton <poynton at inforamp.net> -+Poynton's Color FAQ, -+<http://www.poynton.com/notes/colour_and_gamma/ColorFAQ.html> -+Copyright (c) 2006-11-28 Charles Poynton <poynton at poynton.com> - - Y = 0.212671 * R + 0.715160 * G + 0.072169 * B - -Index: libpng-1.2.50/png.h -=================================================================== ---- libpng-1.2.50.orig/png.h -+++ libpng-1.2.50/png.h +--- libpng-1.2.54.orig/png.h ++++ libpng-1.2.54/png.h @@ -1902,15 +1902,17 @@ extern PNG_EXPORT(void,png_destroy_read_ png_ptr_ptr, png_infopp info_ptr_ptr, png_infopp end_info_ptr_ptr)); @@ -39,10 +23,10 @@ /* Set the libpng method of handling chunk CRC errors */ extern PNG_EXPORT(void,png_set_crc_action) PNGARG((png_structp png_ptr, -Index: libpng-1.2.50/png.5 +Index: libpng-1.2.54/png.5 =================================================================== ---- libpng-1.2.50.orig/png.5 -+++ libpng-1.2.50/png.5 +--- libpng-1.2.54.orig/png.5 ++++ libpng-1.2.54/png.5 @@ -18,7 +18,11 @@ gamma and chromaticity data for improved platforms. diff -Nru libpng-1.2.50/debian/patches/02-required-space.patch libpng-1.2.54/debian/patches/02-required-space.patch --- libpng-1.2.50/debian/patches/02-required-space.patch 2014-07-26 04:14:30.000000000 +0200 +++ libpng-1.2.54/debian/patches/02-required-space.patch 1970-01-01 01:00:00.000000000 +0100 
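Review bot: The refreshed 01-legacy.patch loses its whole libpng-1.2.50.txt section (the Poynton Color FAQ URL and copyright update) in the first hunk, yet the changelog entry only says `* Update remaining patches.`. Whether upstream 1.2.54 already carries that text, or the section was dropped because the file is now libpng-1.2.54.txt, cannot be told from this debdiff. For an upload that fixes two CVEs, an itemised refresh makes the packaging delta easier to audit, e.g. a changelog line such as `* 01-legacy.patch: drop the libpng-*.txt hunk (<reason>), refresh the rest.`.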
@@ -1,37 +0,0 @@
-Description: Add a space between literal and identifier for C++11
- This seems to be fixed in upstream version 1.2.51.
-Forwarded: not-needed
-Bug-Ubuntu: http://launchpad.net/bugs/1298779
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676157
-
-Index: libpng-1.2.50/png.h
-===================================================================
---- libpng-1.2.50.orig/png.h
-+++ libpng-1.2.50/png.h
-@@ -2658,7 +2658,7 @@ extern PNG_EXPORT(void, png_write_png) P
- # define png_debug(l,m) \
- { \
- int num_tabs=l; \
-- fprintf(PNG_DEBUG_FILE,"%s"m PNG_STRING_NEWLINE,(num_tabs==1 ? "\t" : \
-+ fprintf(PNG_DEBUG_FILE,"%s" m PNG_STRING_NEWLINE,(num_tabs==1 ? "\t" : \
- (num_tabs==2 ? "\t\t":(num_tabs>2 ? "\t\t\t":"")))); \
- }
- # endif
-@@ -2666,7 +2666,7 @@ extern PNG_EXPORT(void, png_write_png) P
- # define png_debug1(l,m,p1) \
- { \
- int num_tabs=l; \
-- fprintf(PNG_DEBUG_FILE,"%s"m PNG_STRING_NEWLINE,(num_tabs==1 ? "\t" : \
-+ fprintf(PNG_DEBUG_FILE,"%s" m PNG_STRING_NEWLINE,(num_tabs==1 ? "\t" : \
- (num_tabs==2 ? "\t\t":(num_tabs>2 ? "\t\t\t":""))),p1); \
- }
- # endif
-@@ -2674,7 +2674,7 @@ extern PNG_EXPORT(void, png_write_png) P
- # define png_debug2(l,m,p1,p2) \
- { \
- int num_tabs=l; \
-- fprintf(PNG_DEBUG_FILE,"%s"m PNG_STRING_NEWLINE,(num_tabs==1 ? "\t" : \
-+ fprintf(PNG_DEBUG_FILE,"%s" m PNG_STRING_NEWLINE,(num_tabs==1 ? "\t" : \
- (num_tabs==2 ? "\t\t":(num_tabs>2 ? "\t\t\t":""))),p1,p2); \
- }
- # endif
diff -Nru libpng-1.2.50/debian/patches/libpng-config.diff libpng-1.2.54/debian/patches/libpng-config.diff
--- libpng-1.2.50/debian/patches/libpng-config.diff 2014-07-26 04:14:41.000000000 +0200
+++ libpng-1.2.54/debian/patches/libpng-config.diff 2015-11-16 14:29:47.000000000 +0100
@@ -1,7 +1,7 @@ -Index: libpng-1.2.50/scripts/libpng-config-body.in +Index: libpng-1.2.54/scripts/libpng-config-body.in =================================================================== ---- libpng-1.2.50.orig/scripts/libpng-config-body.in -+++ libpng-1.2.50/scripts/libpng-config-body.in +--- libpng-1.2.54.orig/scripts/libpng-config-body.in ++++ libpng-1.2.54/scripts/libpng-config-body.in @@ -7,7 +7,7 @@ Usage: libpng-config [OPTION] ... Known values for OPTION are: @@ -20,10 +20,10 @@ echo ${libdir} ;; -Index: libpng-1.2.50/scripts/libpng-config.in +Index: libpng-1.2.54/scripts/libpng-config.in =================================================================== ---- libpng-1.2.50.orig/scripts/libpng-config.in -+++ libpng-1.2.50/scripts/libpng-config.in +--- libpng-1.2.54.orig/scripts/libpng-config.in ++++ libpng-1.2.54/scripts/libpng-config.in @@ -14,12 +14,13 @@ version="@PNGLIB_VERSION@" prefix="@prefix@" diff -Nru libpng-1.2.50/debian/patches/series libpng-1.2.54/debian/patches/series --- libpng-1.2.50/debian/patches/series 2014-07-26 04:02:17.000000000 +0200 +++ libpng-1.2.54/debian/patches/series 2015-11-16 14:29:24.000000000 +0100 @@ -1,3 +1,2 @@ 01-legacy.patch -02-required-space.patch libpng-config.diff