libpng: Incomplete fix for CVE-2015-8126

Related Vulnerabilities: CVE-2015-8126, CVE-2015-8472, CVE-2015-8540

Debian Bug report logs - #807112

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 5 Dec 2015 13:27:02 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in versions libpng/1.2.54-1, libpng/1.2.50-2+deb8u1, libpng/1.2.44-1+squeeze5, libpng/1.2.49-1+deb7u1, libpng/1.2.44-1

Fixed in versions libpng/1.2.50-2+deb8u2, libpng/1.2.49-1+deb7u2, libpng/1.2.44-1+squeeze6

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#807112; Package src:libpng. (Sat, 05 Dec 2015 13:27:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>. (Sat, 05 Dec 2015 13:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpng: Incomplete fix for CVE-2015-8126
Date: Sat, 05 Dec 2015 14:25:14 +0100
Source: libpng
Version: 1.2.54-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for libpng. It turned out
that the fix for CVE-2015-8126 was not complete, cf. [0]. New versions
fixing CVE-2015-8472 were released as 1.6.20, 1.5.25, 1.4.18,
1.2.55, and 1.0.65.

CVE-2015-8472[1]:
Incomplete fix for CVE-2015-8126

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://marc.info/?l=oss-security&m=144929077710907&w=2
[1] https://security-tracker.debian.org/tracker/CVE-2015-8472

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions libpng/1.2.49-1+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 27 Dec 2015 22:15:09 GMT)


Marked as found in versions libpng/1.2.50-2+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 27 Dec 2015 22:15:10 GMT)


Marked as found in versions libpng/1.2.44-1+squeeze5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 27 Dec 2015 22:15:11 GMT)


Marked as fixed in versions libpng/1.2.44-1+squeeze6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 27 Dec 2015 22:15:12 GMT)


Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 13 Jan 2016 21:36:07 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 15 Jan 2016 10:21:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 15 Jan 2016 10:21:14 GMT)


Message #20 received at 807112-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 807112-close@bugs.debian.org
Subject: Bug#807112: fixed in libpng 1.2.50-2+deb8u2
Date: Fri, 15 Jan 2016 10:17:21 +0000
Source: libpng
Source-Version: 1.2.50-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807112@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 07 Jan 2016 20:05:55 +0100
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source
Version: 1.2.50-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 807112 807694
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Changes:
 libpng (1.2.50-2+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patches to address CVE-2015-8472.
     CVE-2015-8472: Incomplete fix for callers on png_set_PLTE. (Closes: #807112)
   * Add CVE-2015-8540.patch patch.
     CVE-2015-8540: underflow read in png_check_keyword(). (Closes: #807694)
Checksums-Sha1: 
 9eb6758421f388efc66f8cc3f5b3faf2ec6936de 2036 libpng_1.2.50-2+deb8u2.dsc
 a272ff50e3a069b13c5bd1dc8ed17c65dfba7868 21496 libpng_1.2.50-2+deb8u2.debian.tar.xz
Checksums-Sha256: 
 ba814b51b9faaac1c0d1c3637013dd37facf87ea9e47348be423747f20f1fb9d 2036 libpng_1.2.50-2+deb8u2.dsc
 04b9bda0c27bc2d5628f8419e4674500b74d5cfc75219c5952c5c5b2de2f8106 21496 libpng_1.2.50-2+deb8u2.debian.tar.xz
Files: 
 11b559c29411e458d94d6d75bcab29cc 2036 libs optional libpng_1.2.50-2+deb8u2.dsc
 29f4114a09887deb5faf0c52d22fcf05 21496 libs optional libpng_1.2.50-2+deb8u2.debian.tar.xz





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 15 Jan 2016 10:21:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 15 Jan 2016 10:21:18 GMT)


Message #25 received at 807112-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 807112-close@bugs.debian.org
Subject: Bug#807112: fixed in libpng 1.2.49-1+deb7u2
Date: Fri, 15 Jan 2016 10:18:21 +0000
Source: libpng
Source-Version: 1.2.49-1+deb7u2

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807112@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 07 Jan 2016 20:07:15 +0100
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source amd64
Version: 1.2.49-1+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Closes: 807112 807694
Changes: 
 libpng (1.2.49-1+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patches to address CVE-2015-8472.
     CVE-2015-8472: Incomplete fix for callers on png_set_PLTE. (Closes: #807112)
   * Add CVE-2015-8540.patch patch.
     CVE-2015-8540: underflow read in png_check_keyword(). (Closes: #807694)
Checksums-Sha1: 
 4e9810cb55eabab54614004e37da1a320670ddb0 1987 libpng_1.2.49-1+deb7u2.dsc
 7afa432b0f15dc820aa41f53050adaa2a69ccfa5 19640 libpng_1.2.49-1+deb7u2.debian.tar.bz2
 e6d6b5dae34a2be8d3237d828e07c331aa738fba 190704 libpng12-0_1.2.49-1+deb7u2_amd64.deb
 8fbd2103d193915cc663e6b37ac533a63229925d 267422 libpng12-dev_1.2.49-1+deb7u2_amd64.deb
 8ebdc9aa738decc300bc19436ce954952fe314a0 954 libpng3_1.2.49-1+deb7u2_amd64.deb
 c486a3e497c3250284d8c2b8f1502416e1e9f76d 64032 libpng12-0-udeb_1.2.49-1+deb7u2_amd64.udeb
Checksums-Sha256: 
 9386a11848d1913d4e091e29d069693ba0a232b85d2fb32112d3b0c000a09f5d 1987 libpng_1.2.49-1+deb7u2.dsc
 76b2cf0247a62cb41eabc1a5ba4b6599ad73c56654700040bf23e7c6d8c627a7 19640 libpng_1.2.49-1+deb7u2.debian.tar.bz2
 a2095d2fa94c890a507d7f3824f7d499b93722cf636fcd037db3ae59c46c8b5d 190704 libpng12-0_1.2.49-1+deb7u2_amd64.deb
 599991eae3a8bf8623222ca0775a6c114c5a404254f4ebf5e91b3891fb0be848 267422 libpng12-dev_1.2.49-1+deb7u2_amd64.deb
 6b7c0f865fea2de4d9ad862add64d77bc28a7f4f73ddcb68f4c3b011a13768de 954 libpng3_1.2.49-1+deb7u2_amd64.deb
 6b0f0410a328c04a7b65a4294f7192fb71e20b4895bbed93c60951b574df6a7e 64032 libpng12-0-udeb_1.2.49-1+deb7u2_amd64.udeb
Files: 
 78fe01e240f292cf992c134fb3c6de62 1987 libs optional libpng_1.2.49-1+deb7u2.dsc
 94fae174e9a922613ec9818faa60f526 19640 libs optional libpng_1.2.49-1+deb7u2.debian.tar.bz2
 326043809e1278bc4f57dd65a6465bbc 190704 libs optional libpng12-0_1.2.49-1+deb7u2_amd64.deb
 ab27dcc1957c6088d6d0b4821f27e120 267422 libdevel optional libpng12-dev_1.2.49-1+deb7u2_amd64.deb
 39cd19b67fdc0eb762c98c03d75ccb26 954 oldlibs optional libpng3_1.2.49-1+deb7u2_amd64.deb
 1687a6aa04cbc51d836e2496dc54240b 64032 debian-installer extra libpng12-0-udeb_1.2.49-1+deb7u2_amd64.udeb





Marked as found in versions libpng/1.2.44-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 28 Feb 2016 19:30:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 23 Jun 2016 07:25:34 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:46:24 2019; Machine Name: buxtehude
