Bug#650601: [png-mng-implement] Lack of security in libpng 1.2
On Sat, Feb 18, 2012 at 10:42:34PM -0800, jbow...@acm.org wrote:
> There are a lot of negatives in the following sentence, bear with me, or believe me and take note of the final sentence before my signature in this message.
>
> Glenn has pointed out to me that even though libpng 1.2.46 never assigns the 'default' to the limit variable in png_struct (which, in fact, does not exist in 1.2) the code in pngread.c never actually checks that non-existent variable because the checking code is protected by another random sequence of characters; from libpng-1.2.46::pngrutil.c:
>
>    #ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
>       if (png_ptr->user_chunk_malloc_max &&
>           (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
>    #else
>    #  ifdef PNG_USER_CHUNK_MALLOC_MAX
>       if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
>           prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
>    #  endif
>    #endif
>
> I.e. PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED is another variant on the always-undefined macro from pngread.c PNG_SET_USER_CHUNK_MALLOC_MAX; so far as I can see short of an explicit -D in CFLAGS there is no way to get these macros defined in a build of libpng 1.2
>
> So... in fact libpng-1.2 as it currently stands has no way of preventing attacks based on the relatively simple approach revealed by Google of sending a PNG with an unnaturally large iCCP.
>
> I simply suggest that no one uses libpng 1.2; it's not safe.
>
> John Bowler
> jbow...@acm.org

The message above is part of a discussion in the libpng development mailing list about the *lack* of security of libpng 1.2, after the last vulnerability was discovered by the chrome folks. For more details see http://sourceforge.net/mailarchive/message.php?msg_id=28856022

So, the message is to move away from libpng 1.2 in Debian as soon as we can.

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
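As an added example (not code from the thread or from libpng), here is the check John describes as unreachable in libpng 1.2, done by a stand-alone PNG chunk scanner: the iCCP zlib stream is inflated under a hard output cap standing in for user_chunk_malloc_max, so an oversized profile is rejected instead of allocated. The chunk builder, the 1 MiB limit and the "demo" profile name are assumptions for the demo.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Cap on prefix + expanded size of a compressed chunk: the role of libpng's
# user_chunk_malloc_max, which the thread says 1.2 never enforces. 1 MiB is
# an assumed value for this demo.
MAX_EXPANDED = 1 << 20


def png_chunk(ctype, payload):
    """Serialize one chunk: length, type, payload, CRC over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(profile):
    """Constructed 1x1 greyscale PNG whose iCCP chunk carries `profile`."""
    ihdr = png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    iccp = png_chunk(b"iCCP", b"demo\x00\x00" + zlib.compress(profile, 9))
    idat = png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + pixel
    return PNG_SIG + ihdr + iccp + idat + png_chunk(b"IEND", b"")


def iter_chunks(data):
    """Yield (type, payload) for each chunk; length-checked, CRC not verified."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if len(payload) != length:
            raise ValueError("truncated chunk")
        yield ctype, payload
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC


def check_iccp(payload, limit=MAX_EXPANDED):
    """(ok, expanded_bytes) for an iCCP payload under a hard output cap.

    prefix_size covers the profile name, NUL and method byte, as in the
    prefix_size + expanded_size test quoted from pngrutil.c; inflation stops
    at limit - prefix_size, so an oversized stream is never fully expanded."""
    prefix_size = payload.index(b"\x00") + 2
    d = zlib.decompressobj()
    out = d.decompress(payload[prefix_size:], max_length=limit - prefix_size)
    return (d.eof and not d.unconsumed_tail), len(out)


def scan(data, limit=MAX_EXPANDED):
    """(ok, expanded_bytes) for every iCCP chunk in a PNG byte string."""
    return [check_iccp(p, limit) for t, p in iter_chunks(data) if t == b"iCCP"]
```

A profile of a few KiB passes; a highly compressible multi-megabyte profile is reported as over the cap after inflating at most limit - prefix_size bytes.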
Bug#650601: [png-mng-implement] Lack of security in libpng 1.2
On 22.03.2012 11:00, Aníbal Monsalve Salazar wrote:
> The message above is part of a discussion in the libpng development mailing list about the *lack* of security of libpng 1.2, after the last vulnerability was discovered by the chrome folks. For more details see http://sourceforge.net/mailarchive/message.php?msg_id=28856022
>
> So, the message is to move away from libpng 1.2 in Debian as soon as we can.

In that case, maybe someone could address some of the issues we raised when the transition was first proposed? e.g. the requirement for changing the development page name and thus needing otherwise unnecessary source uploads of a bunch of packages, the huge number of known FTBFS issues.

We don't just not start transitions for our own amusement, and the implication that the transition is primarily being blocked from our side is not really appreciated.

Regards,

Adam
Bug#650601: [png-mng-implement] Lack of security in libpng 1.2
On Thu, Mar 22, 2012 at 11:21:36AM +0000, Adam D. Barratt wrote:
> We don't just not start transitions for our own amusement, and the implication that the transition is primarily being blocked from our side is not really appreciated.

I would like to apologise. It wasn't my intention to imply that. We know the release team does a great job.

I just wanted to let you know that the upstream developers don't want distros to use libpng 1.2 for its lack of security.
Bug#650601: [png-mng-implement] Lack of security in libpng 1.2
On 22.03.2012 11:44, Aníbal Monsalve Salazar wrote:
> On Thu, Mar 22, 2012 at 11:21:36AM +0000, Adam D. Barratt wrote:
>> We don't just not start transitions for our own amusement, and the implication that the transition is primarily being blocked from our side is not really appreciated.
>
> I would like to apologise. It wasn't my intention to imply that. We know the release team does a great job.
>
> I just wanted to let you know that the upstream developers don't want distros to use libpng 1.2 for its lack of security.

Thanks, that's appreciated. I could probably have worded my message a little better; apologies for that.

Regards,

Adam
Bug#650601: [png-mng-implement] Lack of security in libpng 1.2
On 22.03.2012 11:21, Adam D. Barratt wrote:
> On 22.03.2012 11:00, Aníbal Monsalve Salazar wrote:
>> So, the message is to move away from libpng 1.2 in Debian as soon as we can.
>
> In that case, maybe someone could address some of the issues we raised when the transition was first proposed? e.g. the requirement for changing the development page name and thus needing otherwise unnecessary source uploads of a bunch of packages

As a concrete example, running dak rm -b libpng12-dev on ftp-master a short while ago suggests that there are currently over two hundred source packages in unstable with a build-dependency either on libpng12{,-0}-dev with no alternative or with the 1.2 package as the first in an alternative list. If the libpng 1.5 packages from experimental were to transition to unstable right now, we'd be unable to binNMU any of those packages; they would all require source uploads to change the build-dependency.

It may be that some of these can be explained by multiple source versions where the newer source has migrated to use libpng-dev, but I suspect those are a minority.

fwiw, there are also still six packages in unstable with libpng3-dev as the only png-related build dependency. It may be that those packages have other issues, of course.

Regards,

Adam
Bug#650601: [png-mng-implement] Lack of security in libpng 1.2
On Thu, Mar 22, 2012 at 11:58:21AM +0000, Adam D. Barratt wrote:
> On 22.03.2012 11:21, Adam D. Barratt wrote:
>> On 22.03.2012 11:00, Aníbal Monsalve Salazar wrote:
>>> So, the message is to move away from libpng 1.2 in Debian as soon as we can.
>>
>> In that case, maybe someone could address some of the issues we raised when the transition was first proposed? e.g. the requirement for changing the development page name and thus needing otherwise unnecessary source uploads of a bunch of packages
>
> As a concrete example, running dak rm -b libpng12-dev on ftp-master a short while ago suggests that there are currently over two hundred source packages in unstable with a build-dependency either on libpng12{,-0}-dev with no alternative or with the 1.2 package as the first in an alternative list. If the libpng 1.5 packages from experimental were to transition to unstable right now, we'd be unable to binNMU any of those packages; they would all require source uploads to change the build-dependency.
>
> It may be that some of these can be explained by multiple source versions where the newer source has migrated to use libpng-dev, but I suspect those are a minority.
>
> fwiw, there are also still six packages in unstable with libpng3-dev as the only png-related build dependency. It may be that those packages have other issues, of course.

libpng3-dev is an empty package that hasn't been removed yet, but can be kept if you wish so. It was required for a previous transition.

We could make empty packages libpng12{,-0}-dev depending on libpng15-15 and libpng-dev respectively.
Bug#650601: [png-mng-implement] Lack of security in libpng 1.2
On Thu, Mar 22, 2012 at 23:19:08 +1100, Aníbal Monsalve Salazar wrote:
> libpng3-dev is an empty package that hasn't been removed yet, but can be kept if you wish so. It was required for a previous transition.
>
> We could make empty packages libpng12{,-0}-dev depending on libpng15-15 and libpng-dev respectively.

I hope this is a joke.

Cheers,
Julien
Bug#650601: [png-mng-implement] Lack of security in libpng 1.2
On Thu, Mar 22, 2012 at 11:19:08PM +1100, Aníbal Monsalve Salazar wrote:
> On Thu, Mar 22, 2012 at 11:58:21AM +0000, Adam D. Barratt wrote:
>> On 22.03.2012 11:21, Adam D. Barratt wrote:
>>> On 22.03.2012 11:00, Aníbal Monsalve Salazar wrote:
>>>> So, the message is to move away from libpng 1.2 in Debian as soon as we can.
>>>
>>> In that case, maybe someone could address some of the issues we raised when the transition was first proposed? e.g. the requirement for changing the development page name and thus needing otherwise unnecessary source uploads of a bunch of packages
>>
>> As a concrete example, running dak rm -b libpng12-dev on ftp-master a short while ago suggests that there are currently over two hundred source packages in unstable with a build-dependency either on libpng12{,-0}-dev with no alternative or with the 1.2 package as the first in an alternative list. If the libpng 1.5 packages from experimental were to transition to unstable right now, we'd be unable to binNMU any of those packages; they would all require source uploads to change the build-dependency.
>>
>> It may be that some of these can be explained by multiple source versions where the newer source has migrated to use libpng-dev, but I suspect those are a minority.
>>
>> fwiw, there are also still six packages in unstable with libpng3-dev as the only png-related build dependency. It may be that those packages have other issues, of course.
>
> libpng3-dev is an empty package that hasn't been removed yet, but can be kept if you wish so. It was required for a previous transition.
>
> We could make empty packages libpng12{,-0}-dev depending on libpng15-15 and libpng-dev respectively.

libpng3-dev doesn't exist in Debian. libpng3 depends on libpng12-0 (>= 1.2.5.0-2) currently. It's empty in the sense that it only has symbolic links to the shared library in libpng12-0.
Bug#650601: [png-mng-implement] Lack of security in libpng 1.2
On Thu, Mar 22, 2012 at 01:21:14PM +0100, Julien Cristau wrote:
> I hope this is a joke.

Empty in the sense that they are not the real thing. They will have a bunch of symbolic links in them to files/directories in other packages.