
pngcheck - use new upstream version?



Hi,

I was analyzing pngcheck this morning and I'm unsure how to proceed so
any advice would be appreciated :)

pngcheck has one open CVE [1]; however, it seems that there are multiple
vulnerabilities, as the upstream changelog [2] and homepage [3] mention them.

Unfortunately upstream did major refactoring between 2.4 and 3.0.x, and as there
is no upstream git repo it is very hard to isolate which bits are indeed the
vulnerability fixes and which are "just" bug fixes.

SUSE, e.g., did "just" use the new upstream version [5] as the resolution; however,
there is the caveat that 3.0.x dropped the "force" option, which made
pngcheck try hard to continue even on very corrupt input files. Upstream's
changelog entry [4] explains this with "multiple security issues".

I'd also propose to package 3.0.3 for LTS, but instead of removing the force
option, make it a "NOP", so that the command-line options stay compatible,
e.g. for existing scripts.

3.0.x has only very few new features (more PNG checks) compared to 2.3.x.

-- 
Cheers,
tobi


[1] CVE-2020-35511
https://security-tracker.debian.org/tracker/CVE-2020-35511
"A global buffer overflow was discovered in pngcheck function in pngcheck-2.4.0(5 patches applied) via a crafted png file."

[2] http://www.libpng.org/pub/png/src/pngcheck-3.0.3.CHANGELOG

[3] http://www.libpng.org/pub/png/apps/pngcheck.html

[4] 20201212 GRR: removed -f ("force") option due to multiple security issues
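As an added illustration of the "-f as a NOP" proposal above (example code written for this page, not pngcheck's own source): a small option parser that still accepts the retired -f flag, records that it was seen so the user can be warned, but never lets it change behaviour. The struct, function names and the reduced option set (-v, -q, -f plus file operands) are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical option state for a pngcheck-like tool (not pngcheck's own code). */
struct opts {
    int verbose;
    int quiet;
    int force_seen;       /* 1 if -f was given on the command line */
    int force_effective;  /* always 0: -f is accepted for compatibility but ignored */
    int nfiles;
    const char *files[16];
};

/* Parse argv. Returns 0 on success, -1 on an unknown option.
 * Unknown options are rejected, but the retired -f is accepted as a no-op so
 * existing scripts that run "pngcheck -f file.png" keep working unchanged. */
int parse_args(int argc, char **argv, struct opts *o)
{
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '\0') {       /* file operand ("-" means stdin) */
            if (o->nfiles < 16)
                o->files[o->nfiles++] = a;
            continue;
        }
        for (const char *p = a + 1; *p; p++) {   /* combined flags such as -vf */
            switch (*p) {
            case 'v': o->verbose = 1; break;
            case 'q': o->quiet = 1; break;
            case 'f':
                o->force_seen = 1;               /* remembered only to warn the user */
                /* force_effective deliberately stays 0: no "continue past corruption" */
                break;
            default:
                fprintf(stderr, "unknown option -%c\n", *p);
                return -1;
            }
        }
    }
    if (o->force_seen && !o->quiet)
        fprintf(stderr, "warning: -f (force) is accepted but ignored; "
                        "corrupt files are not processed past the first fatal error\n");
    return 0;
}

int main(int argc, char **argv)
{
    struct opts o;
    if (parse_args(argc, argv, &o) != 0)
        return 2;
    for (int i = 0; i < o.nfiles; i++)
        printf("would check %s (verbose=%d, force=%d)\n",
               o.files[i], o.verbose, o.force_effective);
    return 0;
}
```

Keeping the flag in the parser (rather than deleting the `case 'f'`) is what preserves compatibility: a script passing -f gets a warning on stderr instead of a hard "unknown option" failure, while the parsing code path that -f used to enable is simply gone.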


