Hi, I was analyzing pngcheck this morning and I'm unsure how to proceed so any advice would be appreciated :)
pngcheck has one CVE open [1], however it seems that there are multiple vulnerabilities, as the upstream changelog [2] and homepage [3] mention them. Unfortunately upstream did major refactoring between 2.4 and 3.0.x, and as there is no upstream git repo it is very hard to isolate which bits are indeed the vulnerability fixes and which are "just" bug fixes.

SUSE e.g. did "just" use the new upstream version [5] as resolution, however there is the caveat that 3.0.x dropped the "force" option, which would make pngcheck try hard to continue even on very corrupt input files. Upstream's Changelog entry [4] explains that by "multiple security issues".

I'd propose also to package 3.0.3 for LTS, but instead of removing the force option making it a "NOP", so that the command line options are still compatible for e.g. existing scripts. 3.0.x has only very few new features (more png checks) compared to 2.3.x.

-- 
Cheers, tobi

[1] CVE-2020-35511 https://security-tracker.debian.org/tracker/CVE-2020-35511
    "A global buffer overflow was discovered in pngcheck function in pngcheck-2.4.0(5 patches applied) via a crafted png file."
[2] http://www.libpng.org/pub/png/src/pngcheck-3.0.3.CHANGELOG
[3] http://www.libpng.org/pub/png/apps/pngcheck.html
[4] 20201212 GRR: removed -f ("force") option due to multiple security issues
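As an illustration of the "make -f a NOP" proposal above, here is an added example of a command-line shim that accepts the old -f ("force") switch for script compatibility but never enables any continue-on-corrupt-input behaviour. This is not pngcheck's own option parser and is not taken from upstream; the option set (-v, -q, the struct name and field names) and the stderr warning text are assumptions made for the example, -f being the only switch the message itself mentions.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative option state (assumed names; not pngcheck's real structures). */
struct opts {
    int verbose;     /* -v, may be repeated */
    int quiet;       /* -q */
    int force_seen;  /* how many times -f was given; it is accepted but never acted on */
    int first_file;  /* argv index of the first file argument, or -1 if none */
};

/* Parse a pngcheck-style argv. Returns 0 on success, -1 on an unknown option.
 * "-f" is deliberately a no-op: scripts that still pass it keep working, but
 * no code path ever consults a "force" flag, so corrupt files are not parsed
 * beyond the point where the checker would normally stop. */
int parse_args(int argc, char **argv, struct opts *o)
{
    memset(o, 0, sizeof *o);
    o->first_file = -1;
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        /* "-" alone (stdin) and anything not starting with '-' ends option parsing */
        if (a[0] != '-' || strcmp(a, "-") == 0) { o->first_file = i; break; }
        /* "--" ends option parsing; whatever follows is a file name */
        if (strcmp(a, "--") == 0) { o->first_file = (i + 1 < argc) ? i + 1 : -1; break; }
        /* allow bundled single-letter switches such as -vf */
        for (const char *p = a + 1; *p; p++) {
            switch (*p) {
            case 'v': o->verbose++; break;
            case 'q': o->quiet = 1; break;
            case 'f':
                /* compatibility NOP: warn once, change nothing else */
                if (o->force_seen++ == 0)
                    fprintf(stderr, "%s: warning: -f (force) is no longer supported and is ignored\n",
                            argv[0]);
                break;
            default:
                fprintf(stderr, "%s: unknown option -%c\n", argv[0], *p);
                return -1;
            }
        }
    }
    return 0;
}

/* Stand-alone demonstration with a constructed argv resembling an old script's call. */
int main(void)
{
    char *argv[] = { "pngcheck", "-f", "-v", "image.png" };
    struct opts o;
    if (parse_args(4, argv, &o) != 0)
        return 1;
    printf("verbose=%d quiet=%d force_seen=%d (ignored) first_file=%d\n",
           o.verbose, o.quiet, o.force_seen, o.first_file);
    return 0;
}
```

The point of the shim is that `force_seen` exists only for the warning and for testing; nothing downstream reads it, so the dropped upstream behaviour cannot be reintroduced by accident while `pngcheck -f file.png` in an existing script still exits cleanly.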