Gentoo Forums
vulnerable package in official portage tree
Gentoo Forums Forum Index :: Networking & Security
gulbuhar
n00b


Joined: 12 Apr 2015
Posts: 9

Posted: Fri May 08, 2015 3:40 pm    Post subject: vulnerable package in official portage tree

Hi,

The results of "glsa-check -lv" give me the following:

Code:
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201010-01 [N] [remote  ] Libpng: Multiple vulnerabilities ( media-libs/libpng-1.2.52 media-libs/libpng-1.6.16 )
201206-15 [N] [remote  ] libpng: Multiple vulnerabilities ( media-libs/libpng-1.2.52 media-libs/libpng-1.6.16 )


"emerge -pcv 'media-libs/libpng*'" shows both packages are required by other official packages! Does this mean there is a security problem/hole in the official portage tree?


Code:
Calculating dependencies... done!
  media-libs/libpng-1.2.52 pulled in by:
    net-misc/dropbox-2.10.2 requires media-libs/libpng:1.2

  media-libs/libpng-1.6.16 pulled in by:
    app-editors/xemacs-21.4.22-r4 requires >=media-libs/libpng-1.2:0
    app-emulation/virtualbox-4.3.18 requires media-libs/libpng:0=
    app-emulation/wine-1.6.2 requires >=media-libs/libpng-1.6.10:0[abi_x86_32(-)], media-libs/libpng:0/16=, media-libs/libpng:0=
    app-office/libreoffice-bin-4.4.1.2 requires >=media-libs/libpng-1.4:0/16=, >=media-libs/libpng-1.4:0=, media-libs/libpng:0/16
    app-text/ghostscript-gpl-9.10-r2 requires >=media-libs/libpng-1.6.2:0=, >=media-libs/libpng-1.6.2:0/16=
    app-text/poppler-0.32.0 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    dev-java/icedtea-bin-7.2.5.3 requires >=media-libs/libpng-1.6:0/16=, >=media-libs/libpng-1.6:0=
    dev-qt/qtgui-4.8.5-r4 requires media-libs/libpng:0=, media-libs/libpng:0/16=
    media-gfx/gimp-2.8.10-r1 requires >=media-libs/libpng-1.2.37:0
    media-gfx/imagemagick-6.9.0.3 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    media-gfx/inkscape-0.48.5-r1 requires media-libs/libpng:0
    media-libs/freetype-2.5.5 requires >=media-libs/libpng-1.2.51:0/16=[abi_x86_32(-),abi_x86_64(-)], >=media-libs/libpng-1.2.51:=[abi_x86_32(-),abi_x86_64(-)]
    media-libs/gd-2.0.35-r4 requires >=media-libs/libpng-1.6.10:0[abi_x86_64(-)]
    media-libs/gegl-0.2.0-r2 requires media-libs/libpng
    media-libs/imlib2-1.4.6-r2 requires >=media-libs/libpng-1.6.10:0[abi_x86_64(-)]
    media-libs/jbig2dec-0.11-r1 requires media-libs/libpng:0=, media-libs/libpng:0/16=
    media-libs/libwebp-0.4.0 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    media-libs/netpbm-10.66.00 requires >=media-libs/libpng-1.4:0
    media-libs/openjpeg-2.0.0 requires media-libs/libpng:0=, media-libs/libpng:0/16=
    media-sound/sox-14.4.1 requires media-libs/libpng
    media-video/ffmpegthumbnailer-2.0.8 requires media-libs/libpng:0=, media-libs/libpng:0/16=
    media-video/guvcview-2.0.1 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    media-video/mplayer-1.2_pre20130729 requires media-libs/libpng
    media-video/vlc-2.1.5-r1 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    net-print/cups-filters-1.0.66 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    sys-libs/slang-2.2.4-r1 requires >=media-libs/libpng-1.6.10:0[abi_x86_64(-)]
    www-client/chromium-42.0.2311.90 requires media-libs/libpng:0/16=
    x11-libs/cairo-1.12.18-r1 requires >=media-libs/libpng-1.6.10:0/16=[abi_x86_64(-)], >=media-libs/libpng-1.6.10:0=[abi_x86_64(-)]
    x11-libs/gdk-pixbuf-2.30.8 requires >=media-libs/libpng-1.4:0=[abi_x86_64(-)], >=media-libs/libpng-1.4:0/16=[abi_x86_64(-)]
    x11-libs/motif-2.3.4-r3 requires >=media-libs/libpng-1.6.10:0/16=[abi_x86_64(-)], >=media-libs/libpng-1.6.10:0=[abi_x86_64(-)]
    x11-libs/wxGTK-2.8.12.1-r1 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    x11-misc/slim-1.3.6-r3 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    xfce-extra/tumbler-0.1.30 requires media-libs/libpng:0=, media-libs/libpng:0/16=

>>> No packages selected for removal by depclean
Packages installed:   1119
Packages in world:    173
Packages in system:   44
Required packages:    1119
Number to remove:     0
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 9677
Location: almost Mile High in the USA

Posted: Fri May 08, 2015 5:44 pm

1.2.52 is probably affected due to age, but 1.6.16 I think is OK, unless my machine is compromised somehow. No GLSAs on libpng-1.6.16 (but yes on other packages that I'm ignoring for now.)

It looks like dropbox is the only package that is using the old version on your box. I don't use dropbox so I've no idea...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
gulbuhar
n00b


Joined: 12 Apr 2015
Posts: 9

Posted: Fri May 08, 2015 9:32 pm

I have rebuilt dropbox without X and everything now seems fine, but why should Gentoo keep known vulnerable packages in the official portage tree?
szatox
Advocate


Joined: 27 Aug 2013
Posts: 3131

Posted: Fri May 08, 2015 10:21 pm

Vulnerable packages tend to get hard masked (and removed later, just like any old versions).
Masked packages will not be installed unless you unmask them; however, packages already installed will only be removed if there is another way to satisfy dependencies.
gulbuhar
n00b


Joined: 12 Apr 2015
Posts: 9

Posted: Fri May 08, 2015 11:46 pm

libpng-1.2.52 is not masked because portage says it's a stable version, but glsa-check says it's vulnerable because it is not mentioned as an "unaffected version".
I think libpng-1.2.52 should get removed from the tree; I just manually masked it for now.
===========
P.S. It seems libpng-1.2.52 is not an affected version either. I can't understand: if it's mentioned as unaffected, why does glsa-check say "indicates that the system might be affected"?
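The [N]-versus-unaffected puzzle in the last post comes down to how an installed version is matched against a GLSA's vulnerable and unaffected ranges, and whether those ranges carry a slot. The Python below is an added illustration, not gentoolkit's glsa-check code: the libpng ranges in it are constructed (they are not the text of GLSA 201010-01 or 201206-15) and the version parser is a simplified stand-in for Portage's.

```python
import re
from typing import NamedTuple, Optional

class Range(NamedTuple):
    op: str              # one of "<", "<=", "=", ">=", ">"
    version: str         # bound, e.g. "1.4.3"
    slot: Optional[str]  # None = applies to every slot (slot-unaware range)

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")

def parse_version(ver: str) -> tuple:
    """Simplified Portage version: dotted integers plus optional -rN revision.
    Real PMS versions also allow letter and _pre/_rc suffixes; omitted here."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)

def compare(a: str, b: str) -> int:
    """-1, 0 or 1 like a classic comparator."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)

_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
        ">=": lambda c: c >= 0, ">": lambda c: c > 0}

def matches(rng: Range, slot: str, version: str) -> bool:
    """A slot-qualified range only applies to that slot; a slot-less one to all."""
    if rng.slot is not None and rng.slot != slot:
        return False
    return _OPS[rng.op](compare(version, rng.version))

def classify(installed: dict, vulnerable: list, unaffected: list) -> str:
    """'N' (might be affected) if any installed version lies in a vulnerable range
    and in no unaffected range, else 'U'; mirrors the [N]/[U] markers of glsa-check."""
    for slot, ver in installed.items():
        vul = any(matches(r, slot, ver) for r in vulnerable)
        unaff = any(matches(r, slot, ver) for r in unaffected)
        if vul and not unaff:
            return "N"
    return "U"

# Constructed data: the two libpng slots from the thread and two made-up range
# sets. These are NOT the real contents of GLSA 201010-01 or 201206-15.
INSTALLED = {"0": "1.6.16", "1.2": "1.2.52"}
SLOTLESS_GLSA = dict(vulnerable=[Range("<", "1.4.3", None)],
                     unaffected=[Range(">=", "1.4.3", None)])
SLOTTED_GLSA = dict(vulnerable=[Range("<", "1.4.3", "0"), Range("<", "1.2.44", "1.2")],
                    unaffected=[Range(">=", "1.4.3", "0"), Range(">=", "1.2.44", "1.2")])
```

With the slot-unaware ranges, `classify(INSTALLED, **SLOTLESS_GLSA)` returns `"N"` because 1.2.52 falls under `< 1.4.3` and no unaffected range covers it, while the slot-aware set returns `"U"`; when glsa-check flags a version you believe is patched, comparing the GLSA's range slots against the installed slots is the first thing to check.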
All times are GMT