Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
vulnerable package in official portage tree
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
gulbuhar
n00b
n00b


Joined: 12 Apr 2015
Posts: 9

PostPosted: Fri May 08, 2015 3:40 pm    Post subject: vulnerable package in official portage tree Reply with quote

Hi,

results of "glsa-check -lv" gives me the following

Code:
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201010-01 [N] [remote  ] Libpng: Multiple vulnerabilities ( media-libs/libpng-1.2.52 media-libs/libpng-1.6.16 )
201206-15 [N] [remote  ] libpng: Multiple vulnerabilities ( media-libs/libpng-1.2.52 media-libs/libpng-1.6.16 )


"emerge -pcv "media-libs/libpng*" shows both packages are required by other official packages! does this mean there is security problem/hole in the official portage tree?


Code:
Calculating dependencies... done!
  media-libs/libpng-1.2.52 pulled in by:
    net-misc/dropbox-2.10.2 requires media-libs/libpng:1.2

  media-libs/libpng-1.6.16 pulled in by:
    app-editors/xemacs-21.4.22-r4 requires >=media-libs/libpng-1.2:0
    app-emulation/virtualbox-4.3.18 requires media-libs/libpng:0=
    app-emulation/wine-1.6.2 requires >=media-libs/libpng-1.6.10:0[abi_x86_32(-)], media-libs/libpng:0/16=, media-libs/libpng:0=
    app-office/libreoffice-bin-4.4.1.2 requires >=media-libs/libpng-1.4:0/16=, >=media-libs/libpng-1.4:0=, media-libs/libpng:0/16
    app-text/ghostscript-gpl-9.10-r2 requires >=media-libs/libpng-1.6.2:0=, >=media-libs/libpng-1.6.2:0/16=
    app-text/poppler-0.32.0 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    dev-java/icedtea-bin-7.2.5.3 requires >=media-libs/libpng-1.6:0/16=, >=media-libs/libpng-1.6:0=
    dev-qt/qtgui-4.8.5-r4 requires media-libs/libpng:0=, media-libs/libpng:0/16=
    media-gfx/gimp-2.8.10-r1 requires >=media-libs/libpng-1.2.37:0
    media-gfx/imagemagick-6.9.0.3 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    media-gfx/inkscape-0.48.5-r1 requires media-libs/libpng:0
    media-libs/freetype-2.5.5 requires >=media-libs/libpng-1.2.51:0/16=[abi_x86_32(-),abi_x86_64(-)], >=media-libs/libpng-1.2.51:=[abi_x86_32(-),abi_x86_64(-)]
    media-libs/gd-2.0.35-r4 requires >=media-libs/libpng-1.6.10:0[abi_x86_64(-)]
    media-libs/gegl-0.2.0-r2 requires media-libs/libpng
    media-libs/imlib2-1.4.6-r2 requires >=media-libs/libpng-1.6.10:0[abi_x86_64(-)]
    media-libs/jbig2dec-0.11-r1 requires media-libs/libpng:0=, media-libs/libpng:0/16=
    media-libs/libwebp-0.4.0 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    media-libs/netpbm-10.66.00 requires >=media-libs/libpng-1.4:0
    media-libs/openjpeg-2.0.0 requires media-libs/libpng:0=, media-libs/libpng:0/16=
    media-sound/sox-14.4.1 requires media-libs/libpng
    media-video/ffmpegthumbnailer-2.0.8 requires media-libs/libpng:0=, media-libs/libpng:0/16=
    media-video/guvcview-2.0.1 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    media-video/mplayer-1.2_pre20130729 requires media-libs/libpng
    media-video/vlc-2.1.5-r1 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    net-print/cups-filters-1.0.66 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    sys-libs/slang-2.2.4-r1 requires >=media-libs/libpng-1.6.10:0[abi_x86_64(-)]
    www-client/chromium-42.0.2311.90 requires media-libs/libpng:0/16=
    x11-libs/cairo-1.12.18-r1 requires >=media-libs/libpng-1.6.10:0/16=[abi_x86_64(-)], >=media-libs/libpng-1.6.10:0=[abi_x86_64(-)]
    x11-libs/gdk-pixbuf-2.30.8 requires >=media-libs/libpng-1.4:0=[abi_x86_64(-)], >=media-libs/libpng-1.4:0/16=[abi_x86_64(-)]
    x11-libs/motif-2.3.4-r3 requires >=media-libs/libpng-1.6.10:0/16=[abi_x86_64(-)], >=media-libs/libpng-1.6.10:0=[abi_x86_64(-)]
    x11-libs/wxGTK-2.8.12.1-r1 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    x11-misc/slim-1.3.6-r3 requires media-libs/libpng:0/16=, media-libs/libpng:0=
    xfce-extra/tumbler-0.1.30 requires media-libs/libpng:0=, media-libs/libpng:0/16=

>>> No packages selected for removal by depclean
Packages installed:   1119
Packages in world:    173
Packages in system:   44
Required packages:    1119
Number to remove:     0
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

PostPosted: Fri May 08, 2015 5:44 pm    Post subject: Reply with quote

1.2.52 is probably affected due to age, but 1.6.16 I think is OK, unless my machine is compromised somehow. No GLSAs on libpng-1.6.16 (but yes on other packages that I'm ignoring for now.)

It looks like dropbox is the only package that is using the old version on your box. I don't use dropbox so I've no idea...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
gulbuhar
n00b
n00b


Joined: 12 Apr 2015
Posts: 9

PostPosted: Fri May 08, 2015 9:32 pm    Post subject: Reply with quote

I have rebuilt dropbox without X and everything is now seems fine , but why should gentoo keep known vulnerable packages in official portage tree?
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1717

PostPosted: Fri May 08, 2015 10:21 pm    Post subject: Reply with quote

Vulnerable packages tend to get hard masked (and removed later just like any old versions)
Masked packages will not be installed unless you unmask them, however packages already installed will only be removed if there is another way to satisfy dependencies
Back to top
View user's profile Send private message
gulbuhar
n00b
n00b


Joined: 12 Apr 2015
Posts: 9

PostPosted: Fri May 08, 2015 11:46 pm    Post subject: Reply with quote

libpng-1.2.52 is not a masked because portage says its a stable version but glsa-check says its vulnerable because it is not mentioned as an "unaffected version"
I think libpng-1.2.52 should get removed from the tree, I just manually masked it for now.
===========
P.S. = seems libpng-1.2.52 is not an affected version too, I cant understand, if its mentioned as unaffected why glsa-check says "indicates that the system might be affected"
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum