| View Issue Details [ Jump to Notes ] | [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0005470 | VTK | (No Category) | public | 2007-08-09 12:21 | 2016-03-07 17:44 | ||||
| Reporter | Sean McBride | ||||||||
| Assigned To | Dave DeMarle | ||||||||
| Priority | urgent | Severity | crash | Reproducibility | always | ||||
| Status | closed | Resolution | fixed | ||||||
| Platform | OS | OS Version | |||||||
| Product Version | 6.0.0 | ||||||||
| Target Version | 6.3.0 | Fixed in Version | 7.0.0 | ||||||
| Summary | 0005470: VTK/ITK use old versions of libpng (containing security vulnerabilities); should update | ||||||||
| Description | As of 2007-08-09 the latest version of libpng is 1.2.18. See http://www.libpng.org/pub/png/libpng.html [^] VTK and ITK both include 1.0.12 according to comments in png.h. A quick search of the Common Vulnerabilities and Exposures (CVE) database reveals that there have been several serious bugs that may allow arbitrary code execution: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libpng [^] The libpng page, right at the top in red, also discusses serious security bugs. VTK and ITK are therefore likely vulnerable as well! That's one good reason to update. Another is that the newer libpng is likely to better support 64 bit machines, as they have become much more popular in recent years. | ||||||||
| Tags | No tags attached. | ||||||||
| Project | TBD | ||||||||
| Type | incorrect functionality | ||||||||
| Attached Files | |||||||||
| Relationships | |
| Relationships |
| Notes | |
|
(0010317) Sean McBride (developer) 2008-01-28 18:46 |
Because this involves security vulnerabilities, I think it should be fixed for 5.2. |
|
(0010853) Sean McBride (developer) 2008-03-19 09:31 |
Since I filed this bug, there have been more security fixes in libpng. Current version is now 1.2.25. And just yesterday, Apple released a security update fixing libpng problems. So it's not just me that deems this important. Apple's notes: "CVE-ID: CVE-2006-3334, CVE-2006-5793, CVE-2007-2445, CVE-2007-5266, CVE-2007-5267, CVE-2007-5268, CVE-2007-5269 Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2 Impact: Multiple vulnerabilities in X11's libpng 1.2.8 Description: The PNG reference library (libpng) is updated to version 1.2.24 to address several vulnerabilities, the most serious of which may lead to a remote denial of service or arbitrary code execution. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html [^] This issue affects libpng within X11. It does not affect systems prior to Mac OS X v10.5." |
|
(0013529) Sean McBride (developer) 2008-09-19 19:45 |
VTK/ITK use version 1.0.12 and I just noticed that the 1.0 line is also maintained. The newest version is 1.2.31 but 1.0.39 also exists and would probably be easier to upgrade VTK/ITK to that version. |
|
(0031290) Dave DeMarle (administrator) 2013-07-22 20:33 |
Dave P no longer works on the project. If these old issues still exist in 6.0.0, reopen them and assign to Dave DeMarle |
|
(0031318) Sean McBride (developer) 2013-07-23 10:32 |
VTK still at 1.0.12, current is 1.6.3 |
|
(0034170) Dave DeMarle (administrator) 2015-02-05 12:35 |
Will try to make this a priority for 6.3.0. |
|
(0035832) David Gobbi (developer) 2016-03-07 17:44 |
Woohoo, VTK 7.0 fixed this! commit 0abb295c updated zlib, commit 63adbb10 updated libpng |
| Notes |
| Issue History | |||
| Date Modified | Username | Field | Change |
| 2007-08-09 12:21 | Sean McBride | New Issue | |
| 2007-10-17 10:10 | Sean McBride | Description Updated | |
| 2008-01-28 18:46 | Sean McBride | Note Added: 0010317 | |
| 2008-01-28 18:46 | Sean McBride | Status | backlog => tabled |
| 2008-01-28 18:46 | Sean McBride | Assigned To | => David Cole |
| 2008-03-19 09:31 | Sean McBride | Note Added: 0010853 | |
| 2008-09-19 19:45 | Sean McBride | Note Added: 0013529 | |
| 2011-01-19 09:52 | David Cole | Assigned To | David Cole => |
| 2011-02-16 09:07 | David Partyka | Assigned To | => David Partyka |
| 2011-06-16 13:11 | Zack Galbreath | Category | => (No Category) |
| 2013-07-22 20:33 | Dave DeMarle | Status | backlog => expired |
| 2013-07-22 20:33 | Dave DeMarle | Note Added: 0031290 | |
| 2013-07-23 10:32 | Sean McBride | Project | => TBD |
| 2013-07-23 10:32 | Sean McBride | Type | => incorrect functionality |
| 2013-07-23 10:32 | Sean McBride | Note Added: 0031318 | |
| 2013-07-23 10:32 | Sean McBride | Assigned To | David Partyka => Dave DeMarle |
| 2013-07-23 10:32 | Sean McBride | Product Version | => 6.0.0 |
| 2014-10-04 20:23 | Berk Geveci | Status | expired => backlog |
| 2014-10-04 20:23 | Berk Geveci | Resolution | open => reopened |
| 2015-02-05 12:35 | Dave DeMarle | Note Added: 0034170 | |
| 2015-02-05 12:35 | Dave DeMarle | Target Version | => 6.3.0 |
| 2016-03-07 17:44 | David Gobbi | Note Added: 0035832 | |
| 2016-03-07 17:44 | David Gobbi | Status | backlog => closed |
| 2016-03-07 17:44 | David Gobbi | Resolution | reopened => fixed |
| 2016-03-07 17:44 | David Gobbi | Fixed in Version | => 7.0.0 |
| Issue History |
| Copyright © 2000 - 2018 MantisBT Team |