Opened 11 years ago

Closed 2 years ago

#43315 closed defect (wontfix)

glib2 @2.40.0 big_chunk_size.png reported as PNG:CVE-2013-1331 [Expl] by Avast.

Reported by: einarjohants@… Owned by: ryandesign (Ryan Carsten Schmidt)
Priority: Normal Milestone:
Component: ports Version: 2.2.1
Keywords: Cc:
Port: glib2

Description

After uploading to virustotal, one can see that the file in question does get some hits as a PNG exploit: https://www.virustotal.com/nb/file/960a21b47f4e9eeb44733808f43a2203ed18ae3e3fc5788effca9dbc3109086e/analysis/1397147254/

found in /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_sorts_devel_glib2/glib2/work/glib-2.40.0/gio/tests/thumbnails during build

Change History (4)

comment:1 Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)

Cc: ryandesign@… removed
Owner: changed from macports-tickets@… to ryandesign@…

This does not sound like a MacPorts-specific issue; if you feel it is a problem, please report it to the developers of glib2.

comment:2 Changed 11 years ago by sean@…

Note that this is not malware, but a purposefully malformed PNG to test verification code in the GIO package of GLib. See this page for some details. I have the same issue with Symantec not liking that file in a clone of the GLib repository.

The problem is that such malformed PNGs had been used to exploit bugs in MS Office (as indicated by the referenced CVE). However, the one included with GLib has no real data in it.

Agree that it should be escalated up to the GLib developers.

comment:3 Changed 2 years ago by mascguy (Christopher Nielsen)

Do we still need to raise this to upstream, or can we close this?

comment:4 Changed 2 years ago by ryandesign (Ryan Carsten Schmidt)

Resolution: wontfix
Status: newclosed

Not our bug. As I said 8 years ago, if you feel it is a problem, please report it to the developers of glib2.

Note: See TracTickets for help on using tickets.