MantisBT - VTK
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0005470VTK(No Category)public2007-08-09 12:212016-03-07 17:44
ReporterSean McBride 
Assigned ToDave DeMarle 
PriorityurgentSeveritycrashReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version6.0.0 
Target Version6.3.0Fixed in Version7.0.0 
ProjectTBD
Typeincorrect functionality
Summary0005470: VTK/ITK use old versions of libpng (containing security vulnerabilities); should update
DescriptionAs of 2007-08-09 the latest version of libpng is 1.2.18. See http://www.libpng.org/pub/png/libpng.html [^]

VTK and ITK both include 1.0.12 according to comments in png.h.

A quick search of the Common Vulnerabilities and Exposures (CVE) database reveals that there have been several serious bugs that may allow arbitrary code execution:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libpng [^]

The libpng page, right at the top in red, also discusses serious security bugs.

VTK and ITK are therefore likely vulnerable as well!

That's one good reason to update. Another is that the newer libpng is likely to better support 64 bit machines, as they have become much more popular in recent years.
Steps To Reproduce
Additional Information
TagsNo tags attached.
Relationships
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2007-08-09 12:21Sean McBrideNew Issue
2007-10-17 10:10Sean McBrideDescription Updated
2008-01-28 18:46Sean McBrideNote Added: 0010317
2008-01-28 18:46Sean McBrideStatusbacklog => tabled
2008-01-28 18:46Sean McBrideAssigned To => David Cole
2008-03-19 09:31Sean McBrideNote Added: 0010853
2008-09-19 19:45Sean McBrideNote Added: 0013529
2011-01-19 09:52David ColeAssigned ToDavid Cole =>
2011-02-16 09:07David PartykaAssigned To => David Partyka
2011-06-16 13:11Zack GalbreathCategory => (No Category)
2013-07-22 20:33Dave DeMarleStatusbacklog => expired
2013-07-22 20:33Dave DeMarleNote Added: 0031290
2013-07-23 10:32Sean McBrideProject => TBD
2013-07-23 10:32Sean McBrideType => incorrect functionality
2013-07-23 10:32Sean McBrideNote Added: 0031318
2013-07-23 10:32Sean McBrideAssigned ToDavid Partyka => Dave DeMarle
2013-07-23 10:32Sean McBrideProduct Version => 6.0.0
2014-10-04 20:23Berk GeveciStatusexpired => backlog
2014-10-04 20:23Berk GeveciResolutionopen => reopened
2015-02-05 12:35Dave DeMarleNote Added: 0034170
2015-02-05 12:35Dave DeMarleTarget Version => 6.3.0
2016-03-07 17:44David GobbiNote Added: 0035832
2016-03-07 17:44David GobbiStatusbacklog => closed
2016-03-07 17:44David GobbiResolutionreopened => fixed
2016-03-07 17:44David GobbiFixed in Version => 7.0.0

Notes
(0010317)
Sean McBride   
2008-01-28 18:46   
Because this involves security vulnerabilities, I think it should be fixed for 5.2.
(0010853)
Sean McBride   
2008-03-19 09:31   
Since I filed this bug, there have been more security fixes in libpng. Current version is now 1.2.25.

And just yesterday, Apple released a security update fixing libpng problems. So it's not just me that deems this important. Apple's notes:

"CVE-ID: CVE-2006-3334, CVE-2006-5793, CVE-2007-2445, CVE-2007-5266, CVE-2007-5267, CVE-2007-5268, CVE-2007-5269

Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2

Impact: Multiple vulnerabilities in X11's libpng 1.2.8

Description: The PNG reference library (libpng) is updated to version 1.2.24 to address several vulnerabilities, the most serious of which may lead to a remote denial of service or arbitrary code execution. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html [^] This issue affects libpng within X11. It does not affect systems prior to Mac OS X v10.5."
(0013529)
Sean McBride   
2008-09-19 19:45   
VTK/ITK use version 1.0.12 and I just noticed that the 1.0 line is also maintained. The newest version is 1.2.31 but 1.0.39 also exists and would probably be easier to upgrade VTK/ITK to that version.
(0031290)
Dave DeMarle   
2013-07-22 20:33   
Dave P no longer works on the project. If these old issues still exist in 6.0.0, reopen them and assign to Dave DeMarle
(0031318)
Sean McBride   
2013-07-23 10:32   
VTK still at 1.0.12, current is 1.6.3
(0034170)
Dave DeMarle   
2015-02-05 12:35   
Will try to make this a priority for 6.3.0.
(0035832)
David Gobbi   
2016-03-07 17:44   
Woohoo, VTK 7.0 fixed this!

commit 0abb295c updated zlib,
commit 63adbb10 updated libpng