[MacPorts] #43315: glib2 @2.40.0 big_chunk_size.png reported as PNG:CVE-2013-1331 [Expl] by Avast.
MacPorts
noreply at macports.org
Fri May 9 22:05:40 PDT 2014
#43315: glib2 @2.40.0 big_chunk_size.png reported as PNG:CVE-2013-1331 [Expl] by
Avast.
-----------------------------+--------------------------
Reporter: einarjohants@… | Owner: ryandesign@…
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version: 2.2.1
Resolution: | Keywords:
Port: glib2 |
-----------------------------+--------------------------
Comment (by sean@…):
Note that this is not malware, but a purposefully malformed PNG to test
verification code in the GIO package of GLib. See
[https://mail.gnome.org/archives/commits-list/2013-October/msg08162.html
this page] for some details. I have the same issue with Symantec not
liking that file in a clone of the GLib repository.
The problem is that such malformed PNGs had been used to exploit bugs in
MS Office (as indicated by the
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1331 referenced CVE]).
However, the one included with GLib has no real data in it.
Agree that it should be escalated up to the GLib developers.
--
Ticket URL: <https://trac.macports.org/ticket/43315#comment:2>
MacPorts <http://www.macports.org/>
Ports system for OS X
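
Added example, not part of the ticket or of GLib: a small PNG chunk walker for triaging a flagged file of this kind, comparing each declared chunk length with the bytes actually present. The sample bytes are constructed here and are not the contents of big_chunk_size.png; `walk_chunks` and `make_chunk` are hypothetical names.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 2**31 - 1  # upper bound the PNG specification allows for a chunk length

def walk_chunks(data):
    """Return (findings, chunks); each chunk is (type, declared_len, body_bytes_present)."""
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"], []
    findings, chunks, pos = [], [], len(PNG_SIGNATURE)
    while pos < len(data):
        if len(data) - pos < 8:
            findings.append(f"truncated chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name, body_start = ctype.decode("latin-1"), pos + 8
        remaining = len(data) - body_start
        if length > MAX_CHUNK_LEN:
            findings.append(f"{name}: declared length {length} exceeds the PNG limit")
        if length + 4 > remaining:  # body plus 4-byte CRC must fit in the file
            present = max(0, remaining - 4)
            findings.append(f"{name}: declares {length} bytes, only {present} present")
            chunks.append((name, length, present))
            break  # cannot resynchronise after a bad length
        body = data[body_start:body_start + length]
        (crc,) = struct.unpack(">I", data[body_start + length:body_start + length + 4])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            findings.append(f"{name}: CRC mismatch")
        chunks.append((name, length, length))
        pos = body_start + length + 4
        if name == "IEND":
            break
    return findings, chunks

def make_chunk(ctype, body, declared_len=None):
    """Build a chunk for the constructed samples; declared_len overrides the true length."""
    length = len(body) if declared_len is None else declared_len
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", length) + ctype + body + struct.pack(">I", crc)

# Constructed samples (not the GLib test file): a valid 1x1 greyscale PNG and a
# file whose second chunk declares far more data than it carries.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
GOOD = PNG_SIGNATURE + IHDR + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b"")
BAD = PNG_SIGNATURE + IHDR + make_chunk(b"tEXt", b"test", declared_len=0xFFFFFFF0)

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, walk_chunks(sample))
```

The third field of the last chunk tuple shows how many body bytes are really in the file, which is the figure to compare against the declared length when deciding whether a flagged fixture carries any data.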