Open shoober420 opened 5 years ago
kisak-valve
commented
5 years ago Hello @shoober420, the Steam runtime provides this library and running Steam with the Steam runtime disabled is unsupported. You or the package maintainer that helped disable the Steam runtime is responsible for managing any dependencies for Steam and games run from Steam.
Leaving open as a low priority request for refreshing this dependency.
Turmfalke2
commented
5 years ago @kisak-valve libpng 1.2.59 is vurnable. Updating the dependency should be high priority not low. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12652
shoober420
commented
5 years ago @Turmfalke2, it was only a matter of time. Sadly, most Valve games depend on the legacy library.
shoober420
commented
5 years ago Even more legacy libpng security vulnerabilities.
https://www.cvedetails.com/vulnerability-list/vendor_id-7294/Libpng.html
TTimo
commented
4 years ago Dota does not (no longer?) includes libpng - I do not see the library in the install of the game.
The Steam Runtime however comes with libpng12 1.2.46-3ubuntu4.2 - which is fairly outdated (http://changelogs.ubuntu.com/changelogs/pool/main/libp/libpng/libpng_1.2.54-1ubuntu1.1/changelog)
Related to Dota 2, see https://github.com/ValveSoftware/Dota-2/issues/1705#issuecomment-601297269 - you should not need to pull an old libpng12 to begin with.
Otherwise, if a newer libpng12 is present on the host it will be picked over the runtime version, very few system will actually run with the old library.
Keeping this open in case we decide to upgrade libpng12 in scout runtime.
Please describe your issue in as much detail as possible:
Please update DOTA 2 to use the modern version of libpng (1.6.37), instead of the legacy version (1.2.59) Thank you.
Steps for reproducing this issue: