178004 2007-05-11 07:59 0000 media-libs/libpng null pointer dereference in png_handle_tRNS (CVE-2007-2445) 2007-06-24 23:27:38 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED A3 [glsa] P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org neeo@xl.wp.pl jaervosz@gentoo.org 2007-05-11 07:59:30 0000 It seems that a grayscale image with a malformed (bad CRC) tRNS chunk will crash libpng and mozilla. In my experience it also brought down my Windows display manager. The reason is that png_ptr->num_trans is set to 1 and then there is an error return after checking the CRC, so the trans[] array is never allocated. Since png_ptr->num_trans is nonzero, libpng tries to use the array later. Here is the fix, thanks to Mats Palmgren: At line 1316 of pngrutil.c, change if (png_crc_finish(png_ptr, 0)) return; to if (png_crc_finish(png_ptr, 0)) { png_ptr->num_trans = 0; return; } Libpng-1.2.17rc1 does not contain this fix. jaervosz@gentoo.org 2007-05-11 08:01:44 0000 This will go public once libpng-1.2.17 is released. Vapier please attach an updated ebuild if you want pretesting. falco@gentoo.org 2007-05-16 09:49:21 0000 public on http://www.libpng.org/pub/png/libpng.html falco@gentoo.org 2007-05-16 09:49:42 0000 *** Bug 178729 has been marked as a duplicate of this bug. *** armin76@gentoo.org 2007-05-16 09:59:55 0000 According to the webpage: 1.2.17 is broken, 1.2.18 should be used vapier@gentoo.org 2007-05-18 19:49:05 0000 1.2.18 is in portage jaervosz@gentoo.org 2007-05-19 06:53:06 0000 Arhces please test and mark stable. Target keywords are: libpng-1.2.18.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd" roeland@rullzer.com 2007-05-19 07:36:25 0000 AMD64: Compiles clean. Passes tests No Collision Exporting png files in the gimp still works. Displaying png files also works. So we're good to go. Portage 2.1.2.7 (default-linux/amd64/2007.0/no-multilib, gcc-4.1.1, glibc-2.5-r2, 2.6.21-gentoo x86_64) ================================================================= System uname: 2.6.21-gentoo x86_64 AMD Turion(tm) 64 Mobile Technology MT-28 Gentoo Base System release 1.12.9 Timestamp of tree: Sat, 19 May 2007 01:50:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] dev-java/java-config: 1.3.7, 2.0.31-r5 dev-lang/python: 2.4.4-r4 dev-python/pycrypto: 2.0.1-r5 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=athlon64 -msse3 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-march=athlon64 -msse3 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="collision-protect distcc distlocks metadata-transfer multilib-strict sandbox sfperms strict test userpriv" GENTOO_MIRRORS="http://gentoo.nedlinux.nl ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo/" LINGUAS="en nl" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage-overlay" SYNC="rsync://godfather/gentoo-portage" USE="X alsa amd64 apache2 bash-completion bitmap-fonts bzip2 cli cracklib crypt cvs dri dvd dvdr exif flac gdbm gif graphviz gstreamer highlight history iconv imagemagick ipod isdnlog jpeg jpeg2k kde latex libg++ logrotate md5sum midi mmx mp3 mplayer music ncurses nls nomotif nptl nptlonly nsplugin ogg opengl oss pcre pdf perl png pppd python qt readline reflection samba session spl sse sse2 ssl tcpd test tetex tiff truetype truetype-fonts type1-fonts unicode vorbis xine xml xml2 xorg xv xvid zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en nl" USERLAND="GNU" VIDEO_CARDS="sis" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS corsair@gentoo.org 2007-05-19 08:58:51 0000 ppc64 stable armin76@gentoo.org 2007-05-19 11:13:46 0000 alpha/ia64/x86 stable jer@gentoo.org 2007-05-19 16:15:49 0000 Stable for HPPA. fauli@gentoo.org 2007-05-19 22:21:24 0000 amd64 stable gustavoz@gentoo.org 2007-05-21 13:02:05 0000 sparc stable. dertobi123@gentoo.org 2007-05-21 19:59:01 0000 ppc stable kumba@gentoo.org 2007-05-27 00:29:44 0000 mips stable. falco@gentoo.org 2007-05-27 13:49:21 0000 please vote first. And i vote yes for a GLSA, because libpng is widely used and we already used to send GLSAs for a libpng DoS. jaervosz@gentoo.org 2007-05-27 14:35:57 0000 Only B3+4 and A4 rated issues get a vote according to policy. falco@gentoo.org 2007-05-27 15:19:11 0000 ok (it's A3) falco@gentoo.org 2007-06-01 07:13:38 0000 200705-24, thanks everybody