Bug 178004 - media-libs/libpng null pointer dereference in png_handle_tRNS (CVE-2007-2445)
Bug#: 178004
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:
Summary: media-libs/libpng null pointer dereference in png_handle_tRNS (CVE-2007-2445)
Keywords:
Status Whiteboard: A3 [glsa]
Opened: 2007-05-11 07:59 0000
It seems that a grayscale image with a malformed (bad CRC) tRNS chunk
will crash libpng and mozilla. In my experience it also brought down
my Windows display manager.
The reason is that png_ptr->num_trans is set to 1 and then there is
an error return after checking the CRC, so the trans[] array is never
allocated. Since png_ptr->num_trans is nonzero, libpng tries to use
the array later. Here is the fix, thanks to Mats Palmgren:
At line 1316 of pngrutil.c, change
if (png_crc_finish(png_ptr, 0))
return;
to
if (png_crc_finish(png_ptr, 0))
{
png_ptr->num_trans = 0;
return;
}
Libpng-1.2.17rc1 does not contain this fix.
This will go public once libpng-1.2.17 is released.
Vapier please attach an updated ebuild if you want pretesting.
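As an added example (not libpng's own code and not part of this bug report), the following C program models the state handling the report describes: a reduced grayscale-only png_handle_tRNS, the standard PNG CRC-32, and a consumer that, like the rest of libpng, trusts num_trans. The names png_model, handle_tRNS, crc_finish, later_use_of_trans and run_scenario are invented stand-ins for png_struct, png_handle_tRNS, png_crc_finish and png_set_tRNS; the tRNS chunk bytes are constructed for this example and its stored CRC is deliberately corrupted to reproduce the bad-CRC case. The `fixed` flag switches between the 1.2.17rc1 logic and the one-line reset shown above.

```c
/* Added example modelling CVE-2007-2445: num_trans is set before the chunk
 * CRC is checked, so a bad-CRC grayscale tRNS leaves num_trans = 1 with no
 * trans[] array allocated. Names and structs are simplified stand-ins for
 * libpng internals, not libpng code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PNG_COLOR_TYPE_GRAY 0

/* Stand-in for the few png_struct fields this bug touches. */
struct png_model {
    int color_type;
    uint16_t num_trans;   /* count of transparency entries the reader trusts */
    uint8_t *trans;       /* allocated only by the tRNS setter on a good CRC */
    uint16_t trans_gray;  /* 16-bit gray transparency value from the chunk */
};

/* A chunk as seen in the stream: type + data, then the stored CRC. */
struct chunk {
    const uint8_t *body;  /* 4-byte type followed by data */
    size_t body_len;
    uint32_t stored_crc;
};

/* PNG chunk CRC: standard CRC-32 (poly 0xEDB88320), computed bitwise. */
static uint32_t crc32_png(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (0xedb88320u ^ (c >> 1)) : (c >> 1);
    }
    return c ^ 0xffffffffu;
}

/* Mirrors png_crc_finish returning nonzero on a (non-fatal) CRC mismatch. */
static int crc_finish(const struct chunk *ch)
{
    return crc32_png(ch->body, ch->body_len) != ch->stored_crc;
}

/* Reduced grayscale tRNS handler. fixed=0: 1.2.17rc1 logic; fixed=1: reset. */
static void handle_tRNS(struct png_model *png, const struct chunk *ch, int fixed)
{
    if (png->color_type != PNG_COLOR_TYPE_GRAY || ch->body_len != 4 + 2) {
        (void)crc_finish(ch);      /* other colour types are out of scope here */
        return;
    }
    /* As in libpng: the count is recorded BEFORE the CRC is verified. */
    png->num_trans = 1;
    png->trans_gray = (uint16_t)((ch->body[4] << 8) | ch->body[5]);

    if (crc_finish(ch)) {
        if (fixed)
            png->num_trans = 0;    /* the one-line fix: forget the chunk */
        return;                    /* old code returns with num_trans still 1 */
    }
    /* Only a good CRC reaches the setter that allocates trans[]. */
    png->trans = calloc(png->num_trans, sizeof *png->trans);
    if (png->trans == NULL)
        png->num_trans = 0;
}

/* Later consumer: libpng indexes trans[] whenever num_trans is nonzero.
 * Returns 0 = no transparency, 1 = trans[] usable, -1 = would dereference NULL. */
static int later_use_of_trans(const struct png_model *png)
{
    if (png->num_trans == 0) return 0;
    if (png->trans == NULL) return -1;
    return 1;
}

/* Constructed input: a grayscale tRNS chunk ("tRNS" + 16-bit gray value 0). */
static const uint8_t trns_body[6] = { 't', 'R', 'N', 'S', 0x00, 0x00 };

/* Run one scenario and report what the consumer would do. */
static int run_scenario(int corrupt_crc, int fixed)
{
    struct png_model png = { PNG_COLOR_TYPE_GRAY, 0, NULL, 0 };
    struct chunk ch = { trns_body, sizeof trns_body,
                        crc32_png(trns_body, sizeof trns_body) };
    if (corrupt_crc)
        ch.stored_crc ^= 0x1u;     /* flip one CRC bit, as a damaged file would */
    handle_tRNS(&png, &ch, fixed);
    int rc = later_use_of_trans(&png);
    free(png.trans);
    return rc;
}

int main(void)
{
    printf("good CRC, old logic: %d\n", run_scenario(0, 0));
    printf("bad CRC,  old logic: %d (num_trans=1, trans=NULL)\n", run_scenario(1, 0));
    printf("bad CRC,  fixed:     %d\n", run_scenario(1, 1));
    return 0;
}
```

With the old logic a corrupted CRC yields the inconsistent pair num_trans=1 / trans=NULL, which the later consumer reports as the would-be NULL dereference; with the reset from the fix the chunk is simply treated as absent. The CRC routine is checked against the well-known IEND chunk CRC (0xAE426082) so the "good CRC" path is real and not a tautology.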
*** Bug 178729 has been marked as a duplicate of this bug. ***
According to the webpage: 1.2.17 is broken, 1.2.18 should be used
Arches please test and mark stable. Target keywords are:
libpng-1.2.18.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64
s390 sh sparc x86 ~x86-fbsd"
AMD64:
Compiles clean.
Passes tests
No Collision
Exporting png files in the gimp still works. Displaying png files also works.
So we're good to go.
Portage 2.1.2.7 (default-linux/amd64/2007.0/no-multilib, gcc-4.1.1,
glibc-2.5-r2, 2.6.21-gentoo x86_64)
=================================================================
System uname: 2.6.21-gentoo x86_64 AMD Turion(tm) 64 Mobile Technology MT-28
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 19 May 2007 01:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[enabled]
dev-java/java-config: 1.3.7, 2.0.31-r5
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -msse3 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=athlon64 -msse3 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distcc distlocks metadata-transfer multilib-strict
sandbox sfperms strict test userpriv"
GENTOO_MIRRORS="http://gentoo.nedlinux.nl
ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo/"
LINGUAS="en nl"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage-overlay"
SYNC="rsync://godfather/gentoo-portage"
USE="X alsa amd64 apache2 bash-completion bitmap-fonts bzip2 cli cracklib crypt
cvs dri dvd dvdr exif flac gdbm gif graphviz gstreamer highlight history iconv
imagemagick ipod isdnlog jpeg jpeg2k kde latex libg++ logrotate md5sum midi mmx
mp3 mplayer music ncurses nls nomotif nptl nptlonly nsplugin ogg opengl oss
pcre pdf perl png pppd python qt readline reflection samba session spl sse sse2
ssl tcpd test tetex tiff truetype truetype-fonts type1-fonts unicode vorbis
xine xml xml2 xorg xv xvid zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm
alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa
lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" LINGUAS="en nl" USERLAND="GNU" VIDEO_CARDS="sis"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Please vote first.
And I vote yes for a GLSA, because libpng is widely used and we have already
sent GLSAs for a libpng DoS.
Only B3+4 and A4 rated issues get a vote according to policy.
200705-24, thanks everybody