Bug#: 49887
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Olivier Castan <castan.o@free.fr>
Attachments (Filename / Description / Type / Creator / Created / Size):
libpng-1.2.5-gentoo.diff / files/libpng-1.2.5-gentoo.diff / patch / Thierry Carrez (RETIRED) / 2004-05-07 03:11 0000 / 2.09 KB
libpng-1.0.15-gentoo.diff / files/libpng-1.0.15-gentoo.diff / patch / Thierry Carrez (RETIRED) / 2004-05-07 03:13 0000 / 2.36 KB

Description:   Opened: 2004-05-03 12:53 0000
The library provides 2 calls, png_chunk_error and png_chunk_warning, for default
error and warning message handling. Inside the code a fixed size buffer is
used and 64 bytes are used to store the caller supplied message. But there is
no bounds checking and this limitation is not documented. Programs linked
against libpng may crash or even execute arbitrary code if the caller message
is dependent on external inputs. See
Debian: http://www.debian.org/security/2004/dsa-498
Mandrake: http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:040

Here is Mandrake's patch:

--- libpng-1.2.5/pngerror.c.can-2004-0421       2002-10-03 05:32:27.000000000
-0600
+++ libpng-1.2.5/pngerror.c     2004-04-29 09:26:18.000000000 -0600
@@ -135,10 +135,12 @@
       buffer[iout] = 0;
    else
    {
+      png_size_t len = strnlen(error_message, 63);
+
       buffer[iout++] = ':';
       buffer[iout++] = ' ';
-      png_memcpy(buffer+iout, error_message, 64);
-      buffer[iout+63] = 0;
+      png_memcpy(buffer+iout, error_message, len);
+      buffer[iout+len] = 0;
    }
 }
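Review bot: `png_size_t len = strnlen(error_message, 63);` depends on strnlen(), which is a GNU extension and not part of C89 or of POSIX before the 2008 revision, so this hunk will fail to link on some of the libcs libpng builds against; a small local loop that stops at the first NUL or at 63 bytes (or a png_ wrapper with that fallback) would keep the fix portable. The bound itself is sound: the removed `buffer[iout+63] = 0;` shows the buffer already had room for iout+64 bytes, so writing `buffer[iout+len] = 0;` with len <= 63 stays inside it while the copy no longer reads 64 bytes past the start of a shorter message.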

------- Comment #1 From Thierry Carrez (RETIRED) 2004-05-04 06:15:23 0000 -------
Confirmed -- denial of service attack is probably the highest risk here.

No metadata.xml or recent maintainer: we need someone to apply the Mandrake patch to libpng-1.2.5-r4 (slot 1.2) and libpng-1.0.15-r1 (slot 1.0) and rev-bump the ebuilds.

-K
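The hardened message copy from the patch in the report above, as an added stand-alone C example (not libpng's own code; the buffer layout, sizes and the bounded_len helper are this example's assumptions). It replaces strnlen() with a portable bounded loop and exercises the case the old fixed 64-byte copy gets wrong: a caller message that is not NUL-terminated within 63 bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example modelled on the pngerror.c hunk in the report above.
 * Buffer layout and sizes are this example's, not libpng's: a 4-byte chunk
 * name, ": ", at most MSG_MAX message bytes, and a terminating NUL. */
#define NAME_LEN 4
#define MSG_MAX  63
#define BUF_SIZE (NAME_LEN + 2 + MSG_MAX + 1)

/* Portable stand-in for strnlen(): stops at the first NUL or at maxlen,
 * so a caller-supplied message is never read past either bound. */
static size_t bounded_len(const char *s, size_t maxlen)
{
    size_t n = 0;
    while (n < maxlen && s[n] != '\0')
        n++;
    return n;
}

/* Post-patch behaviour: copy only the bytes the message actually has
 * (capped at MSG_MAX) and terminate right after them. The unpatched code
 * copied a fixed 64 bytes, reading past the end of any shorter message.
 * buf must have room for BUF_SIZE bytes. Returns strlen(buf). */
static size_t format_chunk_error(char buf[BUF_SIZE], const char name[NAME_LEN],
                                 const char *msg)
{
    size_t iout = 0, len = bounded_len(msg, MSG_MAX);
    memcpy(buf, name, NAME_LEN);
    iout += NAME_LEN;
    buf[iout++] = ':';
    buf[iout++] = ' ';
    memcpy(buf + iout, msg, len);   /* never more than MSG_MAX bytes */
    buf[iout + len] = '\0';         /* index <= NAME_LEN + 2 + 63 < BUF_SIZE */
    return iout + len;
}

int main(void)
{
    char buf[BUF_SIZE], raw[MSG_MAX];
    memset(raw, 'B', sizeof raw);   /* 63 bytes with no NUL anywhere */
    printf("%zu: %s\n", format_chunk_error(buf, "IHDR", "bad length"), buf);
    printf("%zu bytes kept from an unterminated message, still NUL-terminated\n",
           format_chunk_error(buf, "IDAT", raw));
    return 0;
}
```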

------- Comment #2 From Thierry Carrez (RETIRED) 2004-05-07 03:11:35 0000 -------
Created an attachment (id=30917) [details]
files/libpng-1.2.5-gentoo.diff

New diff file for 1.2.5 including the patch
Tested: applies OK, compiles OK, works OK

------- Comment #3 From Thierry Carrez (RETIRED) 2004-05-07 03:13:57 0000 -------
Created an attachment (id=30918) [details]
files/libpng-1.0.15-gentoo.diff

New diff file for libpng-1.0.15
Tested: Applies OK, Compiles OK, Works? (I have no application using libpng1)


ebuilds libpng-1.2.5 and libpng-1.0.15 should be rev-bumped so that the
security fix appears in the normal upgrade process

------- Comment #4 From solar 2004-05-08 23:36:22 0000 -------
Koon,

Updated in portage. All arches have libpng-1.2.5-r4.ebuild marked stable already.

KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 ppc64 s390"

Added both patches however.
It's up to you if you want to call for arch testing or not. I don't think you/we
need to in this case.

------- Comment #5 From Thierry Carrez (RETIRED) 2004-05-09 11:08:37 0000 -------
Can someone rev-bump to 1.2.5-r5 and 1.0.15-r2 so that the new diff file gets
taken into account in the normal upgrade process?

------- Comment #6 From Thierry Carrez (RETIRED) 2004-05-11 13:03:20 0000 -------
Ready for a GLSA

------- Comment #7 From Thierry Carrez (RETIRED) 2004-05-14 13:24:21 0000 -------
GLSA 200405-06
