Bug 49887 - media-libs/libpng : Denial of Service vulnerability
Summary: media-libs/libpng : Denial of Service vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.mandrakesecure.net/en/advi...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-05-03 12:53 UTC by Olivier Castan
Modified: 2004-05-14 13:24 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---
koon: Assigned_To? (koon)


Attachments
files/libpng-1.2.5-gentoo.diff (libpng-1.2.5-gentoo.diff,2.09 KB, patch)
2004-05-07 03:11 UTC, Thierry Carrez (RETIRED)
Details | Diff
files/libpng-1.0.15-gentoo.diff (libpng-1.0.15-gentoo.diff,2.36 KB, patch)
2004-05-07 03:13 UTC, Thierry Carrez (RETIRED)
Details | Diff

Description Olivier Castan 2004-05-03 12:53:47 UTC
The library provides 2 calls, png_chunk_error and png_chunk_warning, for default error and warning message handling. Inside the code a fixed-size buffer is used and 64 bytes are used to store the caller-supplied message. But there is no bounds checking and this limitation is not documented. Programs linked against libpng may crash or even execute arbitrary code if the caller message is dependent on external inputs. See
Debian :
http://www.debian.org/security/2004/dsa-498
Mandrake :
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:040

Here is Mandrake's patch :

--- libpng-1.2.5/pngerror.c.can-2004-0421       2002-10-03 05:32:27.000000000 -0600
+++ libpng-1.2.5/pngerror.c     2004-04-29 09:26:18.000000000 -0600
@@ -135,10 +135,12 @@
       buffer[iout] = 0;
    else
    {
+      png_size_t len = strnlen(error_message, 63);
+
       buffer[iout++] = ':';
       buffer[iout++] = ' ';
-      png_memcpy(buffer+iout, error_message, 64);
-      buffer[iout+63] = 0;
+      png_memcpy(buffer+iout, error_message, len);
+      buffer[iout+len] = 0;
    }
 }
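Review bot: strnlen in the added `png_size_t len = strnlen(error_message, 63);` line is not part of C89/C99 (at the time it was a GNU extension), so this hunk may fail to compile or link on the non-glibc platforms libpng supports; a local bounded-length loop or a png_-prefixed wrapper would keep the fix portable. Also note that the hunk only bounds the copy by the source string: `buffer[iout+len] = 0;` still writes up to iout+63 bytes into the destination whose size is set by the caller and is not visible or checked here, so the caller's buffer must be sized for the full chunk-name prefix plus ": " plus 64 bytes.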
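The defect Olivier describes, shown as an added C example that is neither libpng's code nor the Mandrake patch: a simplified chunk-message formatter in its pre-patch shape (fixed 64-byte copy) beside a bounded version that limits the copy by the message length, by the 63-byte text limit, and by the destination size. The function names (format_chunk_name, format_buffer_unbounded, format_buffer_bounded, formats_to, demo_truncated_length), the size constants, and the sample messages are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes follow the description: 64 bytes of message text are stored. Each of
 * the 4 chunk-name bytes may expand to "[xx]", then ": " is appended. */
#define MAX_ERROR_TEXT   64
#define CHUNK_PREFIX_MAX (4 * 4 + 2)
#define MSG_BUF_SIZE     (CHUNK_PREFIX_MAX + MAX_ERROR_TEXT)

static const char hexdigit[] = "0123456789ABCDEF";

/* Render the chunk name, escaping non-alphabetic bytes as [xx].
 * Returns the number of bytes written; the caller terminates the string. */
static size_t format_chunk_name(char *buffer, const unsigned char chunk_name[4])
{
    size_t iout = 0;
    int i;
    for (i = 0; i < 4; i++) {
        int c = chunk_name[i];
        if (!isalpha(c)) {
            buffer[iout++] = '[';
            buffer[iout++] = hexdigit[(c & 0xf0) >> 4];
            buffer[iout++] = hexdigit[c & 0x0f];
            buffer[iout++] = ']';
        } else {
            buffer[iout++] = (char)c;
        }
    }
    return iout;
}

/* Pre-patch shape (constructed): always copies 64 bytes from error_message.
 * Well-defined only if the message has 64 readable bytes and the buffer has
 * iout + 64 bytes: a short message is over-read, a small buffer over-written.
 * main() below calls it only under those safe conditions, for comparison. */
static void format_buffer_unbounded(char *buffer, const unsigned char chunk_name[4],
                                    const char *error_message)
{
    size_t iout = format_chunk_name(buffer, chunk_name);
    if (error_message == NULL) { buffer[iout] = 0; return; }
    buffer[iout++] = ':';
    buffer[iout++] = ' ';
    memcpy(buffer + iout, error_message, MAX_ERROR_TEXT);
    buffer[iout + MAX_ERROR_TEXT - 1] = 0;
}

/* Hardened shape: copy no more than the message holds, no more than 63 bytes,
 * and no more than the destination can take; always NUL-terminate. The length
 * scan is a portable stand-in for strnlen(). Returns the final string length. */
static size_t format_buffer_bounded(char *buffer, size_t buffer_size,
                                    const unsigned char chunk_name[4],
                                    const char *error_message)
{
    size_t iout, len, room;
    if (buffer_size < CHUNK_PREFIX_MAX + 1) {   /* cannot hold the prefix */
        if (buffer_size > 0) buffer[0] = 0;
        return 0;
    }
    iout = format_chunk_name(buffer, chunk_name);
    if (error_message == NULL) { buffer[iout] = 0; return iout; }
    buffer[iout++] = ':';
    buffer[iout++] = ' ';
    room = buffer_size - iout - 1;              /* keep one byte for the NUL */
    if (room > MAX_ERROR_TEXT - 1) room = MAX_ERROR_TEXT - 1;
    for (len = 0; len < room && error_message[len] != '\0'; len++)
        ;
    memcpy(buffer + iout, error_message, len);
    buffer[iout + len] = 0;
    return iout + len;
}

/* Check helper: format a 4-byte chunk name and msg into a buffer_size-byte
 * destination and compare the result with expected (1 = match). */
static int formats_to(const char *chunk, const char *msg, size_t buffer_size,
                      const char *expected)
{
    char out[MSG_BUF_SIZE];
    unsigned char name[4];
    memcpy(name, chunk, 4);
    if (buffer_size > sizeof out) buffer_size = sizeof out;
    format_buffer_bounded(out, buffer_size, name, msg);
    return strcmp(out, expected) == 0;
}

/* Check helper: a constructed 200-byte message into a buffer_size-byte
 * destination; returns the truncated length the bounded formatter produced. */
static size_t demo_truncated_length(size_t buffer_size)
{
    char msg[201];
    char out[MSG_BUF_SIZE];
    const unsigned char ihdr[4] = { 'I', 'H', 'D', 'R' };
    memset(msg, 'A', 200);
    msg[200] = 0;
    if (buffer_size > sizeof out) buffer_size = sizeof out;
    return format_buffer_bounded(out, buffer_size, ihdr, msg);
}

int main(void)
{
    char out[MSG_BUF_SIZE];
    char msg[201];
    const unsigned char ihdr[4] = { 'I', 'H', 'D', 'R' };
    memset(msg, 'A', 200);
    msg[200] = 0;
    format_buffer_unbounded(out, ihdr, msg);   /* safe: msg has >= 64 bytes */
    printf("unbounded: %zu chars\n", strlen(out));
    format_buffer_bounded(out, sizeof out, ihdr, "short message");
    printf("bounded:   %s\n", out);
    return 0;
}
```

The bounded version keeps the 63-byte text limit from the patch but adds the second bound the patch leaves to the caller: the destination size, so a caller that passes a smaller buffer gets a truncated, still terminated string instead of a write past the end.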
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-05-04 06:15:23 UTC
Confirmed -- denial of service attack is probably the highest risk here.

no metadata.xml or recent maintainer : we need someone to apply the Mandrake patch to libpng-1.2.5-r4 (slot 1.2) and libpng-1.0.15-r1 (slot 1.0) and rev-bump the ebuilds.

-K
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-05-07 03:11:35 UTC
Created attachment 30917 [details, diff]
files/libpng-1.2.5-gentoo.diff

New diff file for 1.2.5 including the patch
Tested : applies OK, compiles OK, works OK
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-05-07 03:13:57 UTC
Created attachment 30918 [details, diff]
files/libpng-1.0.15-gentoo.diff

New diff file for libpng-1.0.15
Tested : Applies OK, Compiles OK, Works ? (I have no application using libpng1)


ebuilds libpng-1.2.5 and libpng-1.0.15 should be rev-bumped so that the
security fix appears in normal upgrade process
Comment 4 solar (RETIRED) gentoo-dev 2004-05-08 23:36:22 UTC
Koon,

Updated in portage. All arches have libpng-1.2.5-r4.ebuild marked stable already.

KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 ppc64 s390"

Added both patches however.
It's up to you if you want to call for arch testing or not. I don't think you/we need to in this case.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-05-09 11:08:37 UTC
Can someone rev-bump to 1.2.5-r5 and 1.0.15-r2 so that the new diff file gets taken into account in the normal upgrade process?
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-05-11 13:03:20 UTC
Ready for a GLSA
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-05-14 13:24:21 UTC
GLSA 200405-06