
Bug 178004

Summary: media-libs/libpng null pointer dereference in png_handle_tRNS (CVE-2007-2445)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: neeo
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-11 07:59:30 UTC
It seems that a grayscale image with a malformed (bad CRC) tRNS chunk
will crash libpng and mozilla.  In my experience it also brought down
my Windows display manager.

The reason is that png_ptr->num_trans is set to 1 and then there is
an error return after checking the CRC, so the trans[] array is never
allocated.  Since png_ptr->num_trans is nonzero, libpng tries to use
the array later.  Here is the fix, thanks to Mats Palmgren:

At line 1316 of pngrutil.c, change

   if (png_crc_finish(png_ptr, 0))
      return;

to

   if (png_crc_finish(png_ptr, 0))
   {
      png_ptr->num_trans = 0;
      return;
   }

Libpng-1.2.17rc1 does not contain this fix.
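The failure mode described in the report (num_trans set to 1, early return on a bad CRC, trans[] never allocated, later dereferenced) can be reproduced in a small model. The following is an added example, not libpng's code: the png_state struct, the two handle_tRNS variants and run_tRNS are constructed here to mirror the report, with only the field names num_trans/trans and the CRC-32 algorithm taken from libpng and the PNG specification. The constructed tRNS chunk carries a grayscale sample with its CRC either intact or corrupted by a single flipped bit; state_consistent is the check a consumer would need before touching trans[].

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-in for the libpng reader state involved in the bug.
 * Field names mirror png_ptr->num_trans / png_ptr->trans, but this struct
 * is constructed for the example and is not libpng's png_struct. */
typedef struct {
    uint16_t num_trans;   /* number of transparency entries claimed present */
    uint8_t *trans;       /* array of num_trans entries, or NULL */
} png_state;

/* A chunk as stored in the file: 4-byte type, data, CRC over type+data. */
typedef struct {
    uint8_t type[4];
    const uint8_t *data;
    size_t len;
    uint32_t crc;
} chunk;

/* Standard PNG CRC-32 (polynomial 0xEDB88320, as in the PNG spec annex). */
static uint32_t png_crc32(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (0xedb88320u ^ (c >> 1)) : (c >> 1);
    }
    return c ^ 0xffffffffu;
}

/* CRC over chunk type followed by chunk data (sample chunks here are tiny). */
static uint32_t chunk_crc(const uint8_t type[4], const uint8_t *data, size_t len)
{
    uint8_t buf[4 + 64];
    if (len > 64) return 0;
    memcpy(buf, type, 4);
    if (len) memcpy(buf + 4, data, len);
    return png_crc32(buf, 4 + len);
}

/* Plays the role of png_crc_finish(): nonzero when the stored CRC is wrong. */
static int crc_finish(const chunk *c)
{
    return chunk_crc(c->type, c->data, c->len) != c->crc;
}

/* Grayscale tRNS handling shaped like the pre-fix path described in the
 * report: num_trans is set to 1 before the CRC is checked, and the early
 * return on a bad CRC leaves trans unallocated while num_trans stays 1. */
static void handle_tRNS_buggy(png_state *p, const chunk *c)
{
    p->num_trans = 1;
    if (crc_finish(c))
        return;                       /* BUG: num_trans == 1, trans == NULL */
    p->trans = malloc(p->num_trans);
    p->trans[0] = c->data[1];         /* low byte of the 16-bit gray sample */
}

/* Same path with the one-line fix from the report applied. */
static void handle_tRNS_fixed(png_state *p, const chunk *c)
{
    p->num_trans = 1;
    if (crc_finish(c)) {
        p->num_trans = 0;             /* nothing was allocated: say so */
        return;
    }
    p->trans = malloc(p->num_trans);
    p->trans[0] = c->data[1];
}

/* The invariant later code relies on before touching trans[]:
 * num_trans != 0 implies trans points at num_trans entries. */
static int state_consistent(const png_state *p)
{
    return p->num_trans == 0 || p->trans != NULL;
}

/* Feed one handler a constructed grayscale tRNS chunk (gray value 0x007f)
 * whose CRC is either intact or corrupted by one flipped bit. Returns 1 if
 * the resulting state is safe for a consumer, 0 if a later read of trans[]
 * would be a NULL pointer dereference. */
static int run_tRNS(void (*handler)(png_state *, const chunk *), int corrupt_crc)
{
    static const uint8_t gray[2] = {0x00, 0x7f};   /* constructed sample */
    chunk c = {{'t', 'R', 'N', 'S'}, gray, 2, 0};
    c.crc = chunk_crc(c.type, gray, 2) ^ (corrupt_crc ? 1u : 0u);
    png_state p = {0, NULL};
    handler(&p, &c);
    int ok = state_consistent(&p);
    free(p.trans);
    return ok;
}

int main(void)
{
    printf("buggy, bad CRC : %s\n", run_tRNS(handle_tRNS_buggy, 1) ? "safe" : "UNSAFE (num_trans=1, trans=NULL)");
    printf("fixed, bad CRC : %s\n", run_tRNS(handle_tRNS_fixed, 1) ? "safe" : "UNSAFE");
    printf("fixed, good CRC: %s\n", run_tRNS(handle_tRNS_fixed, 0) ? "safe" : "UNSAFE");
    return 0;
}
```

The buggy variant reports an unsafe state only for the corrupted chunk, which is exactly the condition the report describes: the CRC failure is detected, but the bookkeeping that announces a transparency array was left pointing at memory that never existed.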
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-11 08:01:44 UTC
This will go public once libpng-1.2.17 is released.

Vapier please attach an updated ebuild if you want pretesting.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-16 09:49:21 UTC
public on http://www.libpng.org/pub/png/libpng.html
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-16 09:49:42 UTC
*** Bug 178729 has been marked as a duplicate of this bug. ***
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2007-05-16 09:59:55 UTC
According to the webpage:  1.2.17 is broken, 1.2.18 should be used
Comment 5 SpanKY gentoo-dev 2007-05-18 19:49:05 UTC
1.2.18 is in portage
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-19 06:53:06 UTC
Arches please test and mark stable. Target keywords are:

libpng-1.2.18.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 7 Roeland Douma 2007-05-19 07:36:25 UTC
AMD64:

Compiles clean.
Passes tests
No Collision

Exporting png files in the gimp still works. Displaying png files also works. So we're good to go.

Portage 2.1.2.7 (default-linux/amd64/2007.0/no-multilib, gcc-4.1.1, glibc-2.5-r2, 2.6.21-gentoo x86_64)
=================================================================
System uname: 2.6.21-gentoo x86_64 AMD Turion(tm) 64 Mobile Technology MT-28
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 19 May 2007 01:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
dev-java/java-config: 1.3.7, 2.0.31-r5
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -msse3 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=athlon64 -msse3 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distcc distlocks metadata-transfer multilib-strict sandbox sfperms strict test userpriv"
GENTOO_MIRRORS="http://gentoo.nedlinux.nl ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo/"
LINGUAS="en nl"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage-overlay"
SYNC="rsync://godfather/gentoo-portage"
USE="X alsa amd64 apache2 bash-completion bitmap-fonts bzip2 cli cracklib crypt cvs dri dvd dvdr exif flac gdbm gif graphviz gstreamer highlight history iconv imagemagick ipod isdnlog jpeg jpeg2k kde latex libg++ logrotate md5sum midi mmx mp3 mplayer music ncurses nls nomotif nptl nptlonly nsplugin ogg opengl oss pcre pdf perl png pppd python qt readline reflection samba session spl sse sse2 ssl tcpd test tetex tiff truetype truetype-fonts type1-fonts unicode vorbis xine xml xml2 xorg xv xvid zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en nl" USERLAND="GNU" VIDEO_CARDS="sis"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-05-19 08:58:51 UTC
ppc64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2007-05-19 11:13:46 UTC
alpha/ia64/x86 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2007-05-19 16:15:49 UTC
Stable for HPPA.
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2007-05-19 22:21:24 UTC
amd64 stable
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-21 13:02:05 UTC
sparc stable.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-21 19:59:01 UTC
ppc stable
Comment 14 Joshua Kinard gentoo-dev 2007-05-27 00:29:44 UTC
mips stable.
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-27 13:49:21 UTC
please vote first.

And I vote yes for a GLSA, because libpng is widely used and we already used to send GLSAs for a libpng DoS.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-27 14:35:57 UTC
Only B3+4 and A4 rated issues get a vote according to policy.
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-27 15:19:11 UTC
ok (it's A3)
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-01 07:13:38 UTC
200705-24, thanks everybody