| Summary: | media-libs/libpng null pointer dereference in png_handle_tRNS (CVE-2007-2445) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | neeo |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | A3 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
This will go public once libpng-1.2.17 is released. Vapier please attach an updated ebuild if you want pretesting. *** Bug 178729 has been marked as a duplicate of this bug. *** According to the webpage: 1.2.17 is broken, 1.2.18 should be used 1.2.18 is in portage Arhces please test and mark stable. Target keywords are: libpng-1.2.18.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd" AMD64: Compiles clean. Passes tests No Collision Exporting png files in the gimp still works. Displaying png files also works. So we're good to go. Portage 2.1.2.7 (default-linux/amd64/2007.0/no-multilib, gcc-4.1.1, glibc-2.5-r2, 2.6.21-gentoo x86_64) ================================================================= System uname: 2.6.21-gentoo x86_64 AMD Turion(tm) 64 Mobile Technology MT-28 Gentoo Base System release 1.12.9 Timestamp of tree: Sat, 19 May 2007 01:50:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] dev-java/java-config: 1.3.7, 2.0.31-r5 dev-lang/python: 2.4.4-r4 dev-python/pycrypto: 2.0.1-r5 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=athlon64 -msse3 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-march=athlon64 -msse3 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="collision-protect distcc distlocks metadata-transfer multilib-strict sandbox sfperms strict test userpriv" GENTOO_MIRRORS="http://gentoo.nedlinux.nl ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo/" LINGUAS="en nl" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage-overlay" SYNC="rsync://godfather/gentoo-portage" USE="X alsa amd64 apache2 bash-completion bitmap-fonts bzip2 cli cracklib crypt cvs dri dvd dvdr exif flac gdbm gif graphviz gstreamer highlight history iconv imagemagick ipod isdnlog jpeg jpeg2k kde latex libg++ logrotate md5sum midi mmx mp3 mplayer music ncurses nls nomotif nptl nptlonly nsplugin ogg opengl oss pcre pdf perl png pppd python qt readline reflection samba session spl sse sse2 ssl tcpd test tetex tiff truetype truetype-fonts type1-fonts unicode vorbis xine xml xml2 xorg xv xvid zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en nl" USERLAND="GNU" VIDEO_CARDS="sis" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS ppc64 stable alpha/ia64/x86 stable Stable for HPPA. amd64 stable sparc stable. ppc stable mips stable. please vote first. And i vote yes for a GLSA, because libpng is widely used and we already used to send GLSAs for a libpng DoS. Only B3+4 and A4 rated issues get a vote according to policy. ok (it's A3) 200705-24, thanks everybody |
It seems that a grayscale image with a malformed (bad CRC) tRNS chunk will crash libpng and mozilla. In my experience it also brought down my Windows display manager. The reason is that png_ptr->num_trans is set to 1 and then there is an error return after checking the CRC, so the trans[] array is never allocated. Since png_ptr->num_trans is nonzero, libpng tries to use the array later. Here is the fix, thanks to Mats Palmgren: At line 1316 of pngrutil.c, change if (png_crc_finish(png_ptr, 0)) return; to if (png_crc_finish(png_ptr, 0)) { png_ptr->num_trans = 0; return; } Libpng-1.2.17rc1 does not contain this fix.