Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 237175 (CVE-2008-3964)

Summary: media-libs/libpng <1.2.32 png_push_read_zTXt() Off-By-One DoS (CVE-2008-3964)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/31781/
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 237321    
Bug Blocks:    

Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-09 12:53:13 UTC 
Secunia wrote:

A vulnerability has been reported in libpng, which can be exploited
by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an off-by-one error within the
"png_push_read_zTXt()" function in pngread.c when processing
malicious PNG images with specially crafted zTXt chunks, which can be
exploited to crash an application using the library.

The vulnerability was reportedly introduced in version 1.2.30beta04
and is reported in version 1.2.31. Other versions may also be
affected.

Note: An off-by-one error in pngtest.c was also fixed.

SOLUTION:
Fixed in version 1.2.32beta01.

PROVIDED AND/OR DISCOVERED BY:
Harald van Dijk

ORIGINAL ADVISORY:
http://sourceforge.net/project/shownotes.php?release_id=624518
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-09 15:09:48 UTC 
CVE-2008-3964 has been assigned.
Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2008-09-10 13:24:23 UTC 
As a side note, before >libpng-1.2.30 goes stable. cairo-1.6.4-r1 needs to go stable otherwise any app that uses PNG images and cairo (which is anything that uses GTK+) will segfault due to an API change in libpng 1.2.30 and higher.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 19:16:23 UTC 
This was introduced in libpng-1.2.30beta04, so it does not affect stable.
The only version we have in the tree affected by this is 1.2.31, and since that is superseded by 1.2.32, this bug can be closed.

Please remove 1.2.31 and do not process it for stabling.