
Bug 259578 (CVE-2009-0040)

Summary: media-libs/libpng <1.2.35 Memory corruption (CVE-2009-0040)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: base-system
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-19 10:01:32 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Libpng-1.2.34 ADVISORY    19 February 2009

A vulnerability has been reported in libpng-1.2.34.

The bug is of the form

     malloc an array of N elements
     for (i=0; i<N; i++)
       malloc element[i];

If the application runs out of memory during the
loop, some of the element pointers will be uninitialized.
Libpng will then longjmp to a cleanup process that
attempts to free all of the elements in the array,
including the uninitialized ones.  This behavior
could be forced by a malevolent input.

There are 5 instances of the bug in libpng-1.2.34.
One is in the "png_read_png()".  Only applications
that explicitly call png_read_png() are vulnerable.
Another is in the handler for the pCAL chunk.  Any
application that does not disable pCAL chunk handling
via a call to "set_keep_unknown_chunks()" is vulnerable.
Three others are in code that sets up 16-bit gamma
tables.  All applications are probably vulnerable
to these, even if they use png_set_strip_16() to
reduce 16-bit input to 8-bits, because of the order
in which libpng does its transformations.

In fact, all versions since libpng-0.89c contain
at least the 16-bit gamma-table bugs, and all
versions since libpng-1.0.6 contain the png_read_png()
bug.  The pCAL decoding bug has existed since

The PNG group recommends upgrading to libpng-1.0.43
or libpng-1.2.35.  For persons wishing to continue
using older versions, we are providing a patch along
with the new libpng distributions that will work
against versions 1.0.19 through 1.0.42 and 1.2.9
through 1.2.34.  Anyone wishing to use still older
libpng versions will have to modify the patch slightly.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-02-19 10:06:03 UTC
This is already out.
vapier, you're fast as hell again. OK for fast-tracked stabling today, or do you want to give it one more test run?
Comment 2 SpanKY gentoo-dev 2009-02-19 18:41:15 UTC
i'm not going to do any extended testing ... might as well let the arch testers give it a spin
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-02-19 21:16:33 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-20 15:04:37 UTC
Stable for HPPA.
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-02-20 17:39:50 UTC
ppc64 done
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2009-02-22 14:34:19 UTC
Stable on alpha.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-02-22 15:21:10 UTC
arm/ia64/s390/sh/sparc/x86 stable
Comment 8 Carsten Lohrke (RETIRED) gentoo-dev 2009-02-22 23:06:47 UTC
Did anyone check, if optipng (includes libpng 1.2.33) is affected as well?
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2009-02-25 16:27:09 UTC
ppc stable
Comment 10 Markus Meier gentoo-dev 2009-02-25 20:55:32 UTC
amd64 stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-05 20:14:14 UTC
GLSA together with bug 244808.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-15 18:47:00 UTC
GLSA 200903-28