
Bug 494948 (CVE-2013-6954)

Summary: <media-libs/libpng-1.6.8: unhandled zero-length PLTE chunk or NULL palette (CVE-2013-6954)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: trivial
CC: base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-12-21 13:37:38 UTC
From ${URL} :

libpng 1.6.8 was released [1] and notes the following fix:

Handle zero-length PLTE chunk or NULL palette with png_error() instead of png_chunk_report(), which by default issues a warning rather than an error, leading to later reading from a NULL pointer (png_ptr->palette) in png_do_expand_palette(). This is CVE-2013-6954 and VU#650142.

The git commit to fix is available [3].


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2013-12-21 16:06:10 UTC
1.6.8 is now in Portage with a fix to this, but since this never affected the 1.5.x series, which is the current stable, there is no stabilization required at this time.

so I believe this should be closed as resolved, fixed now?
Comment 2 Agostino Sarubbo gentoo-dev 2013-12-21 16:12:11 UTC
(In reply to Samuli Suominen from comment #1)
> so I believe this should be closed as resolved, fixed now?

Yes, thanks.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-01-24 14:33:40 UTC
CVE-2013-6954 (
  The png_do_expand_palette function in libpng before 1.6.8 allows remote
  attackers to cause a denial of service (NULL pointer dereference and
  application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette,
  related to pngrtran.c and pngset.c.
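
A pre-decode check for the zero-byte PLTE case described in this bug, as an added example that is not libpng code and not part of the original report. The names `check_plte` and `plte_status` and both sample byte arrays are constructed for illustration; the check goes slightly beyond the report by also rejecting PLTE lengths that the PNG specification disallows (not a multiple of 3, or more than 256 entries).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum plte_status { PLTE_OK, PLTE_ABSENT, PLTE_EMPTY, PLTE_BAD_LENGTH, PNG_MALFORMED };

/* Constructed samples (CRC fields zeroed, so not decodable images): signature,
 * IHDR with colour type 3 (palette), PLTE, IEND. Only the PLTE chunk differs. */
const uint8_t sample_empty_plte[] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 3, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 'P', 'L', 'T', 'E', 0, 0, 0, 0,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0 };
const uint8_t sample_one_entry[] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 3, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 3, 'P', 'L', 'T', 'E', 255, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify the PLTE chunk of an in-memory PNG; CRCs are not verified. */
enum plte_status check_plte(const uint8_t *buf, size_t len)
{
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    size_t off = 8;
    if (len < 8 || memcmp(buf, sig, 8) != 0)
        return PNG_MALFORMED;
    while (len - off >= 12) {               /* room for length + type + CRC */
        uint32_t clen = be32(buf + off);
        if (clen > len - off - 12)          /* chunk data runs past the buffer */
            return PNG_MALFORMED;
        if (memcmp(buf + off + 4, "PLTE", 4) == 0) {
            if (clen == 0)
                return PLTE_EMPTY;          /* zero-byte PLTE, case (1) of the CVE text */
            /* A valid palette is 1..256 whole RGB triples. */
            return (clen % 3 == 0 && clen <= 768) ? PLTE_OK : PLTE_BAD_LENGTH;
        }
        if (memcmp(buf + off + 4, "IEND", 4) == 0)
            return PLTE_ABSENT;
        off += 12 + (size_t)clen;
    }
    return PNG_MALFORMED;                   /* ran out of data before IEND */
}

int main(void) { return check_plte(sample_empty_plte, sizeof sample_empty_plte) != PLTE_EMPTY; }
```

A caller that treats anything other than `PLTE_OK` or `PLTE_ABSENT` as a hard rejection gets the fail-closed behaviour that the 1.6.8 fix introduced by switching from a warning to `png_error()`.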