
Bug 49887

Summary: media-libs/libpng : Denial of Service vulnerability
Product: Gentoo Security Reporter: Olivier Castan <castan.o>
Component: GLSA Errors
Assignee: Gentoo Security <security>
Severity: normal Flags: koon: Assigned_To? (koon)
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Package list:
Runtime testing required: ---
Attachments: files/libpng-1.2.5-gentoo.diff

Description Olivier Castan 2004-05-03 12:53:47 UTC
The library provides two calls, png_chunk_error and png_chunk_warning, for default error and warning message handling. Inside the code a fixed-size buffer is used, and 64 bytes are used to store the caller-supplied message. But there is no bounds checking, and this limitation is not documented. Programs linked against libpng may crash or even execute arbitrary code if the caller message depends on external inputs. See
Debian :
Mandrake :

Here is Mandrake's patch:

--- libpng-1.2.5/pngerror.c.can-2004-0421       2002-10-03 05:32:27.000000000 -0600
+++ libpng-1.2.5/pngerror.c     2004-04-29 09:26:18.000000000 -0600
@@ -135,10 +135,12 @@
       buffer[iout] = 0;
+      png_size_t len = strnlen(error_message, 63);
       buffer[iout++] = ':';
       buffer[iout++] = ' ';
-      png_memcpy(buffer+iout, error_message, 64);
-      buffer[iout+63] = 0;
+      png_memcpy(buffer+iout, error_message, len);
+      buffer[iout+len] = 0;
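Review bot: the added declaration `png_size_t len = strnlen(error_message, 63);` sits after the statement `buffer[iout] = 0;`, a mixed declaration and statement that C89 compilers reject, and strnlen is a GNU/POSIX extension that is not guaranteed on every platform this library builds on. Hoist `png_size_t len;` to the top of the enclosing block and compute the bounded length with a plain loop (`for (len = 0; len < 63 && error_message[len] != 0; len++) ;`) so the fix is portable. The copy of `len` bytes followed by `buffer[iout+len] = 0;` is otherwise right: it never reads past the message's terminator and still leaves room for the NUL.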
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-05-04 06:15:23 UTC
Confirmed -- denial of service attack is probably the highest risk here.

No metadata.xml or recent maintainer: we need someone to apply the Mandrake patch to libpng-1.2.5-r4 (slot 1.2) and libpng-1.0.15-r1 (slot 1.0) and rev-bump the ebuilds.

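The over-read described in the bug report, as an added example that is not libpng's code and not the reporter's: a constructed model of the formatting pattern, with the vulnerable fixed 64-byte copy beside a bounded copy that does not rely on strnlen. The function names (format_vulnerable, format_fixed, bounded_len), the 16-byte prefix bound, the "[IDAT]" prefix and the "short" message padded with 'X' filler are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout: a chunk-name prefix, ": ", then up to 64 bytes of the
 * caller's message, all in one fixed buffer (constructed model, not libpng). */
#define PREFIX_MAX 16
#define MSG_MAX    64
#define BUF_SIZE   (PREFIX_MAX + MSG_MAX)

/* Vulnerable form: always copies MSG_MAX bytes from msg, so any message
 * shorter than 64 bytes is read past its terminator.  Whatever follows the
 * message in memory is copied, and if the read crosses an unmapped page the
 * program crashes. */
static size_t format_vulnerable(char *buffer, const char *prefix, const char *msg)
{
    size_t iout = strlen(prefix);           /* assumed: prefix shorter than PREFIX_MAX - 2 */
    memcpy(buffer, prefix, iout);
    buffer[iout++] = ':';
    buffer[iout++] = ' ';
    memcpy(buffer + iout, msg, MSG_MAX);    /* 64 bytes regardless of strlen(msg) */
    buffer[iout + MSG_MAX - 1] = 0;
    return MSG_MAX;
}

/* C89-portable bounded length: stops at the first NUL or at max, never
 * reads further than that.  Replaces strnlen, which is not standard C. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != 0)
        n++;
    return n;
}

/* Hardened form: copy only the bytes that exist, capped at 63 so the
 * terminator still fits inside the 64-byte message area. */
static size_t format_fixed(char *buffer, const char *prefix, const char *msg)
{
    size_t len;
    size_t iout = strlen(prefix);
    memcpy(buffer, prefix, iout);
    buffer[iout++] = ':';
    buffer[iout++] = ' ';
    len = bounded_len(msg, MSG_MAX - 1);
    memcpy(buffer + iout, msg, len);
    buffer[iout + len] = 0;
    return len;
}

/* Constructed input: a 5-byte message followed by 'X' filler standing in for
 * whatever happens to sit after a short message in memory.  The output is
 * pre-filled with '#' so bytes the formatter never touched are visible. */
static void run_demo(int hardened, char *out)
{
    char backing[128];
    memset(backing, 'X', sizeof backing);
    memcpy(backing, "short", 6);            /* includes the NUL terminator */
    memset(out, '#', BUF_SIZE);
    if (hardened)
        format_fixed(out, "[IDAT]", backing);
    else
        format_vulnerable(out, "[IDAT]", backing);
}

/* Number of filler bytes that ended up in the output: anything above zero
 * means the formatter read beyond the message's terminator. */
int filler_bytes_copied(int hardened)
{
    char out[BUF_SIZE];
    size_t i, n = 0;
    run_demo(hardened, out);
    for (i = 0; i < sizeof out; i++)
        if (out[i] == 'X')
            n++;
    return (int)n;
}

/* Both forms produce the same visible string; the over-read is invisible to
 * a caller that only looks at the NUL-terminated result. */
int visible_message_matches(int hardened, const char *expected)
{
    char out[BUF_SIZE];
    run_demo(hardened, out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    printf("vulnerable: \"%s\", filler bytes copied past the terminator: %d\n",
           "[IDAT]: short", filler_bytes_copied(0));
    printf("fixed:      \"%s\", filler bytes copied past the terminator: %d\n",
           "[IDAT]: short", filler_bytes_copied(1));
    return 0;
}
```

The visible string is identical in both cases, which is why the bug went unnoticed: the damage is the 58 bytes read beyond the message, not the text the caller sees. With a message that ends close to the end of a heap allocation or a page, that read is the crash comment 1 rates as the realistic outcome.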
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-05-07 03:11:35 UTC
Created attachment 30917

New diff file for 1.2.5 including the patch
Tested : applies OK, compiles OK, works OK
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-05-07 03:13:57 UTC
Created attachment 30918

New diff file for libpng-1.0.15
Tested: applies OK, compiles OK, works? (I have no application using libpng1)

ebuilds libpng-1.2.5 and libpng-1.0.15 should be rev-bumped so that the security fix appears in the normal upgrade process
Comment 4 solar (RETIRED) gentoo-dev 2004-05-08 23:36:22 UTC

Updated in portage. All arches have libpng-1.2.5-r4.ebuild marked stable already.

KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 ppc64 s390"

Added both patches however.
It's up to you if you want to call for arch testing or not. I don't think you/we need to in this case.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-05-09 11:08:37 UTC
Can someone rev-bump to 1.2.5-r5 and 1.0.15-r2 so that the new diff file gets taken into account in the normal upgrade process ?
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-05-11 13:03:20 UTC
Ready for a GLSA
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-05-14 13:24:21 UTC
GLSA 200405-06