Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 503014 (CVE-2014-0333)

Summary: <media-libs/libpng-1.6.10: denial of service via png_push_read_chunk() (CVE-2014-0333)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1070985
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-02-28 08:23:01 UTC 
From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-0333 to
the following vulnerability:

Name: CVE-2014-0333
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0333
Assigned: 20131205
Reference: CONFIRM:ftp://ftp.simplesystems.org/pub/png/src/libpng16/patch-libpng16-vu684412.diff
Reference: https://sourceforge.net/projects/libpng/files/libpng16/patch-libpng16-vu684412.diff
Reference: CERT-VN:VU#684412
Reference: http://www.kb.cert.org/vuls/id/684412

The png_push_read_chunk function in pngpread.c in the progressive
decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause
a denial of service (infinite loop and CPU consumption) via an IDAT
chunk with a length of zero.


The upstream commit is here:

http://sourceforge.net/p/libpng/code/ci/713a20c57d344b558e48ad8be157c2dd751c8815/

Note that this only affects libpng 1.6.0 through 1.6.9.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-04-06 10:40:35 UTC 
Test and stabilize for this security bug:

=media-libs/libpng-1.6.10    alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Plus, amd64 and x86 should also stabilize:

=media-libs/libpng-1.5.18    amd64 x86
=media-libs/libpng-1.2.51    amd64 x86
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-04-06 14:29:24 UTC 
Stable for HPPA.
Comment 3 Markus Meier gentoo-dev 2014-04-07 19:41:07 UTC 
arm stable
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2014-04-11 09:07:27 UTC 
amd64/x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-04-13 11:08:08 UTC 
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-04-21 10:50:37 UTC 
alpha stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 20:12:11 UTC 
CVE-2014-0333 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0333):
  The png_push_read_chunk function in pngpread.c in the progressive decoder in
  libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of
  service (infinite loop and CPU consumption) via an IDAT chunk with a length
  of zero.
Comment 8 Agostino Sarubbo gentoo-dev 2014-05-11 08:10:11 UTC 
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-05-13 15:17:48 UTC 
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-05-14 16:11:31 UTC 
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2014-05-15 04:41:01 UTC 
Arches and Maintainer(s), Thank you for your work.

Added to new GLSA Request
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-08-14 14:33:05 UTC 
This issue was resolved and addressed in
 GLSA 201408-06 at http://security.gentoo.org/glsa/glsa-201408-06.xml
by GLSA coordinator Mikle Kolyada (Zlogene).