
Bug 56307

Summary: media-libs/libpng: buffer overflow due to loop offset values
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: vapier
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:063
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Attachments: Mandrake patch for CAN-2002-1363 (flags: none)

Description Thierry Carrez (RETIRED) gentoo-dev 2004-07-07 01:57:00 UTC
From the Mandrake advisory (http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:063):
A buffer overflow vulnerability was discovered in libpng due to a wrong calculation of some loop offset values. This buffer overflow can lead to Denial of Service or even remote compromise.
This vulnerability was initially patched in January of 2003, but it has since been noted that fixes were required in two additional places that had not been corrected with the earlier patch.

The OpenPKG advisory (http://www.openpkg.org/security/OpenPKG-SA-2004.030-png.html) lists several other affected packages:
<= doxygen-1.3.7-20040507 (app-doc/doxygen)
<= ghostscript-8.14-20040604 (app-text/ghostscript)
<= kde-qt-3.2.3-20040429 (?)
<= pdflib-5.0.3-20040625 (media-libs/pdflib)
<= perl-tk-5.8.4-20040622 (dev-perl/perl-tk)
<= qt-3.3.2-20040615 (x11-libs/qt)
<= rrdtool-1.0.48-20040513 (net-analyzer/rrdtool)
<= tetex-2.0.2-20040429 (app-text/tetex)
<= wx-2.4.2-20040425 (?)

I don't know which of them really include a vulnerable copy of libpng...
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-07-07 03:07:54 UTC
Created attachment 34898 [details, diff]
Mandrake patch for CAN-2002-1363

Mandrake and OpenPKG talk about "2 additional places" where a fix is required to
solve CAN-2002-1363. Here is the Mandrake patch (OpenPKG uses the same).

Note that the PNG team did not issue a corrected patch; the one at
http://www.libpng.org/pub/png/src/libpng-1.2.5-patch2-pngrtran.CAN-2002-1363.diff
is still incomplete.

We should merge this patch to the Gentoo patch.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-07-07 03:10:44 UTC
Mike: you did the last cleanups on this, could you apply the patch and bump?
Comment 3 SpanKY gentoo-dev 2004-07-07 07:38:35 UTC
version bumped to 1.2.5-r7 and made stable for all arches since -r6 was stable
and the patch changes very little
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-07-07 07:47:15 UTC
We probably don't have any other vulnerable package (since we link dynamically to libpng) so this is ready for a GLSA.
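One way to check the assumption in Comment 4 on an installed system, as an added example that is not part of this bug report or of any Gentoo tooling: scan binaries for libpng's embedded copyright banner (present only in statically bundled copies) versus a reference to the shared library. The banner regex, the shared-library regex and the "1.2.5 or older needs review" threshold are this example's assumptions; the banner cannot reveal a distribution patch or a Gentoo -rN revision.

```python
import re
import sys
from pathlib import Path

# Assumption for this example: libpng's png_get_copyright() embeds a banner
# of the form "libpng version 1.2.5 - October 3, 2002" in any binary that
# links the library statically. A binary that only uses the shared library
# instead carries a DT_NEEDED string such as "libpng12.so.0".
BANNER = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")
SHARED_REF = re.compile(rb"libpng(?:\d+)?\.so(?:\.\d+)*")

# Assumption for this example: a bundled copy at 1.2.5 or older needs a human
# to verify that the distribution patch was applied; the banner alone cannot
# show Gentoo's -r7 revision or a backported fix.
REVIEW_AT_OR_BELOW = (1, 2, 5)


def classify(data: bytes) -> dict:
    """Return which libpng versions are bundled in `data` (sorted, de-duplicated)
    and whether the file references the shared library instead."""
    bundled = sorted({tuple(int(x) for x in m.groups()) for m in BANNER.finditer(data)})
    return {"bundled": bundled, "dynamic": SHARED_REF.search(data) is not None}


def needs_review(data: bytes) -> bool:
    """True when a statically bundled copy is at or below the review threshold."""
    return any(v <= REVIEW_AT_OR_BELOW for v in classify(data)["bundled"])


def scan(root: str):
    """Walk `root` and yield (path, classification) for files mentioning libpng."""
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable or vanished file; skip rather than abort the scan
        result = classify(data)
        if result["bundled"] or result["dynamic"]:
            yield path, result


if __name__ == "__main__":
    for path, result in scan(sys.argv[1] if len(sys.argv) > 1 else "/usr/lib"):
        flag = "REVIEW" if needs_review(path.read_bytes()) else "ok"
        print(f"{flag:6} {path} bundled={result['bundled']} dynamic={result['dynamic']}")
```

Files flagged "ok" with dynamic=True pick up the fix through the updated media-libs/libpng package; only files with a bundled copy need package-by-package review.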
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-07-07 14:05:35 UTC
GLSA drafted: security please review
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-07-08 09:31:19 UTC
GLSA 200407-06