Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 604082 (CVE-2016-10087)

Summary: <media-libs/libpng-{1.2.57,1.5.28,1.6.27}: NULL pointer dereference
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system
Priority: Normal Flags: kensington: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2016/12/29/2
Whiteboard: A3 [glsa cve]
Package list:
=media-libs/libpng-1.2.57 amd64 x86 =media-libs/libpng-1.5.28 amd64 x86 =media-libs/libpng-1.6.27 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-29 21:23:26 UTC
From: https://sourceforge.net/p/png-mng/mailman/message/35575076/

libpng-1.6.27, 1.5.28, and 1.2.57, plus legacy libpng-1.0.67 and 1.4.20, and
1.7.0beta86 are available from ftp://ftp.simplesystems.org/pub/png/src
and from http://libpng.sf.net

These all fix a potential "NULL dereference" bug that has existed in libpng
since version 0.71 of June 26, 1995.  To be vulnerable, an application
has to load a text chunk into the png structure, then delete all text, then
add another text chunk to the same png structure, which seems to be
an unlikely sequence, but it has happened.

libpng.3 synopses (Eric S. Raymond).
  Fixed undefined behavior in png_push_save_buffer(). Do not call
    memcpy() with a null source, even if count is zero (Leon Scroggins III).
  Fixed a potential null pointer dereference in png_set_text_2() (bug report
    and patch by Patrick Keshishian).

Libpng 1.4.20 - December 29, 2016

  Fix typos in libpng.3 synopses (Eric S. Raymond).
  Fixed undefined behavior in png_push_save_buffer(). Do not call
    memcpy() with a null source, even if count is zero (Leon Scroggins III).
  Fixed a potential null pointer dereference in png_set_text_2() (bug report
    and patch by Patrick Keshishian).

Libpng 1.5.28 - December 29, 2016

  Merged with current libpng16 gregbook, pngvalid.c, pngtest.c, pngminim,
    pngminus
  Added "Common linking failures" section to INSTALL.
  Fixed undefined behavior in png_push_save_buffer(). Do not call
    memcpy() with a null source, even if count is zero (Leon Scroggins III).
  Merge contrib/pngminim/*/makefile with libpng-1.6.24
  Minor editing of INSTALL, (whitespace, added copyright line)
  Removed the use of a macro containing the pre-processor 'defined'
    operator.  It is unclear whether this is valid; a macro that
    "generates" 'defined' is not permitted, but the use of the word
    "generates" within the C90 standard seems to imply more than simple
    substitution of an expression itself containing a well-formed defined
    operation.
  Previously the pngtrans.c code always resulted in an unsigned arithmetic
    overflow. This is well defined but produces errors from clang with the
    option to detect unsigned overflow. As the expression only gets
    evaluated once per row in this version of libpng it is easier just
    to rewrite it.
  The previous version of png.c produced a signed overflow as a result of
    both the "& 0xffff" on the most significant bits of a negative argument;
    this converted (-1) into 65535 which resulted in a subsequent overflow.
    Since signed overflow is undefined in C90 the code has been modified to
    correctly calculate a signed result.  This requires changing the 'hi'
    result parameter to a signed value.
  Fixed a potential null pointer dereference in png_set_text_2() (bug report
    and patch by Patrick Keshishian).

Libpng 1.6.27 - December 29, 2016

  Control ADLER32 checking with new PNG_IGNORE_ADLER32 option.
  Removed the use of a macro containing the pre-processor 'defined'
    operator.  It is unclear whether this is valid; a macro that
    "generates" 'defined' is not permitted, but the use of the word
    "generates" within the C90 standard seems to imply more than simple
    substitution of an expression itself containing a well-formed defined
    operation.
  Added ARM support to CMakeLists.txt (Andreas Franek).
  Fixed a potential null pointer dereference in png_set_text_2() (bug report
    and patch by Patrick Keshishian).

Version 1.7.0beta86 [December 29, 2016]
  Ported CMakeLists.txt from libpng-1.6.27rc01.
  Fixed a potential null pointer dereference in png_set_text_2() (bug report
    and patch by Patrick Keshishian).
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-29 21:35:36 UTC
@ Arches,

please test and mark stable:

 =media-libs/libpng-1.2.57 amd64 x86

 =media-libs/libpng-1.5.28 amd64 x86

 =media-libs/libpng-1.6.27 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2016-12-30 16:48:43 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-01-01 13:12:21 UTC
ppc stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-02 10:05:54 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-03 10:51:12 UTC
ppc64 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-05 12:36:43 UTC
Stable on alpha.
Comment 7 Markus Meier gentoo-dev 2017-01-08 18:36:57 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-11 10:52:57 UTC
sparc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 11:08:34 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-17 14:40:44 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-01-17 16:24:52 UTC
commit 5d4b89c11bfa3bc098648152c2e08c3d574b08ce
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Jan 17 17:20:40 2017

    media-libs/libpng: Security cleanup (bug #604082).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-01-18 08:18:27 UTC
GLSA request filed
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-01-29 17:15:30 UTC
This issue was resolved and addressed in
 GLSA 201701-74 at https://security.gentoo.org/glsa/201701-74
by GLSA coordinator Thomas Deutschmann (whissi).