Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 866233 (CVE-2020-35511)

Summary: <media-gfx/pngcheck-3.0.3: global buffer overflow
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: maintainer-needed
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.libpng.org/pub/png/apps/pngcheck.html
Whiteboard: B3 [glsa? cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 896306    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-24 00:01:21 UTC 
CVE-2020-35511:

A global buffer overflow was discovered in pngcheck function in pngcheck-2.4.0(5 patches applied) via a crafted png file.

Of course, I have no idea if we're affected or what this even is. I've
asked RedHat for clarification.
Comment 1 Teika kazura 2022-12-16 00:42:24 UTC 
This report is obsolete now; we only have 3.0.2 in the portage tree.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-16 07:14:48 UTC 
In 3.0.3...
 
  *               UNTESTED, however!
  * 20210131 GRR: released version 3.0.2
  *               ----------------------
+ * 20210416 BB:  fixed a divide-by-zero crash bug (and probable vulnerability)
+ *               in interlaced images with extra compressed data beyond the
+ *               nominal end of the image data (found by "chiba of topsec alpha
+ *               lab")
+ * 20210425 GRR: released version 3.0.3
+ *               ----------------------
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-16 07:15:31 UTC 
(In reply to Teika kazura from comment #1)
> This report is obsolete now; we only have 3.0.2 in the portage tree.

The report, due to it being extremely vague, wasn't clear about what - if any - versions were fixed.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-16 07:16:18 UTC 
(In reply to Sam James from comment #2)
> In 3.0.3...
>  
>   *               UNTESTED, however!
>   * 20210131 GRR: released version 3.0.2
>   *               ----------------------
> + * 20210416 BB:  fixed a divide-by-zero crash bug (and probable
> vulnerability)
> + *               in interlaced images with extra compressed data beyond the
> + *               nominal end of the image data (found by "chiba of topsec
> alpha
> + *               lab")
> + * 20210425 GRR: released version 3.0.3
> + *               ----------------------

Site has a banner for it:
"""
pngcheck versions 3.0.2 and earlier have a divide-by-zero bug when zlib-decoding interlaced PNGs with extra data beyond what is required for the declared image dimensions. This bug is fixed in version 3.0.3, released on 25 April 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk. 
"""

I'm going to assume that it was either this or an earlier vuln.
Comment 5 Larry the Git Cow gentoo-dev 2022-12-16 07:18:12 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34564839cadebb24c14385ce59055d7c5ead97c2

commit 34564839cadebb24c14385ce59055d7c5ead97c2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-16 07:16:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-16 07:16:40 +0000

    media-gfx/pngcheck: add 3.0.3
    
    Bug: https://bugs.gentoo.org/866233
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/pngcheck/Manifest              |  1 +
 media-gfx/pngcheck/pngcheck-3.0.3.ebuild | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)