** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **
Libpng-1.2.34 ADVISORY 19 February 2009
A vulnerability has been reported in libpng-1.2.34.
The bug is of the form
    malloc an array of N element pointers
    for (i=0; i<N; i++)
        element[i] = malloc(...)   /* may fail partway through the loop */
If the application runs out of memory during the
loop, some of the element pointers will be uninitialized.
Libpng will then longjmp to a cleanup process that
attempts to free all of the elements in the array,
including the uninitialized ones. This behavior
could be forced by a malevolent input.
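The allocation pattern described above, as an added illustration that is not code from the advisory or from libpng: a fault-injecting allocator (budgeted_malloc, constructed here) fails after a fixed number of calls, the fill loop longjmps to a cleanup handler exactly as the advisory describes, and the handler walks every slot. The vulnerable shape leaves the unreached slots holding whatever malloc() handed back (emulated with a GARBAGE sentinel so the demo counts the bogus frees instead of corrupting the heap); the hardened shape NULLs every slot before the first element allocation, so free(NULL) makes the same cleanup harmless. The function names fill_rows_vulnerable and fill_rows_hardened are assumptions for this example.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fault-injecting allocator (constructed for this example): succeeds for the
 * first `alloc_budget` calls, then returns NULL; -1 means unlimited. */
static int alloc_budget = -1;

static void *budgeted_malloc(size_t n)
{
    if (alloc_budget == 0)
        return NULL;
    if (alloc_budget > 0)
        alloc_budget--;
    return malloc(n);
}

/* Stands in for whatever stale bytes malloc() happens to hand back; the
 * vulnerable pattern leaves the unreached slots holding such garbage. */
static char garbage_marker;
#define GARBAGE ((void *)&garbage_marker)

/* Mirrors the libpng error path the advisory describes: an allocation
 * failure longjmps back to the caller's setjmp, where cleanup runs. */
static jmp_buf err_jmp;
static void png_error_sim(void) { longjmp(err_jmp, 1); }

/* Shared body. `init_slots` selects the vulnerable shape (0: slots left as
 * found) or the hardened shape (1: slots NULLed before any element alloc).
 * Returns how many slots the cleanup would have passed to free() without
 * them ever having been allocated (the bogus frees), or -1 if the array
 * itself could not be allocated. Garbage slots are counted, not freed. */
static int fill_rows(int n, int budget, int init_slots)
{
    void **rows = budgeted_malloc((size_t)n * sizeof *rows);
    int bogus = 0;
    if (rows == NULL)
        return -1;

    /* Emulate uninitialised heap contents in every slot. */
    for (int i = 0; i < n; i++)
        rows[i] = GARBAGE;
    if (init_slots)
        memset(rows, 0, (size_t)n * sizeof *rows); /* the mitigation */

    alloc_budget = budget;
    if (setjmp(err_jmp) == 0) {
        for (int i = 0; i < n; i++) {
            rows[i] = budgeted_malloc(64);
            if (rows[i] == NULL)
                png_error_sim(); /* out of memory mid-loop */
        }
    }
    /* Cleanup handler: frees every slot, including never-reached ones. */
    for (int j = 0; j < n; j++) {
        if (rows[j] == GARBAGE)
            bogus++; /* real code would call free() on garbage here */
        else
            free(rows[j]); /* free(NULL) is defined to be a no-op */
    }
    free(rows);
    alloc_budget = -1;
    return bogus;
}

int fill_rows_vulnerable(int n, int budget) { return fill_rows(n, budget, 0); }
int fill_rows_hardened(int n, int budget)   { return fill_rows(n, budget, 1); }

int main(void)
{
    /* 8 rows, allocator fails on the 4th element: slots 4..7 are never reached. */
    printf("vulnerable: %d bogus frees\n", fill_rows_vulnerable(8, 3));
    printf("hardened:   %d bogus frees\n", fill_rows_hardened(8, 3));
    return 0;
}
```

With eight rows and an allocator that fails on the fourth element, the vulnerable shape hands four never-allocated pointers to the cleanup handler while the hardened shape hands it none; the only difference between the two is the memset before the fill loop, which is why zeroing (or calloc) of pointer arrays that may be freed from an error path is the check to look for when auditing this pattern.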
There are 5 instances of the bug in libpng-1.2.34.
One is in "png_read_png()". Only applications
that explicitly call png_read_png() are vulnerable.
Another is in the handler for the pCAL chunk. Any
application that does not disable pCAL chunk handling
via a call to "set_keep_unknown_chunks()" is vulnerable.
Three others are in code that sets up 16-bit gamma
tables. All applications are probably vulnerable
to these, even if they use png_set_strip_16() to
reduce 16-bit input to 8-bits, because of the order
in which libpng does its transformations.
In fact, all versions since libpng-0.89c contain
at least the 16-bit gamma-table bugs, and all
versions since libpng-1.0.6 contain the png_read_png()
bug. The pCAL decoding bug has existed since
The PNG group recommends upgrading to libpng-1.0.43
or libpng-1.2.35. For persons wishing to continue
using older versions, we are providing a patch along
with the new libpng distributions that will work
against versions 1.0.19 through 1.0.42 and 1.2.9
through 1.2.34. Anyone wishing to use still older
libpng versions will have to modify the patch slightly.
This is already out.
vapier, you're fast as hell again. OK for fast-tracked stabling today, or do you want to give it one more test run?
I'm not going to do any extended testing ... might as well let the arch testers give it a spin
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
Stable on alpha.
Did anyone check if optipng (includes libpng 1.2.33) is affected as well?
GLSA together with bug 244808.