Bug 373967 (CVE-2011-2501) - <media-libs/libpng-{1.2.45,1.4.8}: denial of service vulnerability in png_format_buffer() (CVE-2011-{2501,2690,2691,2692})
Summary: <media-libs/libpng-{1.2.45,1.4.8}: denial of service vulnerability in png_for...
Status: RESOLVED FIXED
Alias: CVE-2011-2501
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://libpng.git.sourceforge.net/git...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks: 374635
Reported: 2011-07-03 23:42 UTC by Tim Sammut (RETIRED)
Modified: 2012-06-22 11:07 UTC

See Also:
Package list:
Runtime testing required: ---


Description Tim Sammut (RETIRED) gentoo-dev 2011-07-03 23:42:09 UTC
Fix at $URL. From the Secunia advisory at http://secunia.com/advisories/45046/:

A vulnerability has been reported in libpng, which can be exploited
by malicious people to cause a DoS (Denial of Service) in an
application using the library.

The vulnerability is caused due to an off-by-one error in the
"png_format_buffer()" function in pngerror.c when parsing a PNG image
file and can be exploited to cause a crash.
Comment 1 Pacho Ramos gentoo-dev 2011-07-04 10:55:00 UTC
Was this even reported to libxml2 upstream? I couldn't find any bug report in bugzilla.gnome.org or any commit fixing this in their git :-/
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-07-04 16:19:05 UTC
(In reply to comment #1)
> Was this even reported to libxml2 upstream? I couldn't find any bug report in
> bugzilla.gnome.org or any commit fixing this in their git :-/

My mistake, this is libpng not libxml2. Sorry about that. ;)
Comment 3 Sylvia 2011-07-07 22:53:36 UTC
In redhat bugzilla - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2501

assigned CVE-2011-2501

fixed in upstream:

libpng 1.2.45
libpng 1.4.8
libpng 1.5.4

please bump
Comment 4 Samuli Suominen gentoo-dev 2011-07-08 12:25:04 UTC
(In reply to comment #3)
> In redhat bugzilla - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2501
> 
> assigned CVE-2011-2501
> 
> fixed in upstream:
> 
> libpng 1.2.45
> libpng 1.4.8

These are now in Portage. Make sure to test the apng format because libpng-1.4.8 is using libpng-1.4.7's apng patch.

> libpng 1.5.4

Not in Portage yet, but because it's KEYWORDS="", it doesn't block handling this security bug in any way. Will add it as soon as the matching apng patch is out.

Thanks, Samuli
Comment 5 Samuli Suominen gentoo-dev 2011-07-08 13:01:45 UTC
Test (like, really test that apng patch with 1.4.8) and stabilize:

=media-libs/libpng-1.4.8 "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=media-libs/libpng-1.2.45 "amd64 hppa ppc ppc64 x86"

No idea why hppa/ppc/ppc64 have stable keywords in SLOT="1.2" but oh well ...
Comment 6 Agostino Sarubbo gentoo-dev 2011-07-08 18:52:08 UTC
On amd64 both versions work as expected.
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-07-09 08:04:07 UTC
libpng-1.4.8 is now ppc/ppc64 stable, keywords dropped from :1.2
Comment 8 Myckel Habets archtester 2011-07-09 15:03:16 UTC
How do I test specifically against libpng-1.2 on x86?

All the software on my system already uses libpng-1.4 (all packages have requirement for libpng-1.2 or higher).
Comment 9 Samuli Suominen gentoo-dev 2011-07-09 15:17:14 UTC
(In reply to comment #8)
> How do I test specifically against libpng-1.2 on x86?

Pick a binary-only application like nxclient, dialogblocks or eagle...

egrep -e "libpng.*1.2" $(portageq portdir)/*/*/*.ebuild | grep -v ">"

...for more ideas.
Comment 10 Myckel Habets archtester 2011-07-10 07:08:27 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > How do I test specifically against libpng-1.2 on x86?
> 
> Pick a binary-only application like nxclient, dialogblocks or eagle...
> 
> egrep -e "libpng.*1.2" $(portageq portdir)/*/*/*.ebuild | grep -v ">"
> 
> ...for more ideas.

Thank you for that.

Both versions ok for x86.
Comment 11 Jeroen Roovers gentoo-dev 2011-07-11 01:57:23 UTC
(In reply to comment #5)
> =media-libs/libpng-1.2.45 "amd64 hppa ppc ppc64 x86"
> 
> No idea why hppa/ppc/ppc64 has stable keywords in SLOT="1.2" but oh well ...

  04 Jul 2010; Samuli Suominen <ssuominen@gentoo.org> libpng-1.2.44.ebuild,
  libpng-1.4.3.ebuild:
  ppc64 stable wrt #324153

You probably had good reasons at the time.
Comment 12 Ian Delaney (RETIRED) gentoo-dev 2011-07-11 08:33:04 UTC
amd64 all ok
Comment 13 Tony Vroon gentoo-dev 2011-07-11 08:39:44 UTC
+  11 Jul 2011; Tony Vroon <chainsaw@gentoo.org> libpng-1.2.45.ebuild,
+  libpng-1.4.8.ebuild:
+  Marked stable on AMD64 based on arch testing by Ian Delaney, for security bug
+  #373697 by Tim Sammut.
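Review bot: the bug number in this ChangeLog entry, #373697, does not match this bug's id, 373967 (see the page title); the digits are transposed, so the entry points at the wrong bug and should be corrected to "#373967 by Tim Sammut".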
Comment 14 Thomas Kahle (RETIRED) gentoo-dev 2011-07-12 12:38:57 UTC
x86 stable. Many thanks Myckel.
Comment 15 Jeroen Roovers gentoo-dev 2011-07-12 20:20:26 UTC
Stable for HPPA.
Comment 16 Markus Meier gentoo-dev 2011-07-13 19:57:53 UTC
arm stable
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2011-07-16 15:56:05 UTC
alpha/ia64/m68k/s390/sh/sparc stable
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 21:13:40 UTC
Thanks, everyone. GLSA request filed.
Comment 19 Tim Sammut (RETIRED) gentoo-dev 2011-08-30 05:28:43 UTC
From http://libpng.org/pub/png/libpng.html, it looks like these issues are fixed in 1.2.45 and 1.4.8 too.

All released versions of libpng (from 1.0 onward) have a buffer overrun in the code that promotes palette images with transparency (1 channel) to grayscale+alpha images (2 channels), but only for applications that call png_rgb_to_gray() and not png_set_expand(). (None are known.) An arbitrary amount of memory may be overwritten in this case, with arbitrary (attacker-controlled) data. This vulnerability has been assigned ID CVE-2011-2690.

libpng 1.2.20 and later crashes in png_default_error() due to internal use of a NULL pointer instead of the empty string (""). This vulnerability has been assigned ID CVE-2011-2691.

Many (most?) versions of libpng read uninitialized memory when handling empty sCAL chunks, and they handle malformed sCAL chunks (those lacking a delimiting NULL between the internal strings) incorrectly. This vulnerability has been assigned ID CVE-2011-2692.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2011-09-02 17:09:09 UTC
CVE-2011-2692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2692):
  The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55,
  1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not
  properly handle invalid sCAL chunks, which allows remote attackers to cause
  a denial of service (memory corruption and application crash) or possibly
  have unspecified other impact via a crafted PNG image that triggers the
  reading of uninitialized memory.

CVE-2011-2691 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2691):
  The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x
  before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function
  call using a NULL pointer argument instead of an empty-string argument,
  which allows remote attackers to cause a denial of service (application
  crash) via a crafted PNG image.

CVE-2011-2690 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2690):
  Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x
  before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls
  the png_rgb_to_gray function but not the png_set_expand function, allows
  remote attackers to overwrite memory with an arbitrary amount of data, and
  possibly have unspecified other impact, via a crafted PNG image.

CVE-2011-2501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2501):
  The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55,
  1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows
  remote attackers to cause a denial of service (application crash) via a
  crafted PNG image that triggers an out-of-bounds read during the copying of
  error-message data.  NOTE: this vulnerability exists because of a
  CVE-2004-0421 regression.
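The malformed sCAL handling that CVE-2011-2692 above describes (empty chunks, and chunks lacking the NUL between the two internal strings), shown as an added, constructed example rather than libpng's own code: a bounds-checked validator for the sCAL payload that rejects both cases instead of reading past the chunk. It assumes the PNG sCAL layout (one unit byte, an ASCII width string, a NUL separator, an ASCII height string); the names validate_scal and is_ascii_number are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result of validating one sCAL payload (chunk data only, without the
 * length/type/CRC framing). Constructed example, not libpng's code. */
enum scal_result {
    SCAL_OK = 0,
    SCAL_EMPTY,        /* zero-length payload: nothing to parse */
    SCAL_BAD_UNIT,     /* unit byte must be 1 (meter) or 2 (radian) */
    SCAL_NO_SEPARATOR, /* no NUL between the width and height strings */
    SCAL_BAD_NUMBER    /* width or height is not a non-empty ASCII number */
};

/* Simplified check for the ASCII floating-point strings sCAL carries:
 * non-empty, at least one digit, only characters a decimal number uses. */
static int is_ascii_number(const uint8_t *s, size_t n)
{
    int digits = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = s[i];
        if (c >= '0' && c <= '9')
            digits++;
        else if (c != '.' && c != '+' && c != '-' && c != 'e' && c != 'E')
            return 0;
    }
    return digits > 0;
}

/* Validate an sCAL payload of exactly len bytes. Every access is bounded
 * by len, so empty or separator-less chunks are rejected, not read past. */
enum scal_result validate_scal(const uint8_t *data, size_t len)
{
    if (len == 0)
        return SCAL_EMPTY;
    if (data[0] != 1 && data[0] != 2)
        return SCAL_BAD_UNIT;
    const uint8_t *width = data + 1;
    /* memchr is bounded by the remaining bytes: a missing separator yields
     * NULL rather than a scan into whatever memory follows the chunk. */
    const uint8_t *sep = memchr(width, 0, len - 1);
    if (sep == NULL)
        return SCAL_NO_SEPARATOR;
    size_t wlen = (size_t)(sep - width);
    size_t hlen = len - 2 - wlen;   /* bytes after the separator */
    if (!is_ascii_number(width, wlen) || !is_ascii_number(sep + 1, hlen))
        return SCAL_BAD_NUMBER;
    return SCAL_OK;
}
```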
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2012-06-22 11:07:01 UTC
This issue was resolved and addressed in
 GLSA 201206-15 at http://security.gentoo.org/glsa/glsa-201206-15.xml
by GLSA coordinator Sean Amoss (ackle).