Bug 307637 (CVE-2010-0205) - <media-libs/libpng-1.2.43: Ancillary Chunks "Decompression Bomb" Denial of Service (CVE-2010-0205)
Status: RESOLVED FIXED
Alias: CVE-2010-0205
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/38774/
Whiteboard: A3 [glsa]
Keywords:
Depends on: libpng-1.4
Blocks:
Reported: 2010-03-03 16:27 UTC by Tobias Heinlein (RETIRED)
Modified: 2010-10-06 07:12 UTC
Description Tobias Heinlein (RETIRED) gentoo-dev 2010-03-03 16:27:18 UTC
From $URL:

Description
A vulnerability has been reported in libpng, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to the library using large amount of CPU and memory resources when processing certain highly compressed ancillary chunks, which can be exploited to cause a DoS by tricking an application using the library into processing a specially crafted PNG file.

The vulnerability is reported in versions prior to 1.0.53, 1.2.43, and 1.4.1.

Solution
Update to version 1.0.53, 1.2.43, and 1.4.1 and follow the vendor's instructions to increase protection against the so-called "decompression bombs":
Further details available in Customer Area

Provided and/or discovered by
Reported by the PNG Development Group after encountering a malformed image in the wild.

Original Advisory
http://libpng.sourceforge.net/ADVISORY-1.4.1.html
http://libpng.sourceforge.net/decompression_bombs.html
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-03 16:28:08 UTC
base-system, please provide an updated ebuild.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-04 10:22:52 UTC
CVE-2010-0205 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0205):
  The png_decompress_chunk function in pngrutil.c in libpng 1.0.x
  before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not
  properly handle compressed ancillary-chunk data that has a
  disproportionately large uncompressed representation, which allows
  remote attackers to cause a denial of service (memory and CPU
  consumption, and application hang) via a crafted PNG file, as
  demonstrated by use of the deflate compression method on data
  composed of many occurrences of the same character, related to a
  "decompression bomb" attack.
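The Secunia text above and the CVE entry describe the same mechanism: a zlib stream inside a compressed ancillary chunk (zTXt, iTXt, iCCP) that is a few kilobytes on disk but inflates to tens of megabytes of one repeated byte, which an unbounded reader will dutifully allocate and fill. The following is an added example, not code from this bug, from Secunia, or from libpng itself, written in Python against the PNG chunk format. It builds a constructed 1x1 PNG carrying such a zTXt chunk, reads it once the pre-fix way (inflate everything) and once with a cap on inflated size, which is the shape of the limit the vendor's decompression-bombs page asks integrators to apply. The keyword "Comment", the 20 MB target size and the helper names are choices made here for illustration.

```python
"""Decompression-bomb zTXt chunk: construction, naive read, bounded read.
All data is constructed inline; no real image or attacker file is used."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_ztxt_bomb(inflated_bytes: int, keyword: bytes = b"Comment") -> bytes:
    """Minimal 1x1 8-bit grayscale PNG whose zTXt text inflates to
    inflated_bytes. zTXt layout: keyword, NUL, compression method 0 (deflate),
    zlib stream. The text is one character repeated, as in the CVE text."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter 0 + one sample
    payload = zlib.compress(b"A" * inflated_bytes, 9)
    ztxt = keyword + b"\x00" + b"\x00" + payload
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"zTXt", ztxt)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data) per chunk, checking the signature and every CRC."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r" % ctype)
        yield ctype, data
        pos += 12 + length


def ztxt_on_disk_size(png: bytes) -> int:
    """Bytes the zTXt chunk(s) occupy in the file, to compare with inflation."""
    return sum(len(d) for t, d in iter_chunks(png) if t == b"zTXt")


def read_ztxt_unbounded(png: bytes) -> int:
    """Pre-fix behaviour: inflate every zTXt fully, whatever it expands to.
    Returns the total inflated byte count, i.e. memory the reader ends up holding."""
    total = 0
    for ctype, data in iter_chunks(png):
        if ctype == b"zTXt":
            _, rest = data.split(b"\x00", 1)
            total += len(zlib.decompress(rest[1:]))
    return total


def read_ztxt_bounded(png: bytes, max_inflated: int) -> list:
    """Hardened reader: inflate incrementally, never producing more than
    max_inflated + 1 bytes, and drop any chunk that would exceed the cap or
    does not end cleanly. zTXt is ancillary, so a dropped chunk is reported as
    (keyword, None) and the image itself is still usable."""
    out = []
    for ctype, data in iter_chunks(png):
        if ctype != b"zTXt":
            continue
        keyword, rest = data.split(b"\x00", 1)
        if rest[:1] != b"\x00":  # only compression method 0 is defined
            out.append((keyword, None))
            continue
        d = zlib.decompressobj()
        text = d.decompress(rest[1:], max_inflated + 1)  # output is capped here
        if len(text) > max_inflated or not d.eof:
            out.append((keyword, None))  # bomb, truncated or oversized: dropped
        else:
            out.append((keyword, text))
    return out


if __name__ == "__main__":
    bomb = make_ztxt_bomb(20_000_000)
    print("zTXt bytes on disk:", ztxt_on_disk_size(bomb))
    print("naive reader inflates:", read_ztxt_unbounded(bomb))
    print("bounded reader (1 MB cap):", read_ztxt_bounded(bomb, 1_000_000))
```

The bounded reader relies on `zlib.decompressobj().decompress(data, max_length)` returning no more than `max_length` bytes, so the cap is enforced by the inflater rather than checked after the fact; a reader that inflates first and measures afterwards has already paid the memory and CPU cost the advisory warns about. The same pattern applies to iTXt and iCCP, and the cap should be set relative to what the application actually needs from the chunk rather than to the available memory.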

Comment 3 SpanKY gentoo-dev 2010-03-06 23:43:47 UTC
libpng 1.2.43 now in the tree
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-09 22:22:33 UTC
Adding tracker bug for >=media-libs/libpng-1.4.0 problems.

Only 308617 is left there, can someone fix that or might it still be OK to go stable with 1.2.43?

Please advise.
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2010-05-10 14:04:05 UTC
amd64 and x86 should stabilize this for binary packages for use with libpng-1.4:

media-libs/libpng-1.2.43-r1 -> amd64 x86

everyone should mark this stable, normal libpng ebuild,

media-libs/libpng-1.2.43-r2 -> alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86
Comment 6 Brent Baude (RETIRED) gentoo-dev 2010-05-10 15:48:09 UTC
ppc64 done
Comment 7 Samuli Suominen (RETIRED) gentoo-dev 2010-05-10 19:41:55 UTC
amd64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-05-10 20:36:49 UTC
Stable for HPPA.
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2010-05-11 18:46:03 UTC
Marked ppc stable.
Comment 10 Robert Clark 2010-05-12 02:15:32 UTC
Should the 1.2.43-r2 ebuild be slotted for "1.2" instead of "0" ?
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2010-05-12 18:29:51 UTC
alpha/arm/ia64/m68k/s390/sh/sparc/x86 stable
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2010-09-28 18:22:37 UTC
GLSA with #324153
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2010-10-06 07:12:33 UTC
GLSA 201010-01