https://bugzilla.novell.com/show_bug.cgi?id=272641
Summary: VUL-0: libpng: denial-of-service
Product: openSUSE 10.2
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: nadvornik@novell.com
ReportedBy: thomas@novell.com
QAContact: qa@suse.de
CC: security-team@suse.de, patch-request@suse.de
Hello Vladimir,
a bug in libpng leads to a crash in the application using it. It can be
considered a security bug.
From: Tavis Ormandy
To: vendor-sec@lst.de
Mail-Followup-To: vendor-sec@lst.de
User-Agent: Mutt/1.5.13 (2006-08-11)
Subject: [vendor-sec] [glennrp@comcast.net: security bug in png_handle_tRNS]
Errors-To: vendor-sec-admin@lst.de
Date: Sat, 5 May 2007 12:56:05 +0100
----- Forwarded message from Glenn Randers-Pehrson -----
Date: Sat, 05 May 2007 04:55:59 -0400
Subject: security bug in png_handle_tRNS
Please keep this close-held until libpng-1.2.17 has been released.
A security bug has been reported to mozilla.
It seems that a grayscale image with a malformed (bad CRC) tRNS chunk
will crash libpng and mozilla. In my experience it also brought down
my Windows display manager.
The reason is that png_ptr->num_trans is set to 1 and then there is
an error return after checking the CRC, so the trans[] array is never
allocated. Since png_ptr->num_trans is nonzero, libpng tries to use
the array later. Here is the fix, thanks to Mats Palmgren:
At line 1316 of pngrutil.c, change
if (png_crc_finish(png_ptr, 0))
return;
to
if (png_crc_finish(png_ptr, 0))
{
png_ptr->num_trans = 0;
return;
}
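Review bot: the fix compensates for the error path but leaves the root cause in place, namely that `png_ptr->num_trans = 1` is written before `png_crc_finish()` has accepted the chunk. Moving the assignment to after the CRC check (update reader state only once the chunk is known to be valid) would remove the need for the reset on the return path and makes it impossible for a later error return in the same window to reintroduce a stale `num_trans` with an unallocated `trans[]`. It is also worth confirming that the non-grayscale branches of `png_handle_tRNS` do not set `num_trans` ahead of the same check.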
Libpng-1.2.17rc1 does not contain this fix.
Glenn
----- End forwarded message -----
--
-------------------------------------
taviso@sdf.lonestar.org | finger me for my pgp key.
-------------------------------------------------------
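The failure mode Glenn describes above is a state-consistency bug: a count field is updated before the data it counts has been validated and allocated, and a consumer later trusts the count. The following is an added C example, not libpng's code; the `reader_state` struct, the `handle_trns_gray()` and `later_use_would_crash()` functions and the constructed tRNS chunk bytes are stand-ins written for this page (libpng's real grayscale handling stores the transparent gray level in a separate field, so this follows the e-mail's description rather than libpng's exact data layout). It builds a grayscale tRNS chunk, corrupts its CRC the way the report describes, and runs the original control flow beside the patched one so the stale `num_trans` / NULL `trans[]` combination can be observed instead of crashing the process.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical stand-in for the libpng reader state this bug touches. */
typedef struct {
    uint16_t num_trans;   /* number of entries the consumer expects in trans[] */
    uint8_t *trans;       /* allocated only when the tRNS chunk is accepted */
    uint16_t trans_gray;  /* gray level that is transparent (grayscale images) */
} reader_state;

/* Standard CRC-32 with the polynomial PNG uses; bitwise, table-free. */
static uint32_t crc32_png(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Chunk layout: type (4 bytes) + data (data_len bytes) + CRC (4 bytes, big-endian).
 * Returns nonzero when the stored CRC does not match, like png_crc_finish(). */
static int crc_finish(const uint8_t *chunk, size_t data_len)
{
    uint32_t computed = crc32_png(chunk, 4 + data_len);
    const uint8_t *p = chunk + 4 + data_len;
    uint32_t stored = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                      ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return computed != stored;
}

/* Grayscale tRNS: data is a 2-byte gray level and num_trans becomes 1.
 * fixed == 0 reproduces the original control flow, fixed == 1 the patched one. */
static void handle_trns_gray(reader_state *png, const uint8_t *chunk,
                             size_t data_len, int fixed)
{
    png->trans_gray = (uint16_t)(((uint16_t)chunk[4] << 8) | chunk[5]);
    png->num_trans = 1;                   /* written before the CRC is verified */
    if (crc_finish(chunk, data_len)) {
        if (fixed)
            png->num_trans = 0;           /* the one-line fix from the e-mail */
        return;                           /* trans[] is never allocated here */
    }
    png->trans = malloc(png->num_trans);  /* accepted chunk: allocate the table */
    if (png->trans)
        png->trans[0] = 0;
}

/* Later consumer that trusts num_trans to mean trans[] exists.
 * Returns 1 where real code would index trans[] through a NULL pointer. */
static int later_use_would_crash(const reader_state *png)
{
    return png->num_trans != 0 && png->trans == NULL;
}

/* Build a grayscale tRNS chunk (constructed sample bytes), optionally corrupt
 * its CRC by one bit, run the handler, and report whether later use would crash. */
static int simulate(int fixed, int corrupt_crc)
{
    uint8_t chunk[4 + 2 + 4] = { 't', 'R', 'N', 'S', 0x00, 0x7F, 0, 0, 0, 0 };
    uint32_t crc = crc32_png(chunk, 6);
    if (corrupt_crc)
        crc ^= 1u;                        /* malformed CRC, as in the report */
    chunk[6] = (uint8_t)(crc >> 24); chunk[7] = (uint8_t)(crc >> 16);
    chunk[8] = (uint8_t)(crc >> 8);  chunk[9] = (uint8_t)crc;

    reader_state png = { 0, NULL, 0 };
    handle_trns_gray(&png, chunk, 2, fixed);
    int crash = later_use_would_crash(&png);
    free(png.trans);
    return crash;
}

int main(void)
{
    printf("bad CRC, original: %s\n", simulate(0, 1) ? "num_trans stale, trans[] NULL" : "ok");
    printf("bad CRC, patched:  %s\n", simulate(1, 1) ? "still broken" : "num_trans reset, ok");
    printf("good CRC, patched: %s\n", simulate(1, 0) ? "broken" : "trans[] allocated, ok");
    return 0;
}
```

The point to take from the example is in `handle_trns_gray()`: the reset on the error path repairs the observable symptom, but the safer shape is to write `num_trans` only after the chunk has passed validation, so that no error return between the two statements can leave the count and the allocation disagreeing.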