[CAN-2004-0597, CAN-2004-0598, CAN-2004-0599] stack-based buffer overflow and other code concerns
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libpng (Debian) | Fix Released | Unknown | |
libpng (Ubuntu) | Invalid | High | Unassigned |
Bug Description
Automatically imported from Debian bug report #263500 http://
In Debian Bug tracker #263500, J.H.M. Dassen (Ray) (fsmla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #3 |
Message-ID: <email address hidden>
Date: Wed, 4 Aug 2004 21:46:21 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: [CAN-2004-0597, CAN-2004-0598,
CAN-2004-0599] stack-based buffer overflow and other code concerns
Package: libpng, libpng3
Version: 1.2.5.0-6
Severity: grave
Tags: security upstream woody sarge sid patch
Justification: Remotely exploitable stack-based buffer overrun
http://
-------
CESA-2004-001 - rev 3
libPNG 1.2.5 stack-based buffer overflow and other code concerns
=======
Programs : libpng users including mozilla, konqueror, various e-mail
Severity : - A malicious website serving a malicious PNG file could
CAN identifier(s): CAN-2004-0597 (the serious one), CAN-2004-0598,
CERT VU#s : VU#388984 (the serious one), VU#236656, VU#160448,
This advisory lists code flaws discovered by inspection of the libpng-1.2.5
code. Only the first one has been examined in practice to confirm
exploitability. The other flaws certainly warrant fixing.
A patch which should plug all these issues is appended beneath the advisory.
NOTE! This patch serves as demo purposes for the flaws only. An official
v1.2.6 libpng with an official, slightly different fix will be released by
the libpng team in parallel with this advisory.
1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS
(pngrutil.c)
If a PNG file is of the correct format, a length check on PNG data is missed
prior to filling a buffer on the stack from the PNG data. The exact flaw would
seem to be a logic error; failure to bail out of a function after a warning
condition is hit, here:
   if (!(png_ptr->mode & PNG_HAVE_PLTE))
   {
      /* Should be an error, but we can cope with it */
   }
   else if (length > (png_uint_
   {
      return;
   }
We can see, if the first warning condition is hit, the length check is missed
due to the use of an "else if".
A PNG crafted to trip this is available at
http://
It crashes both mozilla and konqueror.
A scarier possibility is targeted exploitation by e-mailing a nasty PNG to
someone who uses a graphical e-mail client to...
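As an added illustration (not libpng's code and not part of the original thread), the control-flow shape the advisory describes beside a version that bounds the length on every path; the PNG_HAVE_PLTE stand-in, the buffer size and all function names are constructed for this example:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for libpng's values; assumed, not copied from pngrutil.c. */
#define HAVE_PLTE       0x02u   /* plays the role of PNG_HAVE_PLTE */
#define TRNS_BUF_SIZE   256u    /* capacity of the fixed stack buffer tRNS fills */

/* Vulnerable shape: because the length test hangs off an "else if", a file
 * with no PLTE chunk takes the warning branch and never reaches the test.
 * Returns true when the chunk length would be accepted for copying. */
static bool trns_len_ok_buggy(unsigned mode, uint32_t num_palette, uint32_t length)
{
    if (!(mode & HAVE_PLTE)) {
        /* "Should be an error, but we can cope with it": warning, no return */
    } else if (length > num_palette) {
        return false;           /* rejected: longer than the palette */
    }
    return true;                /* no-PLTE path arrives here with length unchecked */
}

/* Hardened shape: the length is bounded on every path, first against the
 * buffer's own capacity and, when a palette was seen, against its size. */
static bool trns_len_ok_fixed(unsigned mode, uint32_t num_palette, uint32_t length)
{
    if (length > TRNS_BUF_SIZE)
        return false;           /* never let chunk data size a fixed stack buffer */
    if ((mode & HAVE_PLTE) && length > num_palette)
        return false;
    return true;
}

/* A chunk would overrun the buffer when the check accepts it although it is
 * larger than the buffer; this models the outcome without performing a copy. */
static bool would_overflow(bool (*check)(unsigned, uint32_t, uint32_t),
                           unsigned mode, uint32_t num_palette, uint32_t length)
{
    return check(mode, num_palette, length) && length > TRNS_BUF_SIZE;
}

int main(void)
{
    /* Constructed case matching the advisory: no PLTE seen, oversized tRNS. */
    printf("no PLTE, length 4096: buggy overflows=%d fixed overflows=%d\n",
           would_overflow(trns_len_ok_buggy, 0, 0, 4096),
           would_overflow(trns_len_ok_fixed, 0, 0, 4096));
    /* With a 16-entry palette both versions reject a 300-byte tRNS. */
    printf("PLTE(16), length 300: buggy accepts=%d fixed accepts=%d\n",
           trns_len_ok_buggy(HAVE_PLTE, 16, 300),
           trns_len_ok_fixed(HAVE_PLTE, 16, 300));
    return 0;
}
```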
In Debian Bug tracker #263500, Matt Zimmerman (mdz) wrote : DSA | #4 |
The advisory is nearly ready to go out, waiting on one last mips build.
--
- mdz
Debian Bug Importer (debzilla) wrote : | #5 |
Message-ID: <email address hidden>
Date: Wed, 4 Aug 2004 22:51:53 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: <email address hidden>
Subject: Re: [CAN-2004-0597, CAN-2004-0598,
CAN-2004-0599] stack-based buffer overflow and other code concerns
On Wed, Aug 04, 2004 at 21:46:21 +0200, J.H.M. Dassen (Ray) wrote:
> CAN identifier(s): CAN-2004-0597 (the serious one), CAN-2004-0598,
> CAN-2004-0599
Advisories and updated packages are available for
Red Hat: http://
SuSE: http://
Ray
--
FUD for dummies by example in 21 days Lesson 3: use braindead analogies.
"Open source raises various security issues. How many banks will tell you
where their cameras are and where their vaults are?"
A Microsoft droid in http://
In Debian Bug tracker #263500, J.H.M. Dassen (Ray) (fsmla) wrote : | #7 |
tags 263500 - woody
thanks
On Wed, Aug 04, 2004 at 21:46:21 +0200, J.H.M. Dassen (Ray) wrote:
> CAN identifier(s): CAN-2004-0597 (the serious one), CAN-2004-0598,
> CAN-2004-0599
Addressed by DSA 536-1.
Ray
--
For those Unix & Linux fanatics who're feeling left out, please forward this
message to everyone you know and delete a bunch of your files at random.
Julian Richardson's response to ILOVEYOU
In Debian Bug tracker #263500, Josselin Mouette (joss) wrote : Bug#263500: fixed in libpng3 1.2.5.0-7 | #9 |
Source: libpng3
Source-Version: 1.2.5.0-7
We believe that the bug you reported is fixed in the latest version of
libpng3, which is due to be installed in the Debian FTP archive:
libpng12-
to pool/main/
libpng12-
to pool/main/
libpng12-
to pool/main/
libpng3-
to pool/main/
libpng3_
to pool/main/
libpng3_
to pool/main/
libpng3_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Josselin Mouette <email address hidden> (supplier of updated libpng3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 5 Aug 2004 12:37:32 +0200
Source: libpng3
Binary: libpng3-dev libpng12-dev libpng12-0 libpng12-0-udeb libpng3
Architecture: source all i386
Version: 1.2.5.0-7
Distribution: unstable
Urgency: high
Maintainer: Josselin Mouette <email address hidden>
Changed-By: Josselin Mouette <email address hidden>
Description:
libpng12-0 - PNG library - runtime
libpng12-0-udeb - PNG library - minimal runtime library (udeb)
libpng12-dev - PNG library - development
libpng3 - PNG library - runtime
libpng3-dev - PNG library - development, compatibility package
Closes: 263500
Changes:
libpng3 (1.2.5.0-7) unstable; urgency=high
.
* pngrtran.c: applied upstream patch 4 to fix incorrect calculation of
buffer offsets [CAN-2004-0768].
* png.h, pngpread.c, pngrutil.c: patch from Chris Evans
<email address hidden> to fix several vulnerabilities (closes: #263500):
+ libpng fails to properly check length on PNG data [CAN-2004-0597].
+ libpng "png_handle_sBIT" does not perform proper checks to avoid stack
buffer overflow [CAN-2004-0597].
+ libpng "png_handle_iCCP" possible NULL-pointer crash
+ libpng "png_handle_sPLT" possible integer overflow
+ libpng "png_read_png" does not properly handle a PNG with excessive
height (integer overflow) [CAN-2004-0599].
+ libpng progressive reading integer overflow [CAN-2004-0599].
Files:
In Debian Bug tracker #263500, J.H.M. Dassen (Ray) (fsmla) wrote : Re: Bug#263500 acknowledged by developer (Bug#263500: fixed in libpng3 1.2.5.0-7) | #11 |
reopen 263500
tags 263500 - sid
thanks
On Thu, Aug 05, 2004 at 04:33:16 -0700, Debian Bug Tracking System wrote:
> We believe that the bug you reported is fixed in the latest version of
> libpng3, which is due to be installed in the Debian FTP archive:
This fix still needs to make it into sarge.
--
Obsig: developing a new sig
In Debian Bug tracker #263500, J.H.M. Dassen (Ray) (fsmla) wrote : | #13 |
On Thu, Aug 05, 2004 at 15:41:24 +0200, J.H.M. Dassen (Ray) wrote:
> This fix still needs to make it into sarge.
"libpng3 has the latest version in testing (1.2.5.0-7)"
"libpng has the latest version in testing (1.0.15-6)"
--
Pinky, Are You Pondering What I'm Pondering?
I think so Brain, but if we give peas a chance, won't the lima beans feel
left out?
Pinky and the Brain in "All You Need Is Narf"
Fabio Massimo Di Nitto (fabbione) wrote : | #15 |
We already have the last version with security fixes
In Debian Bug tracker #263500, Gabriele Stilli (superenzima) wrote : libpng3: [CAN-2004-0597, CAN-2004-0598, CAN-2004-0599] | #16 |
Package: libpng3
Version: 1.2.5.0-7
Followup-For: Bug #263500
Hi. Are those bugs really solved by the last upgrade?
I've upgraded all the relevant software and libraries to the latest versions
in Sarge, but still Galeon and Mozilla keep crashing on the testing PNG:
http://
Whose fault is it? Did I miss something?
Thank you,
Gabriele :-)
ii libpng12-0 1.2.5.0-7 PNG library - runtime
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.6
Locale: LANG=it_IT@euro, LC_CTYPE=it_IT@euro (ignored: LC_ALL set to it_IT@euro)
In Debian Bug tracker #263500, Josselin Mouette (joss) wrote : Re: Bug#263500: libpng3: [CAN-2004-0597, CAN-2004-0598, CAN-2004-0599] | #17 |
On Friday 20 August 2004 at 13:44 +0200, Gabriele Stilli wrote:
> Package: libpng3
> Version: 1.2.5.0-7
> Followup-For: Bug #263500
>
> Hi. Are those bugs really solved by the last upgrade?
>
> I've upgraded all the relevant software and libraries to the latest versions
> in Sarge, but still Galeon and Mozilla keep crashing on the testing PNG:
>
> http://
>
> Whose fault is it? Did I miss something?
See #263612: mozilla uses its own copy of libpng.
--
.''`. Josselin Mouette /\./\
: :' : <email address hidden>
`. `' <email address hidden>
`- Debian GNU/Linux -- The power of freedom
In Debian Bug tracker #263500, Gabriele Stilli (superenzima) wrote : Re: libpng3: [CAN-2004-0597, CAN-2004-0598, CAN-2004-0599] | #20 |
Friday 20 August 2004, at 15:00, Josselin Mouette writes:
> > Whose fault is it? Did I miss something?
>
> See #263612: mozilla uses its own copy of libpng.
Yes, I found it a few hours ago, continuing my investigation for the bug.
Should have thought better before :/
Thank you,
Gabriele :-)
--
http://
ICQ UIN: 159169930 [HT] Lothlorien F.C. (51042, VI.381)
Caccole Stellari Website: http://
Gruppo Utenti Linux Pisa: http://
Matt Zimmerman (mdz) wrote : | #22 |
*** Bug 7421 has been marked as a duplicate of this bug. ***
Matt Zimmerman (mdz) wrote : | #23 |
*** Bug 7359 has been marked as a duplicate of this bug. ***
Changed in libpng: status: Unknown → Fix Released