CVE-2008-1382: libpng zero-length chunks incorrect handling

Reported by Alexander Konovalenko on 2008-04-14
Affects           Status  Importance  Assigned to        Milestone
libpng (Ubuntu)           Undecided   Unassigned
  Dapper                  Undecided   Jamie Strandboge
  Feisty                  Undecided   Unassigned
  Gutsy                   Undecided   Jamie Strandboge
  Hardy                   Undecided   Jamie Strandboge

Bug Description

From the oCERT advisory:

"Applications using libpng that install unknown chunk handlers, or copy unknown chunks, may be vulnerable to a security issue which may result in incorrect output, information leaks, crashes, or arbitrary code execution.

The issue involves libpng incorrectly handling zero length chunks which results in uninitialized memory affecting the control flow of the application."

Details:
http://www.ocert.org/advisories/ocert-2008-003.html
http://libpng.sourceforge.net/Advisory-1.2.26.txt

From the upstream advisory:

"We believe this is a rare circumstance. It occurs in "pngtest"
that is a part of the libpng distribution, in pngcrush, and in
recent versions of ImageMagick (6.2.5 through 6.4.0-4). We are
not aware of any other vulnerable applications."

Ubuntu might be affected by this issue through ImageMagick version 6.3.7.9 in Hardy, the pngcrush package (in universe) or pngtest.c example in package libpng12-0.

libpng12-0 is part of main in all stable releases.
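The pattern the advisories describe, as an added illustration that is not libpng's code and not part of this report: a minimal PNG chunk walker hands "unknown" chunks to an application callback as a (name, data, size) triple. In the flawed variant the data pointer is only assigned when the chunk has a payload, so a zero-length chunk reaches the callback with whatever pointer the field held before (here, the previous chunk's bytes); the hardened variant sets it to NULL on that path. Chunk layout and CRC-32 follow the PNG specification; the private chunk name "prVt", the fixed scratch buffer and the constructed sample image are assumptions of this example.

```c
/* Added example modelling CVE-2008-1382's zero-length unknown-chunk flaw.
 * Not libpng's code. "prVt" and the scratch-buffer design are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH 64   /* toy payload limit; a real decoder allocates per chunk */

struct unknown_chunk {
    char     name[5];
    uint8_t *data;   /* must be NULL when size == 0 */
    size_t   size;
};

/* What the application-side callback observed. */
struct record {
    int calls;               /* unknown chunks delivered */
    int zero_len;            /* ... with size == 0 */
    int zero_len_with_data;  /* ... with size == 0 but data != NULL (the bug) */
    int stale_byte;          /* first byte read through such a pointer, else -1 */
};

/* Standard CRC-32 as used by PNG (reflected, polynomial 0xEDB88320). */
static uint32_t crc32_png(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1u)));
    }
    return c ^ 0xffffffffu;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Appends one chunk (length, type, data, CRC over type+data); returns new offset. */
static size_t append_chunk(uint8_t *out, size_t off, const char *type,
                           const uint8_t *data, uint32_t len)
{
    put32(out + off, len);
    memcpy(out + off + 4, type, 4);
    if (len) memcpy(out + off + 8, data, len);
    put32(out + off + 8 + len, crc32_png(out + off + 4, 4 + len));
    return off + 12 + len;
}

/* Constructed sample: signature, IHDR, a 4-byte private chunk "prVt",
 * a zero-length "prVt", then IEND (73 bytes; caller supplies >= 80). */
size_t build_sample_png(uint8_t *out)
{
    static const uint8_t sig[8]   = {137, 80, 78, 71, 13, 10, 26, 10};
    static const uint8_t ihdr[13] = {0,0,0,1, 0,0,0,1, 8, 0, 0, 0, 0}; /* 1x1 8-bit grey */
    static const uint8_t pay[4]   = {0xde, 0xad, 0xbe, 0xef};
    size_t off = 8;
    memcpy(out, sig, 8);
    off = append_chunk(out, off, "IHDR", ihdr, 13);
    off = append_chunk(out, off, "prVt", pay, 4);
    off = append_chunk(out, off, "prVt", NULL, 0);
    off = append_chunk(out, off, "IEND", NULL, 0);
    return off;
}

static int is_known(const char *t)
{
    return strcmp(t, "IHDR") == 0 || strcmp(t, "IDAT") == 0 || strcmp(t, "IEND") == 0;
}

static void app_callback(const struct unknown_chunk *uc, struct record *r)
{
    r->calls++;
    if (uc->size == 0) {
        r->zero_len++;
        if (uc->data != NULL) {            /* a correct decoder never gets here */
            r->zero_len_with_data++;
            r->stale_byte = uc->data[0];   /* reads whatever was left behind */
        }
    }
}

/* Walks the chunk stream; returns chunk count, or -1 on truncation, CRC
 * mismatch or oversize payload. hardened == 0 reproduces the flawed pattern. */
int walk_chunks(const uint8_t *png, size_t len, int hardened, struct record *r)
{
    static uint8_t scratch[SCRATCH];
    struct unknown_chunk uc;
    size_t off = 8;
    int n = 0;
    memset(r, 0, sizeof *r);
    r->stale_byte = -1;
    memset(&uc, 0, sizeof uc);   /* zeroed up front, so the flawed path only shows the stale case */
    if (len < 8) return -1;
    while (off + 12 <= len) {
        uint32_t clen = be32(png + off);
        const uint8_t *type = png + off + 4, *data = png + off + 8;
        if (clen > len - off - 12) return -1;                          /* truncated */
        if (be32(data + clen) != crc32_png(type, 4 + clen)) return -1; /* damaged */
        memcpy(uc.name, type, 4); uc.name[4] = 0;
        if (!is_known(uc.name)) {
            if (clen > SCRATCH) return -1;
            uc.size = clen;
            if (clen > 0) {
                memcpy(scratch, data, clen);
                uc.data = scratch;
            } else if (hardened) {
                uc.data = NULL;   /* the fix: a zero-length chunk carries no pointer */
            }                     /* flawed variant: uc.data keeps its previous value */
            app_callback(&uc, r);
        }
        n++;
        off += 12 + clen;
    }
    return n;
}

/* Builds the sample, optionally flipping a bit in the first prVt payload byte
 * (offset 8 + 25 + 8), and walks it; returns walk_chunks' result. */
int sample_result(int hardened, int corrupt)
{
    uint8_t buf[128];
    struct record r;
    size_t n = build_sample_png(buf);
    if (corrupt) buf[8 + 25 + 8] ^= 0x01;
    return walk_chunks(buf, n, hardened, &r);
}

/* Byte the callback read through a stale pointer, or -1 if it never saw one. */
int sample_stale_byte(int hardened)
{
    uint8_t buf[128];
    struct record r;
    size_t n = build_sample_png(buf);
    walk_chunks(buf, n, hardened, &r);
    return r.stale_byte;
}

int main(void)
{
    printf("hardened: %d chunks, stale byte %d\n", sample_result(1, 0), sample_stale_byte(1));
    printf("flawed:   %d chunks, stale byte %d\n", sample_result(0, 0), sample_stale_byte(0));
    printf("corrupted CRC: %d\n", sample_result(1, 1));
    return 0;
}
```

With the hardened walker the zero-length prVt chunk arrives with data == NULL and the callback has nothing to misuse; with the flawed one it arrives with size 0 but a pointer at the previous chunk's 0xde 0xad 0xbe 0xef, which is the kind of stale or uninitialized pointer the advisory warns an application handler or a chunk-copying routine may then act on. The CRC check is the reason a fuzzed file with a damaged chunk is rejected before any handler runs.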

Jamie Strandboge (jdstrand) wrote :

Intrepid has 1.2.27-1 and is not affected.

Changed in libpng:
status: New → Fix Released
Hew McLachlan (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in libpng:
status: New → Won't Fix
Changed in libpng:
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libpng - 1.2.15~beta5-3ubuntu0.1

---------------
libpng (1.2.15~beta5-3ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #338027)
    - initialize pointers in pngread.c, pngrtans.c, pngset.c and example.c
    - CVE-2009-0040
  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #217128)
    - initialize "unknown" chunks in pngpread.c, pngrutil.c and pngset.c
    - CVE-2008-1382
  * SECURITY UPDATE: denial of service via off-by-one error
    - shorten tIME_string to 29 bytes in pngtest.c
    - CVE-2008-3964
  * SECURITY UPDATE: denial of service via incorrect memory assignment
    (LP: #324258)
    - update pngwutil.c to properly set new_key to NULL string
    - CVE-2008-5907
  * SECURITY UPDATE: denial of service via a crafted PNG image
    - fix for pngset.c to properly check palette size in png_set_hIST
    - CVE-2007-5268
  * SECURITY UPDATE: denial of service via a crafted PNG image
    - fix for pngpread.c and pngrutil.c to properly do bounds checking on read
      operations. Previous version only had a partial fix.
    - CVE-2007-5269

 -- Jamie Strandboge <email address hidden> Thu, 05 Mar 2009 06:39:46 -0600

Changed in libpng:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libpng - 1.2.15~beta5-2ubuntu0.2

---------------
libpng (1.2.15~beta5-2ubuntu0.2) gutsy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #338027)
    - initialize pointers in pngread.c, pngrtans.c, pngset.c and example.c
    - CVE-2009-0040
  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #217128)
    - initialize "unknown" chunks in pngpread.c, pngrutil.c and pngset.c
    - CVE-2008-1382
  * SECURITY UPDATE: denial of service via off-by-one error
    - shorten tIME_string to 29 bytes in pngtest.c
    - CVE-2008-3964
  * SECURITY UPDATE: denial of service via incorrect memory assignment
    (LP: #324258)
    - update pngwutil.c to properly set new_key to NULL string
    - CVE-2008-5907

 -- Jamie Strandboge <email address hidden> Thu, 05 Mar 2009 07:55:49 -0600

Changed in libpng:
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :
Changed in libpng:
status: In Progress → Fix Released