CVE-2010-0205 libpng stalls and consumes large quantities of memory while processing certain PNG files

Bug #533140 reported by Anibal Monsalve Salazar on 2010-03-06
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libpng (Debian)
Fix Released
Unknown
libpng (Ubuntu)
Medium
Unassigned

Bug Description

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
https://www.kb.cert.org/vuls/id/576029

libpng stalls on highly compressed ancillary chunks

Libpng stalls and consumes large quantities of memory while processing
certain Portable Network Graphics (PNG) files.

When processing PNG files containing highly compressed ancillary chunks,
the png_decompress_chunk() function in libpng can consume large amounts
of CPU time and memory. This resource consumption may hang applications
that use libpng. More information is available in the PNG Development
Group security advisory and supplementary document, Defending Libpng
Applications Against Decompression Bombs.

This vulnerability could allow an unauthenticated, remote attacker to
cause a denial of service.

http://libpng.sourceforge.net/decompression_bombs.html

Libpng provides functions to limit memory consumption and number of
cached ancillary chunks. Applications that use libpng should use these
functions to set appropriate limits. Please see defense #2 in the
document Defending Libpng Applications Against Decompression Bombs (see
web page above) for more information.

Developers who build versions of libpng can choose to ignore ancillary
chunks by defining specific preprocessor macros. Please see defense #3
in the document Defending Libpng Applications Against Decompression
Bombs (see web page above) for more information.

visibility: private → public
Changed in libpng (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libpng - 1.2.37-1ubuntu0.1

---------------
libpng (1.2.37-1ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: denial of service via decompression bomb (LP: #533140)
    - debian/patches/02-CVE-2010-0205.patch: use new two-pass decompression
      method in pngrutil.c.
    - CVE-2010-0205
 -- Marc Deslauriers <email address hidden> Fri, 12 Mar 2010 10:53:26 -0500

Changed in libpng (Ubuntu):
status: Confirmed → Fix Released
Changed in libpng (Debian):
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.