[CVE-2008-5907] libpng: png_check_keyword() in pngwutil.c might allow overwriting arbitrary memory location

Bug #324258 reported by Till Ulen
Affects           Status        Importance  Assigned to       Milestone
libpng (Ubuntu)   Fix Released  Low         Jamie Strandboge
Dapper            Fix Released  Low         Jamie Strandboge
Gutsy             Fix Released  Low         Jamie Strandboge
Hardy             Fix Released  Low         Jamie Strandboge
Intrepid          Fix Released  Low         Jamie Strandboge
Jaunty            Fix Released  Low         Jamie Strandboge

Bug Description

Binary package hint: libpng12-0

Description from the NVD:

"The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer. NOTE: some sources incorrectly report this as a double free vulnerability."

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5907
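
The pointer-level mix-up the NVD text describes, as an added illustration of the C mechanism only. This is constructed example code, not libpng's pngwutil.c; the names copy_keyword, truncate_buggy and truncate_fixed and the "Comment" keyword are hypothetical. It shows why `*out = '\0'` compiles silently where `(*out)[pos] = '\0'` was meant: the character constant '\0' is an integer constant with value 0, which C treats as a null pointer constant wherever a pointer is expected.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not libpng code. '\0' is an int constant with
 * value 0, and any integer constant expression with value 0 is a null
 * pointer constant in C. Assigning it to a pointer lvalue therefore
 * compiles without a diagnostic even though the author meant to store a
 * terminating byte one indirection level deeper. */

/* Copy at most `max` bytes of `src` into a fresh heap buffer handed back
 * through `out`. Returns the number of bytes copied, 0 on failure. */
static size_t copy_keyword(const char *src, size_t max, char **out)
{
    size_t len = 0;
    while (len < max && src[len] != '\0')
        len++;
    *out = malloc(len + 1);
    if (*out == NULL)
        return 0;
    memcpy(*out, src, len);
    (*out)[len] = '\0';
    return len;
}

/* Buggy truncation: one '*' too few. The left-hand side is the caller's
 * pointer, so the statement stores NULL there instead of writing a zero
 * byte at position `pos`. */
static void truncate_buggy(char **out, size_t pos)
{
    (void)pos;
    *out = '\0';   /* compiles clean: '\0' is a null pointer constant */
}

/* Correct truncation: the zero byte lands inside the buffer. */
static void truncate_fixed(char **out, size_t pos)
{
    (*out)[pos] = '\0';
}

/* Returns 1 if the buggy path leaves the caller holding NULL, 0 if not,
 * -1 if allocation failed. */
int buggy_path_yields_null(void)
{
    char *key = NULL;
    if (copy_keyword("Comment", 79, &key) == 0)
        return -1;
    char *buffer = key;          /* keep a handle so the demo can free it */
    truncate_buggy(&key, 3);
    int is_null = (key == NULL);
    free(buffer);
    return is_null;
}

/* Returns the keyword length after the fixed path: "Comment" truncated
 * at 3 is "Com", so 3. Returns 0 on allocation failure. */
size_t fixed_path_length(void)
{
    char *key = NULL;
    if (copy_keyword("Comment", 79, &key) == 0)
        return 0;
    truncate_fixed(&key, 3);
    size_t len = strlen(key);
    free(key);
    return len;
}

int main(void)
{
    printf("buggy path leaves NULL pointer: %d\n", buggy_path_yields_null());
    printf("fixed path keyword length: %zu\n", fixed_path_length());
    return 0;
}
```

Built with `gcc -Wall -Wextra`, truncate_buggy produces no warning, which is the point: the defect is invisible to the compiler and only shows up by reading the indirection level or by a behavioural check such as buggy_path_yields_null(). Reviewing every `*p = '\0'` against the declared type of `p` is the cheap defensive check for this class of mistake.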

Changed in libpng (recorded once for each affected series):
status: New → In Progress
importance: Undecided → Low
assignee: nobody → jdstrand
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libpng - 1.2.15~beta5-3ubuntu0.1

---------------
libpng (1.2.15~beta5-3ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #338027)
    - initialize pointers in pngread.c, pngrtans.c, pngset.c and example.c
    - CVE-2009-0040
  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #217128)
    - initialize "unknown" chunks in pngpread.c, pngrutil.c and pngset.c
    - CVE-2008-1382
  * SECURITY UPDATE: denial of service via off-by-one error
    - shorten tIME_string to 29 bytes in pngtest.c
    - CVE-2008-3964
  * SECURITY UPDATE: denial of service via incorrect memory assignment
    (LP: #324258)
    - update pngwutil.c to properly set new_key to NULL string
    - CVE-2008-5907
  * SECURITY UPDATE: denial of service via a crafted PNG image
    - fix for pngset.c to properly check palette size in png_set_hIST
    - CVE-2007-5268
  * SECURITY UPDATE: denial of service via a crafted PNG image
    - fix for pngpread.c and pngrutil.c to properly do bounds checking on read
      operations. Previous version only had a partial fix.
    - CVE-2007-5269

 -- Jamie Strandboge <email address hidden> Thu, 05 Mar 2009 06:39:46 -0600

Changed in libpng:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libpng - 1.2.15~beta5-2ubuntu0.2

---------------
libpng (1.2.15~beta5-2ubuntu0.2) gutsy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #338027)
    - initialize pointers in pngread.c, pngrtans.c, pngset.c and example.c
    - CVE-2009-0040
  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #217128)
    - initialize "unknown" chunks in pngpread.c, pngrutil.c and pngset.c
    - CVE-2008-1382
  * SECURITY UPDATE: denial of service via off-by-one error
    - shorten tIME_string to 29 bytes in pngtest.c
    - CVE-2008-3964
  * SECURITY UPDATE: denial of service via incorrect memory assignment
    (LP: #324258)
    - update pngwutil.c to properly set new_key to NULL string
    - CVE-2008-5907

 -- Jamie Strandboge <email address hidden> Thu, 05 Mar 2009 07:55:49 -0600

Changed in libpng:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libpng - 1.2.27-1ubuntu0.1

---------------
libpng (1.2.27-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #338027)
    - debian/patches/02-CVE-2009-0040.diff: initialize pointers in pngread.c,
      pngrtans.c, pngset.c and example.c
    - CVE-2009-0040
  * SECURITY UPDATE: denial of service via off-by-one error
    - debian/patches/02-CVE-2008-3964.diff: shorten tIME_string to 29 bytes in
      pngtest.c
    - CVE-2008-3964
  * SECURITY UPDATE: denial of service via incorrect memory assignment
    (LP: #324258)
    - debian/patches/02-CVE-2008-5907.diff: update pngwutil.c to properly set
      new_key to NULL string
    - CVE-2008-5907
  * debian/rules: Work around missing definition of ECHO. Backported from
    1.2.27-2ubuntu1

 -- Jamie Strandboge <email address hidden> Thu, 05 Mar 2009 07:37:05 -0600

Changed in libpng:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libpng - 1.2.27-2ubuntu2

---------------
libpng (1.2.27-2ubuntu2) jaunty; urgency=low

  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #338027)
    - debian/patches/02-CVE-2009-0040.diff: initialize pointers in pngread.c,
      pngrtans.c, pngset.c and example.c
    - CVE-2009-0040
  * SECURITY UPDATE: denial of service via incorrect memory assignment
    (LP: #324258)
    - debian/patches/02-CVE-2008-5907.diff: update pngwutil.c to properly set
      new_key to NULL string
    - CVE-2008-5907

 -- Jamie Strandboge <email address hidden> Thu, 05 Mar 2009 14:15:45 -0600

Changed in libpng:
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote:
Changed in libpng:
status: In Progress → Fix Released