libpng code injection CVE-2009-0040
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| libpng (Ubuntu) |
Fix Released
|
Medium
|
Jamie Strandboge | ||
| Dapper |
Fix Released
|
Medium
|
Jamie Strandboge | ||
| Gutsy |
Fix Released
|
Medium
|
Jamie Strandboge | ||
| Hardy |
Fix Released
|
Medium
|
Jamie Strandboge | ||
| Intrepid |
Fix Released
|
Medium
|
Jamie Strandboge | ||
| Jaunty |
Fix Released
|
Medium
|
Jamie Strandboge | ||
Bug Description
from http://
Vulnerability Warning
All versions of libpng from 0.89c through 1.2.34 contain an uninitialized-data bug that can be triggered by a malicious user. Specifically, there are several instances in which a malloc'd array of pointers is then initialized by a secondary sequence of malloc() calls. If one of these calls fails, libpng's cleanup routine will attempt to free the entire array, including any uninitialized pointers, which could lead to execution of an attacker's code with the privileges of the libpng user (including remote compromise in the case of a libpng-based browser visiting a hostile web site). This vulnerability has been assigned ID CVE-2009-0040 and is fixed in version 1.2.35, released 18 February 2009.
| Changed in libpng: | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → jdstrand |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → jdstrand |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → jdstrand |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → jdstrand |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → jdstrand |
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in libpng: | |
| status: | In Progress → Fix Released |
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in libpng: | |
| status: | In Progress → Fix Released |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in libpng: | |
| status: | In Progress → Fix Released |
| Launchpad Janitor (janitor) wrote | #4 |
| Changed in libpng: | |
| status: | In Progress → Fix Released |
| Jamie Strandboge (jdstrand) wrote | #5 |
| Changed in libpng: | |
| status: | In Progress → Fix Released |
This bug was fixed in the package libpng - 1.2.15~
---------------
libpng (1.2.15~
* SECURITY UPDATE: denial of service and possible execution of arbitrary
code via crafted image (LP: #338027)
- initialize pointers in pngread.c, pngrtans.c, pngset.c and example.c
- CVE-2009-0040
* SECURITY UPDATE: denial of service and possible execution of arbitrary
code via crafted image (LP: #217128)
- initialize "unknown" chunks in pngpread.c, pngrutil.c and pngset.c
- CVE-2008-1382
* SECURITY UPDATE: denial of service via off-by-one error
- shorten tIME_string to 29 bytes in pngtest.c
- CVE-2008-3964
* SECURITY UPDATE: denial of service via incorrect memory assignment
(LP: #324258)
- update pngwutil.c to properly set new_key to NULL string
- CVE-2008-5907
* SECURITY UPDATE: denial of service via a crafted PNG image
- fix for pngset.c to properly check palette size in png_set_hIST
- CVE-2007-5268
* SECURITY UPDATE: denial of service via a crafted PNG image
- fix for pngpread.c and pngrutil.c to properly do bounds checking on read
operations. Previous version only had a partial fix.
- CVE-2007-5269
-- Jamie Strandboge <email address hidden> Thu, 05 Mar 2009 06:39:46 -0600