[Png-mng-security] [png-mng-implement] libpng-1.0.21, libpng-1.2.13, libpng-1.4.0beta14

Glenn Randers-Pehrson glennrp at comcast.net
Wed Nov 15 14:07:50 UTC 2006


I've released libpng-1.0.21, libpng-1.2.13, and libpng-1.4.0beta14.
They are available at
ftp://ftp.simplesystems.org/pub/png/src (1.0.21 and 1.2.13)
ftp://ftp.simplesystems.org/pub/png-group/src  (1.4.0beta14)
http://libpng.sourceforge.net/

They take care of the CVE-2006-3334 vulnerability that was announced
today.  Due to a bug in pngset.c, decoders can crash while decoding
the sPLT chunk.  The advisory says the chunk must be malformed but
I believe large valid sPLT chunks may also cause a crash.

Here is a notice that the vulnerability has been publicly announced
(I haven't seen the actual announcement yet):

Date: Wed, 15 Nov 2006 04:14:23 -0800 (PST)
From: Google Alerts <googlealerts-noreply at google.com>
To: glennrp at comcast.net
Subject: Google Alert - libpng


Google News Alert for: libpng

libPNG "png_set_sPLT()" Chunk Handling Remote Denial of Service ...
FrSIRT - Montpellier,France
A vulnerability has been identified in libPNG, which could be exploited by attackers to cause a denial of service. This flaw is ...


libpng sPLT Chunk Handling Denial of Service
Secunia - UK
Tavis Ormandy has reported a vulnerability in libpng, which can be exploited by malicious people to cause a DoS (Denial of Service). ...


Here is the ADVISORY which I've uploaded:

Libpng security advisory 15 November 2006

Libpng versions 1.0.6 through 1.2.12 can crash while decoding
the sPLT chunk.  This is due to an incorrect calculation of
the buffer size for storing the palette entries.
This bug has been given the identifier CVE-2006-3334.

Libraries that are built with the default configuration are
vulnerable.

Libraries that are built with PNG_NO_READ_sPLT defined are not
vulnerable.  Neither are applications that use png_set_keep_unknown_chunks
with PNG_HANDLE_CHUNK_NEVER to ignore the sPLT chunk.

Here is the fix:

In pngset.c, in these statements around line 950

        to->entries = (png_sPLT_entryp)png_malloc(png_ptr,
            from->nentries * png_sizeof(png_sPLT_t));
        /* TODO: use png_malloc_warn */
        png_memcpy(to->entries, from->entries,
            from->nentries * png_sizeof(png_sPLT_t));

change
  png_sizeof(png_sPLT_t)
to
  png_sizeof(png_sPLT_entry)

Libpng versions 1.0.21, 1.2.13, and 1.4.0beta14 have been fixed.


There are other changes as well.  There is new code that prevents
libpng from *writing* an iCCP chunk with an inconsistent length field,
and there are checks for a NULL png_ptr being passed in to exported
functions.  The latter is rather extensive; there were about 72
instances of unchecked pointers.

Glenn
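The following is an added example, not code from the message above or from libpng itself. It reproduces the two struct layouts that the pngset.c fix is about (assumed to match png_sPLT_entry and png_sPLT_t in libpng 1.2.x's png.h: five 16-bit fields in the entry; name, depth, entries pointer and nentries in the palette struct), then shows with my own helpers why the wrong sizeof is dangerous: png_sPLT_t is larger than png_sPLT_entry, so the pre-fix memcpy reads nentries * sizeof(png_sPLT_t) bytes out of a source array that holds only nentries * sizeof(png_sPLT_entry) bytes, and the distance read past the end grows with the entry count, which is consistent with large, well-formed chunks crashing too. copy_splt_fixed() is the post-fix sizing, with a guard for a negative nentries that libpng's png_int_32 field permits.

```c
/*
 * Added example, not libpng code. The two typedefs mirror libpng 1.2.x's
 * png_sPLT_entry / png_sPLT_t (assumed layout); everything else is written
 * for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint16_t red, green, blue, alpha, frequency;   /* 10 bytes */
} png_sPLT_entry;

typedef struct {
    char *name;                 /* palette name, NUL-terminated */
    unsigned char depth;        /* 8 or 16 */
    png_sPLT_entry *entries;    /* array of nentries entries */
    int32_t nentries;
} png_sPLT_t;

/* Bytes the pre-fix memcpy reads from from->entries: nentries * sizeof(png_sPLT_t). */
size_t buggy_copy_bytes(int32_t nentries)
{
    return (size_t)nentries * sizeof(png_sPLT_t);
}

/* Bytes that actually exist in from->entries: nentries * sizeof(png_sPLT_entry). */
size_t source_bytes(int32_t nentries)
{
    return (size_t)nentries * sizeof(png_sPLT_entry);
}

/* How far past the end of the source array the pre-fix copy reads.
 * This grows with nentries, so a large valid chunk reads further out of bounds. */
size_t overread_bytes(int32_t nentries)
{
    return buggy_copy_bytes(nentries) - source_bytes(nentries);
}

/* Deep-copy one palette sized with sizeof(png_sPLT_entry), as the patched
 * pngset.c does. Returns 1 on success, 0 on a bad count or allocation failure. */
int copy_splt_fixed(png_sPLT_t *to, const png_sPLT_t *from)
{
    if (from->nentries < 0)          /* png_int_32 can be negative; reject it */
        return 0;
    size_t n = (size_t)from->nentries;
    to->name = malloc(strlen(from->name) + 1);
    to->entries = malloc(n * sizeof(png_sPLT_entry));
    if (to->name == NULL || to->entries == NULL) {
        free(to->name);
        free(to->entries);
        to->name = NULL;
        to->entries = NULL;
        return 0;
    }
    strcpy(to->name, from->name);
    memcpy(to->entries, from->entries, n * sizeof(png_sPLT_entry));
    to->depth = from->depth;
    to->nentries = from->nentries;
    return 1;
}

/* Build a constructed palette of n entries, copy it with the fixed routine,
 * and return 1 if name, depth and every entry survive the round trip. */
int roundtrip_ok(int32_t n)
{
    png_sPLT_t src = { "example", 8, NULL, n };
    png_sPLT_t dst = { NULL, 0, NULL, 0 };
    int ok = 1;

    src.entries = malloc((size_t)n * sizeof(png_sPLT_entry));
    if (src.entries == NULL)
        return 0;
    for (int32_t i = 0; i < n; i++) {
        src.entries[i].red = (uint16_t)i;
        src.entries[i].green = (uint16_t)(i * 2);
        src.entries[i].blue = (uint16_t)(i * 3);
        src.entries[i].alpha = 0xFFFF;
        src.entries[i].frequency = (uint16_t)(n - i);
    }
    if (!copy_splt_fixed(&dst, &src)) {
        free(src.entries);
        return 0;
    }
    if (strcmp(dst.name, src.name) != 0 || dst.depth != src.depth ||
        dst.nentries != src.nentries ||
        memcmp(dst.entries, src.entries, (size_t)n * sizeof(png_sPLT_entry)) != 0)
        ok = 0;

    free(src.entries);
    free(dst.name);
    free(dst.entries);
    return ok;
}

int main(void)
{
    printf("sizeof(png_sPLT_entry) = %zu, sizeof(png_sPLT_t) = %zu\n",
           sizeof(png_sPLT_entry), sizeof(png_sPLT_t));
    printf("256-entry palette: pre-fix copy reads %zu bytes past the source\n",
           overread_bytes(256));
    printf("fixed copy round trip: %s\n", roundtrip_ok(256) ? "ok" : "FAILED");
    return 0;
}
```

The exact byte counts depend on pointer size and padding, which is why the example reports them rather than hard-coding them; the relationship that matters (png_sPLT_t strictly larger than png_sPLT_entry, so the over-read is nonzero for any nonzero nentries) holds on any platform where the palette struct carries two pointers.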
