From glennrp at comcast.net Sat May 5 08:55:59 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Sat, 05 May 2007 04:55:59 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
Message-ID: <3.0.6.32.20070505045559.018b9690@mail.comcast.net>

Please keep this close-held until libpng-1.2.17 has been released.

A security bug has been reported to mozilla. It seems that a grayscale
image with a malformed (bad CRC) tRNS chunk will crash libpng and
mozilla. In my experience it also brought down my Windows display
manager.

The reason is that png_ptr->num_trans is set to 1 and then there is an
error return after checking the CRC, so the trans[] array is never
allocated. Since png_ptr->num_trans is nonzero, libpng tries to use the
array later.

Here is the fix, thanks to Mats Palmgren:

At line 1316 of pngrutil.c, change

    if (png_crc_finish(png_ptr, 0))
      return;

to

    if (png_crc_finish(png_ptr, 0))
    {
      png_ptr->num_trans = 0;
      return;
    }

Libpng-1.2.17rc1 does not contain this fix.

Glenn

From glennrp at comcast.net Sat May 5 12:44:13 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Sat, 05 May 2007 08:44:13 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070505045559.018b9690@mail.comcast.net>
Message-ID: <3.0.6.32.20070505084413.01216d38@mail.comcast.net>

At 04:55 AM 5/5/2007 -0400, you wrote:
>a grayscale image with a malformed (bad CRC) tRNS chunk
>will crash libpng and mozilla.

I've checked my old versions and found that the bug was introduced in
version 0.90. I think the same patch will work against all versions
from 0.90 to now.

Glenn

From glennrp at comcast.net Mon May 7 10:33:35 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Mon, 07 May 2007 06:33:35 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070505045559.018b9690@mail.comcast.net>
Message-ID: <3.0.6.32.20070507063335.018c7b30@mail.comcast.net>

At 04:55 AM 5/5/2007 -0400, you wrote:
>Please keep this close-held until libpng-1.2.17 has been released.
>
>A security bug has been reported to mozilla.

pngcrush is not vulnerable because it checks all CRCs before it tries
to decode any chunks. pngquant and pngcheck also detect and report the
bad CRC without trying to decode the bad tRNS chunk. MSIE-7, which
does not use libpng, to my knowledge, displays a bad-image icon.

Glenn

From glennrp at comcast.net Mon May 7 17:53:52 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Mon, 07 May 2007 13:53:52 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070507063335.018c7b30@mail.comcast.net>
References: <3.0.6.32.20070505045559.018b9690@mail.comcast.net>
Message-ID: <3.0.6.32.20070507135352.018c39d0@mail.comcast.net>

I just got a reply from CERT:

  Thank you for the report, we are tracking this as VU#684664.
  We will follow up with our established contacts at libpng.

Greg or maybe Andreas Dilger is probably the "established contact".

Glenn

From newt at pobox.com Mon May 7 17:59:57 2007
From: newt at pobox.com (Greg Roelofs)
Date: Mon, 7 May 2007 10:59:57 -0700
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
Message-ID: <200705071759.l47Hxv2P025603@bolt.sonic.net>

> I just got a reply from CERT:
> Thank you for the report, we are tracking this as VU#684664.
> We will follow up with our established contacts at libpng.
> Greg or maybe Andreas Dilger is probably the "established contact".

I wouldn't expect it to be me--I don't think I've ever reported a
libpng security issue or claimed to be the maintainer or security
contact. But I'll forward anything that comes my way...

Greg

From adilger at clusterfs.com Mon May 7 20:42:05 2007
From: adilger at clusterfs.com (Andreas Dilger)
Date: Mon, 7 May 2007 13:42:05 -0700
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
References: <3.0.6.32.20070505045559.018b9690@mail.comcast.net>
	<3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
Message-ID: <20070507204205.GA8181@schatzie.adilger.int>

On May 07, 2007 13:53 -0400, Glenn Randers-Pehrson wrote:
> I just got a reply from CERT:
>
> Thank you for the report, we are tracking this as VU#684664.
> We will follow up with our established contacts at libpng.
>
> Greg or maybe Andreas Dilger is probably the "established contact".

I haven't gotten anything from CERT either.

Cheers, Andreas
--
Andreas Dilger
Principal Software Engineer
Cluster File Systems, Inc.

From glennrp at comcast.net Mon May 7 21:50:04 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Mon, 07 May 2007 17:50:04 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <20070507204205.GA8181@schatzie.adilger.int>
References: <3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
	<3.0.6.32.20070505045559.018b9690@mail.comcast.net>
	<3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
Message-ID: <3.0.6.32.20070507175004.018c6aa0@mail.comcast.net>

At 01:42 PM 5/7/2007 -0700, Andreas Dilger wrote:
>On May 07, 2007 13:53 -0400, Glenn Randers-Pehrson wrote:
>> I just got a reply from CERT:
>>
>> Thank you for the report, we are tracking this as VU#684664.
>> We will follow up with our established contacts at libpng.
>>
>> Greg or maybe Andreas Dilger is probably the "established contact".
>
>I haven't gotten anything from CERT either.

I have (the "established contact" turns out to be glennrp at imagemagick.org),
but they insist on using encrypted commo so I could not read
it. They called me at home a while ago but I was outside watching the
grass grow.

I guess the only thing really to discuss is how long to wait before
disclosing the problem, and whether to release a fixed libpng and
mozilla quietly before disclosure.

Glenn

From adilger at clusterfs.com Mon May 7 22:42:41 2007
From: adilger at clusterfs.com (Andreas Dilger)
Date: Mon, 7 May 2007 15:42:41 -0700
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070507175004.018c6aa0@mail.comcast.net>
References: <3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
	<3.0.6.32.20070505045559.018b9690@mail.comcast.net>
	<3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
	<3.0.6.32.20070507175004.018c6aa0@mail.comcast.net>
Message-ID: <20070507224241.GL8181@schatzie.adilger.int>

On May 07, 2007 17:50 -0400, Glenn Randers-Pehrson wrote:
> At 01:42 PM 5/7/2007 -0700, Andreas Dilger wrote:
> >On May 07, 2007 13:53 -0400, Glenn Randers-Pehrson wrote:
> >> I just got a reply from CERT:
> >>
> >> Thank you for the report, we are tracking this as VU#684664.
> >> We will follow up with our established contacts at libpng.
> >>
> >> Greg or maybe Andreas Dilger is probably the "established contact".
> >
> >I haven't gotten anything from CERT either.
>
> I have (the "established contact" turns out to be glennrp at imagemagick.org),
> but they insist on using encrypted commo so I could not read
> it. They called me at home a while ago but I was outside watching the
> grass grow.
>
> I guess the only thing really to discuss is how long to wait before
> disclosing the problem, and whether to release a fixed libpng and
> mozilla quietly before disclosure.

IMHO, it makes sense to try and alert the main vendors (RH, SuSE, Debian)
to allow them to fix the problem and issue an update that their users
can pull before the bug is made public. I don't know the timeframe for
this, but maybe a week or so before disclosure?

Cheers, Andreas
--
Andreas Dilger
Principal Software Engineer
Cluster File Systems, Inc.

From newt at pobox.com Mon May 7 22:56:34 2007
From: newt at pobox.com (Greg Roelofs)
Date: Mon, 7 May 2007 15:56:34 -0700
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <20070507224241.GL8181@schatzie.adilger.int>
Message-ID: <200705072256.l47MuYfJ032109@bolt.sonic.net>

> IMHO, it makes sense to try and alert the main vendors (RH, SuSE, Debian)
> to allow them to fix the problem and issue an update that their users
> can pull before the bug is made public. I don't know the timeframe for
> this, but maybe a week or so before disclosure?

I'd do so immediately, if Glenn hasn't already. I used vendor-sec, CERT
and something else for my XV disclosure a couple of years ago, and it
worked pretty well.

Greg

From tgl at sss.pgh.pa.us Tue May 8 06:57:44 2007
From: tgl at sss.pgh.pa.us (Tom Lane)
Date: Tue, 08 May 2007 02:57:44 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <20070507224241.GL8181@schatzie.adilger.int>
References: <3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
	<3.0.6.32.20070505045559.018b9690@mail.comcast.net>
	<3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
	<3.0.6.32.20070507175004.018c6aa0@mail.comcast.net>
	<20070507224241.GL8181@schatzie.adilger.int>
Message-ID: <23953.1178607464@sss.pgh.pa.us>

Andreas Dilger writes:
> IMHO, it makes sense to try and alert the main vendors (RH, SuSE, Debian)
> to allow them to fix the problem and issue an update that their users
> can pull before the bug is made public. I don't know the timeframe for
> this, but maybe a week or so before disclosure?

FWIW, I-am-Red-Hat in this matter. A week or so would be good for us.

If there is not already a Mitre CVE number for this, please file for one
ASAP and let me know what it is --- that's the reference number RH's
security guys prefer to use. A quick email to cve at mitre.org (usually
Steve Christey) with a one-line summary of the issue will get you a
number whenever Steve is next awake, and then the protocol is to provide
full details --- in particular, links to publicly archived announcements
--- right after you've made the bug and the fix public.

regards, tom lane

From tgl at sss.pgh.pa.us Tue May 8 07:12:18 2007
From: tgl at sss.pgh.pa.us (Tom Lane)
Date: Tue, 08 May 2007 03:12:18 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070505045559.018b9690@mail.comcast.net>
References: <3.0.6.32.20070505045559.018b9690@mail.comcast.net>
Message-ID: <24089.1178608338@sss.pgh.pa.us>

Glenn Randers-Pehrson writes:
> It seems that a grayscale image with a malformed (bad CRC) tRNS chunk
> will crash libpng and mozilla.

Something that Red Hat's security folks will be demanding of me pretty
soon: can this be exploited to do anything more than just crash your
browser? Right offhand it looks like it can only cause a null pointer
dereference, but maybe I'm missing something more interesting.

regards, tom lane

From glennrp at comcast.net Tue May 8 09:28:30 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Tue, 08 May 2007 05:28:30 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <24089.1178608338@sss.pgh.pa.us>
References: <3.0.6.32.20070505045559.018b9690@mail.comcast.net>
	<3.0.6.32.20070505045559.018b9690@mail.comcast.net>
Message-ID: <3.0.6.32.20070508052830.018c8e90@mail.comcast.net>

At 03:12 AM 5/8/2007 -0400, Tom Lane wrote:
>Glenn Randers-Pehrson writes:
>> It seems that a grayscale image with a malformed (bad CRC) tRNS chunk
>> will crash libpng and mozilla.
>
>Something that Red Hat's security folks will be demanding of me pretty
>soon: can this be exploited to do anything more than just crash your
>browser? Right offhand it looks like it can only cause a null pointer
>dereference, but maybe I'm missing something more interesting.

I don't think so. "num_trans" is always "1", so nothing is really
under the control of a malefactor other than the bad CRC. I think it
may also cause a "free" of an array that was never allocated.

As I may have mentioned before, the crash is spectacular. Not only
does Seamonkey crash, but my Windows display gets thrown into "safe"
mode. I don't get a BSOD though.

Glenn

From tgl at sss.pgh.pa.us Tue May 8 13:40:08 2007
From: tgl at sss.pgh.pa.us (Tom Lane)
Date: Tue, 08 May 2007 09:40:08 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070508052830.018c8e90@mail.comcast.net>
References: <3.0.6.32.20070505045559.018b9690@mail.comcast.net>
	<3.0.6.32.20070505045559.018b9690@mail.comcast.net>
	<3.0.6.32.20070508052830.018c8e90@mail.comcast.net>
Message-ID: <29638.1178631608@sss.pgh.pa.us>

Glenn Randers-Pehrson writes:
> At 03:12 AM 5/8/2007 -0400, Tom Lane wrote:
>> Something that Red Hat's security folks will be demanding of me pretty
>> soon: can this be exploited to do anything more than just crash your
>> browser? Right offhand it looks like it can only cause a null pointer
>> dereference, but maybe I'm missing something more interesting.

> I don't think so.

Thanks. BTW, I understand CVE-2007-2445 is already allocated for this
issue.

regards, tom lane
From tgl at sss.pgh.pa.us Sat May 12 04:11:11 2007
From: tgl at sss.pgh.pa.us (Tom Lane)
Date: Sat, 12 May 2007 00:11:11 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070507175004.018c6aa0@mail.comcast.net>
References: <3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
	<3.0.6.32.20070505045559.018b9690@mail.comcast.net>
	<3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
	<3.0.6.32.20070507175004.018c6aa0@mail.comcast.net>
Message-ID: <13303.1178943071@sss.pgh.pa.us>

Glenn Randers-Pehrson writes:
> I guess the only thing really to discuss is how long to wait before
> disclosing the problem, and whether to release a fixed libpng and
> mozilla quietly before disclosure.

Do we have an agreement on the release date? Red Hat's security guys
seem to think that May 15th is the date, but I missed where that was
agreed to. Once the erratum-release train starts rolling it's hard
to stop, so if anyone doesn't like that date please speak up.

(Personally I could do with a different date because I'll be off
poll-watching on Tuesday...)

regards, tom lane

From glennrp at comcast.net Sat May 12 04:47:49 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Sat, 12 May 2007 00:47:49 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <13303.1178943071@sss.pgh.pa.us>
References: <3.0.6.32.20070507175004.018c6aa0@mail.comcast.net>
	<3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
	<3.0.6.32.20070505045559.018b9690@mail.comcast.net>
	<3.0.6.32.20070507135352.018c39d0@mail.comcast.net>
	<3.0.6.32.20070507175004.018c6aa0@mail.comcast.net>
Message-ID: <3.0.6.32.20070512004749.018a5c98@mail.comcast.net>

At 12:11 AM 5/12/2007 -0400, you wrote:
>Glenn Randers-Pehrson writes:
>> I guess the only thing really to discuss is how long to wait before
>> disclosing the problem, and whether to release a fixed libpng and
>> mozilla quietly before disclosure.
>
>Do we have an agreement on the release date? Red Hat's security guys
>seem to think that May 15th is the date, but I missed where that was
>agreed to. Once the erratum-release train starts rolling it's hard
>to stop, so if anyone doesn't like that date please speak up.
>
>(Personally I could do with a different date because I'll be off
>poll-watching on Tuesday...)

The CERT guy said that if he didn't call me Friday May 15 is OK.
He didn't call. We had talked about May 15 but that was only
approximate. Your guy might have gotten the date from CERT. I don't
know what is going on elsewhere in the vulnerability community.

I haven't got a response from Firefox about whether they want to
squeeze the fix into their next release or not, or exactly when is
that next release. As long as it is just a DoS vulnerability they
don't seem to care much.

Would May 18 (Friday) be better for you? I've just released some
new "rc" libpngs that should really age for a week prior to the
public release.

Glenn

From newt at pobox.com Sat May 12 04:55:20 2007
From: newt at pobox.com (Greg Roelofs)
Date: Fri, 11 May 2007 21:55:20 -0700
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
Message-ID: <200705120455.l4C4tK8G020894@bolt.sonic.net>

> The CERT guy said that if he didn't call me Friday May 15 is OK.
> He didn't call. We had talked about May 15 but that was only
> approximate. Your guy might have gotten the date from CERT. I don't
> know what is going on elsewhere in the vulnerability community.

Your vulnerability, your call. The gating factor is disclosure date;
what you choose goes. (There may be requests to delay a bit in some
cases, but they're just requests.)

> Would May 18 (Friday) be better for you? I've just released some
> new "rc" libpngs that should really age for a week prior to the
> public release.

I'd put it off until the following Monday or Tuesday. Doing it right
before the weekend generally gives the bad guys a relative advantage.
(You could even delay two weeks, assuming it hasn't been made public
elsewhere.)

Greg

From glennrp at comcast.net Sat May 12 05:13:46 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Sat, 12 May 2007 01:13:46 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <200705120455.l4C4tK8G020894@bolt.sonic.net>
References: <3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
Message-ID: <3.0.6.32.20070512011346.018a11f8@mail.comcast.net>

At 09:55 PM 5/11/2007 -0700, Greg Roelofs wrote:
>> The CERT guy said that if he didn't call me Friday May 15 is OK.
>> He didn't call. We had talked about May 15 but that was only
>> approximate. Your guy might have gotten the date from CERT. I don't
>> know what is going on elsewhere in the vulnerability community.
>
>Your vulnerability, your call. The gating factor is disclosure date;
>what you choose goes. (There may be requests to delay a bit in some
>cases, but they're just requests.)
>
>> Would May 18 (Friday) be better for you? I've just released some
>> new "rc" libpngs that should really age for a week prior to the
>> public release.
>
>I'd put it off until the following Monday or Tuesday. Doing it right
>before the weekend generally gives the bad guys a relative advantage.
>(You could even delay two weeks, assuming it hasn't been made public
>elsewhere.)

Monday, May 21, 12:00 noon EDT is fine with me. You are right about
the weekend; I already discovered CERT does not answer mail until
Monday afternoon and there evidently aren't any volunteers to cover
when they are gone.

Glenn

From glennrp at comcast.net Sat May 12 05:25:27 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Sat, 12 May 2007 01:25:27 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <200705120455.l4C4tK8G020894@bolt.sonic.net>
References: <3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
Message-ID: <3.0.6.32.20070512012527.011f4368@mail.comcast.net>

I got this from CERT (the date he mentions is May 15th):

  We have not had any vendors tell us that the date you had proposed was
  too early.

From tgl at sss.pgh.pa.us Sat May 12 20:59:52 2007
From: tgl at sss.pgh.pa.us (Tom Lane)
Date: Sat, 12 May 2007 16:59:52 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070512012527.011f4368@mail.comcast.net>
References: <3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
Message-ID: <26573.1179003592@sss.pgh.pa.us>

Glenn Randers-Pehrson writes:
> I got this from CERT (the date he mentions is May 15th):
> We have not had any vendors tell us that the date you had proposed was
> too early.

It might be best to stick with the 15th --- if we try to say the 21st
now, someone might not get the word and release on the 15th anyway,
leaving us with egg on our faces.

regards, tom lane

From tgl at sss.pgh.pa.us Sat May 12 22:13:00 2007
From: tgl at sss.pgh.pa.us (Tom Lane)
Date: Sat, 12 May 2007 18:13:00 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <26573.1179003592@sss.pgh.pa.us>
References: <3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
	<26573.1179003592@sss.pgh.pa.us>
Message-ID: <27681.1179007980@sss.pgh.pa.us>

BTW, could I trouble someone for a small test image that exhibits this bug?

regards, tom lane

From tgl at sss.pgh.pa.us Sun May 13 01:01:33 2007
From: tgl at sss.pgh.pa.us (Tom Lane)
Date: Sat, 12 May 2007 21:01:33 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <27681.1179007980@sss.pgh.pa.us>
References: <3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
	<26573.1179003592@sss.pgh.pa.us>
	<27681.1179007980@sss.pgh.pa.us>
Message-ID: <29827.1179018093@sss.pgh.pa.us>

I wrote:
> BTW, could I trouble someone for a small test image that exhibits this bug?

Nevermind, I made my own (attached if you need it). A couple of
observations:

* The original bug report seems incorrect, as it specifies a grayscale
  image; AFAICT the failure happens only with palette images. I don't
  see anyplace that touches png_ptr->trans for grayscale, except for a
  couple of

      if (png_ptr->free_me & PNG_FREE_TRNS)
        png_free(png_ptr, png_ptr->trans);

  which aren't going to be exercised anyway because the free-bit won't
  get set. (Hence the risk seems only to be a null-pointer dereference,
  not an invalid free().)

* I could not get the crash to happen with pngtopnm --- I guess that
  program does not call for any of the transforms that reference
  transparency ... or else the copy I'm using is not compiled to make
  null pointer derefs crash? Anyway it crashes Firefox nicely.

regards, tom lane

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 958 bytes
Desc: bad-trns.png

From glennrp at comcast.net Sun May 13 02:45:35 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Sat, 12 May 2007 22:45:35 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <29827.1179018093@sss.pgh.pa.us>
References: <27681.1179007980@sss.pgh.pa.us>
	<3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
	<26573.1179003592@sss.pgh.pa.us>
	<27681.1179007980@sss.pgh.pa.us>
Message-ID: <3.0.6.32.20070512224535.0122b998@mail.comcast.net>

At 09:01 PM 5/12/2007 -0400, Tom Lane wrote:
>I wrote:
>> BTW, could I trouble someone for a small test image that exhibits this bug?
>
>Nevermind, I made my own (attached if you need it).

Yours doesn't do anything to any of my applications. I posted the PNG
from the original bug report, and yours, at

  www.simplesystems.org/users/glennrp/mozilla/bug374810

Glenn

From tgl at sss.pgh.pa.us Sun May 13 02:57:24 2007
From: tgl at sss.pgh.pa.us (Tom Lane)
Date: Sat, 12 May 2007 22:57:24 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070512224535.0122b998@mail.comcast.net>
References: <27681.1179007980@sss.pgh.pa.us>
	<3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
	<26573.1179003592@sss.pgh.pa.us>
	<27681.1179007980@sss.pgh.pa.us>
	<3.0.6.32.20070512224535.0122b998@mail.comcast.net>
Message-ID: <1984.1179025044@sss.pgh.pa.us>

Glenn Randers-Pehrson writes:
> At 09:01 PM 5/12/2007 -0400, Tom Lane wrote:
>> Nevermind, I made my own (attached if you need it).

> Yours doesn't do anything to any of my applications.

Argh, that's because I posted the wrong version --- that one doesn't
actually have a bad CRC :-(. Here's the one I meant to post.

regards, tom lane

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 958 bytes
Desc: bad-trns.png

From glennrp at comcast.net Mon May 14 09:32:29 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Mon, 14 May 2007 05:32:29 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <26573.1179003592@sss.pgh.pa.us>
References: <3.0.6.32.20070512012527.011f4368@mail.comcast.net>
	<3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
Message-ID: <3.0.6.32.20070514053229.0122fff8@mail.comcast.net>

At 04:59 PM 5/12/2007 -0400, Tom Lane wrote:
>It might be best to stick with the 15th

OK, tomorrow, 15th, it is. I'll notify CERT.

Glenn

From glennrp at comcast.net Mon May 14 09:53:18 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Mon, 14 May 2007 05:53:18 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070514053229.0122fff8@mail.comcast.net>
References: <26573.1179003592@sss.pgh.pa.us>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
	<3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
Message-ID: <3.0.6.32.20070514055318.018d89b0@mail.comcast.net>

Here is a draft advisory. It's pretty much the same as my original
announcement except that the fix is presented as a patch. Tom, I think
"grayscale" is correct. If you examine the code in png_handle_tRNS,
that's the only path to send a correct value of num_trans back to
libpng. Your revised PNG file does not seem to cause any crashes for
me, other than the expected behavior when you get a png_error().

Glenn

Libpng-1.2.16-ADVISORY.txt:

Libpng Security Advisory
15 May 2007

A grayscale PNG image with a malformed (bad CRC) tRNS chunk will crash
some libpng applications. This vulnerability could be used to crash a
browser when a user tries to view such a malformed PNG file. It is not
known whether the vulnerability could be exploited otherwise.

The reason is that png_ptr->num_trans is set to 1 and then there is an
error return after checking the CRC, so the trans[] array is never
allocated. Since png_ptr->num_trans is nonzero, libpng tries to use the
array later.

This bug was first introduced in libpng version 0.90, in 1996. All
versions from libpng-0.90 through libpng-1.2.16 are vulnerable.

Here is the fix, thanks to Mats Palmgren:

--- pngrutil.c_1.2.16	2007-05-11 23:11:55.395466000 -0500
+++ pngrutil.c	2007-05-14 04:37:32.101297000 -0500
@@ -1314,7 +1314,10 @@ } if (png_crc_finish(png_ptr, 0)) + { + png_ptr->num_trans = 0; return; + } png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, &(png_ptr->trans_values));

This patch can be applied to any vulnerable version of libpng.

Glenn Randers-Pehrson
PNG Development Group

From glennrp at comcast.net Mon May 14 11:51:45 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Mon, 14 May 2007 07:51:45 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070514055318.018d89b0@mail.comcast.net>
References: <3.0.6.32.20070514053229.0122fff8@mail.comcast.net>
	<26573.1179003592@sss.pgh.pa.us>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
	<3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
Message-ID: <3.0.6.32.20070514075145.0122b588@mail.comcast.net>

At 05:53 AM 5/14/2007 -0400, Glenn Randers-Pehrson wrote:
>Here is a draft advisory.

I'll add at the bottom of the advisory

  This vulnerability has been assigned the identifiers CVE-2007-2445
  and CERT VU#684664.

Glenn

From glennrp at comcast.net Mon May 14 14:41:49 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Mon, 14 May 2007 10:41:49 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070514053229.0122fff8@mail.comcast.net>
References: <26573.1179003592@sss.pgh.pa.us>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
	<3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
Message-ID: <3.0.6.32.20070514104149.0122f868@mail.comcast.net>

At 05:32 AM 5/14/2007 -0400, Glenn Randers-Pehrson wrote:
>At 04:59 PM 5/12/2007 -0400, Tom Lane wrote:
>
>>It might be best to stick with the 15th
>
>OK, tomorrow, 15th, it is. I'll notify CERT.

I had said noon but I have a commitment to be away from the computer
then. It'll be more like 4:00 PM EST.

Glenn
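Review bot: on the pngrutil.c hunk, resetting png_ptr->num_trans to 0 before the early return when png_crc_finish(png_ptr, 0) reports a bad CRC is the right repair for the state the advisory describes (num_trans was already set to 1 before the CRC was verified, so trans[] is never allocated and the later png_set_tRNS call is skipped); a slightly more robust shape would be to defer the num_trans assignment until after png_crc_finish() succeeds, so a CRC failure leaves no partially initialised transparency state to undo, and it is worth confirming that no other early-return path in png_handle_tRNS between the assignment and this check can exit with num_trans still nonzero.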
From newt at pobox.com Mon May 14 16:02:11 2007
From: newt at pobox.com (Greg Roelofs)
Date: Mon, 14 May 2007 09:02:11 -0700
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070514104149.0122f868@mail.comcast.net>
Message-ID: <200705141602.l4EG2BMd028494@bolt.sonic.net>

> I had said noon but I have a commitment to be away from the computer
> then. It'll be more like 4:00 PM EST.

Don't expect any miracles on the libpng.org front. It will be tomorrow
night at the very earliest, and quite possibly Wednesday night or
Thursday morning before I have a chance to update anything.

Greg

From glennrp at comcast.net Mon May 14 21:58:29 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Mon, 14 May 2007 17:58:29 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070514104149.0122f868@mail.comcast.net>
References: <3.0.6.32.20070514053229.0122fff8@mail.comcast.net>
	<26573.1179003592@sss.pgh.pa.us>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
	<3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
Message-ID: <3.0.6.32.20070514175829.0122fde0@mail.comcast.net>

At 10:41 AM 5/14/2007 -0400, Glenn Randers-Pehrson wrote:
>I had said noon but I have a commitment to be away from the computer
>then. It'll be more like 4:00 PM EST.

Whoops, that's EDT not EST.

Glenn

From tgl at sss.pgh.pa.us Wed May 16 21:39:57 2007
From: tgl at sss.pgh.pa.us (Tom Lane)
Date: Wed, 16 May 2007 17:39:57 -0400
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <3.0.6.32.20070514055318.018d89b0@mail.comcast.net>
References: <26573.1179003592@sss.pgh.pa.us>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
	<3.0.6.32.20070512004749.018a5c98@mail.comcast.net>
	<3.0.6.32.20070512012527.011f4368@mail.comcast.net>
	<3.0.6.32.20070514055318.018d89b0@mail.comcast.net>
Message-ID: <7893.1179351597@sss.pgh.pa.us>

Glenn Randers-Pehrson writes:
> Here is a draft advisory. It's pretty much the same as my original
> announcement except that the fix is presented as a patch. Tom, I think
> "grayscale" is correct.

Well, I can crash firefox with a palette image and not with a grayscale
one ...

regards, tom lane

From newt at pobox.com Wed May 16 21:49:53 2007
From: newt at pobox.com (Greg Roelofs)
Date: Wed, 16 May 2007 14:49:53 -0700
Subject: [Png-mng-security] security bug in png_handle_tRNS
In-Reply-To: <7893.1179351597@sss.pgh.pa.us>
Message-ID: <200705162149.l4GLnrbV016410@bolt.sonic.net>

> Glenn Randers-Pehrson writes:
>> Here is a draft advisory. It's pretty much the same as my original
>> announcement except that the fix is presented as a patch. Tom, I think
>> "grayscale" is correct.

> Well, I can crash firefox with a palette image and not with a grayscale
> one ...

Huh, I missed that comment. Tom's correct--both test images are
definitely palette PNGs, and I believe I verified that both of them
crash XV in the expected way:

File: libpng-bad-tRNS-chunk-grp-bug374810.png (26695 bytes)
  chunk IHDR at offset 0x0000c, length 13
    200 x 200 image, 4-bit palette, non-interlaced
  chunk PLTE at offset 0x00025, length 48: 16 palette entries
  chunk tRNS at offset 0x00061, length 1: 1 transparency entry
    CRC error in chunk tRNS (computed 40e6d866, expected 40e6d80f)
ERRORS DETECTED in libpng-bad-tRNS-chunk-grp-bug374810.png

File: libpng-bad-tRNS-chunk-tgl.png (958 bytes)
  chunk IHDR at offset 0x0000c, length 13
    216 x 1 image, 8-bit palette, non-interlaced
  chunk PLTE at offset 0x00025, length 648: 216 palette entries
  chunk tRNS at offset 0x002b9, length 1: 1 transparency entry
    CRC error in chunk tRNS (computed 40e6d866, expected 40e6d865)
ERRORS DETECTED in libpng-bad-tRNS-chunk-tgl.png

Greg
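The pngcheck output Greg quotes above is the kind of check that catches a bad-CRC tRNS chunk before any decoder state is touched, which is the condition Glenn's num_trans reset restores after the fact. As an added example that is not from the thread, from libpng or from pngcheck, the following C program walks a PNG's chunks, recomputes each CRC as the PNG specification defines it, reports mismatches in pngcheck's style, and builds a small constructed palette PNG in memory with a deliberately wrong tRNS CRC to exercise itself; every name in it (png_crc32, first_bad_crc_chunk, build_sample, scan_sample) is this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-32 as the PNG specification defines it for chunks: reflected
   polynomial 0xEDB88320, preset 0xFFFFFFFF, final complement. */
uint32_t png_crc32(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
    }
    return c ^ 0xFFFFFFFFu;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

static const uint8_t png_sig[8] = {137, 80, 78, 71, 13, 10, 26, 10};
/* Walk every chunk and recompute its CRC (it covers the 4-byte type and the
   data, not the length). Prints each mismatch pngcheck-style and returns the
   offset of the first bad chunk's type field (pngcheck reports offsets the same
   way), 0 if all CRCs are good, or -1 for a non-PNG stream or truncated chunk. */
long first_bad_crc_chunk(const uint8_t *png, size_t len)
{
    if (len < 8 || memcmp(png, png_sig, 8) != 0)
        return -1;
    long first_bad = 0; size_t pos = 8;
    while (pos + 12 <= len) {
        uint32_t dlen = get_be32(png + pos);
        if (dlen > len - pos - 12) return -1;      /* chunk runs past the end */
        const uint8_t *type = png + pos + 4;
        uint32_t stored = get_be32(png + pos + 8 + dlen);
        uint32_t computed = png_crc32(type, 4 + dlen);
        if (stored != computed) {
            printf("CRC error in chunk %.4s at offset 0x%05lx (computed %08x, expected %08x)\n",
                   (const char *)type, (unsigned long)(pos + 4), (unsigned)computed, (unsigned)stored);
            if (first_bad == 0) first_bad = (long)(pos + 4);
        }
        if (memcmp(type, "IEND", 4) == 0)
            break;
        pos += 12 + dlen;
    }
    return first_bad;
}

/* Append one chunk; corrupt_crc flips the low bit of the stored CRC. */
static size_t put_chunk(uint8_t *out, size_t pos, const char *type,
                        const uint8_t *data, uint32_t dlen, int corrupt_crc)
{
    put_be32(out + pos, dlen);
    memcpy(out + pos + 4, type, 4);
    if (dlen)
        memcpy(out + pos + 8, data, dlen);
    uint32_t crc = png_crc32(out + pos + 4, 4 + dlen);
    put_be32(out + pos + 8 + dlen, corrupt_crc ? (crc ^ 1u) : crc);
    return pos + 12 + dlen;
}

/* Constructed sample (not one of the thread's test files): a 1x1 8-bit
   palette PNG with a one-entry tRNS chunk; IDAT is omitted because only
   chunk framing and CRCs are examined. Returns the stream length (73). */
size_t build_sample(uint8_t *out, int corrupt_trns)
{
    static const uint8_t ihdr[13] = {0, 0, 0, 1, 0, 0, 0, 1, 8, 3, 0, 0, 0};
    static const uint8_t plte[3] = {255, 0, 0};
    static const uint8_t trns[1] = {0};
    memcpy(out, png_sig, 8);
    size_t pos = put_chunk(out, 8, "IHDR", ihdr, 13, 0);
    pos = put_chunk(out, pos, "PLTE", plte, 3, 0);
    pos = put_chunk(out, pos, "tRNS", trns, 1, corrupt_trns);
    return put_chunk(out, pos, "IEND", NULL, 0, 0);
}

/* Build and scan the sample: 52 (the tRNS type field) when corrupted, else 0. */
long scan_sample(int corrupt_trns)
{
    uint8_t buf[128];
    return first_bad_crc_chunk(buf, build_sample(buf, corrupt_trns));
}

int main(void)
{
    printf("clean sample -> %ld\nbad tRNS CRC -> %ld\n", scan_sample(0), scan_sample(1));
    return 0;
}
```

To run it over a real file, read the file into a buffer and pass it to first_bad_crc_chunk; a nonzero return is the same condition pngcheck flags with "CRC error in chunk".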