[Png-mng-security] patch for zero-length unknown chunk bug

Glenn Randers-Pehrson glennrp at comcast.net
Wed Apr 9 14:26:10 UTC 2008


At 11:24 PM 4/7/2008 -0400, Tom Lane wrote:
>Glenn Randers-Pehrson <glennrp at comcast.net> writes:
>> At 05:54 PM 4/7/2008 +0000, Tavis Ormandy wrote:
>>> Thanks Glenn, I tested the patch here, it works perfectly. I allocated 
>>> CVE-2007-6070 for this issue, feel free to use it.
>
>> Do you see a need to handle this as a sensitive issue
>
>The above question went unanswered: how serious is this issue?

I believe it is only applications that use
png_set_keep_unknown_chunks() to keep unknown chunks "ALWAYS" or
"IF_SAFE" or that use png_set_read_user_chunk_fn() that are affected.

Those include pngtest and ImageMagick but are otherwise
probably rare.  I have not observed ImageMagick
crashing on the test files, so I'm not sure exactly what
is happening there.

So my answer is "probably not very serious".  That would mean that
on April 12 we can announce the vulnerability but could still go
through the normal 2-week beta+rc release schedule after that.

I would not mind hearing from some of you about results (positive or
negative) with important applications reading the test files at
<http://www.simplesystems.org/users/glennrp/zlunk>.

Glenn
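The affected code paths in the message above are the ones that retain or hand back unknown chunks, and the trigger is a chunk whose declared length is zero. The following is an added example, not code from this thread or from libpng itself: a small PNG chunk walker that treats a zero-length unknown chunk as the legitimate construct the PNG format allows, validates every length and CRC before trusting the data, and applies a keep policy modelled on the "NEVER" / "IF_SAFE" / "ALWAYS" choices named in the mail. The `KNOWN_CHUNKS` set, the policy strings, and the private chunk names `prVt` and `unSF` in the constructed sample file are assumptions made for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types this toy decoder understands; anything else is "unknown".
# (Assumed list for the example; a real decoder's set may differ.)
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA",
                b"cHRM", b"sRGB", b"iCCP", b"tEXt", b"zTXt", b"iTXt",
                b"bKGD", b"pHYs", b"sBIT", b"hIST", b"tIME", b"sPLT"}


def is_ancillary(ctype):
    # Bit 5 of the first type byte (lowercase letter) marks an ancillary chunk.
    return bool(ctype[0] & 0x20)


def is_safe_to_copy(ctype):
    # Bit 5 of the fourth type byte marks a chunk as safe-to-copy.
    return bool(ctype[3] & 0x20)


def make_chunk(ctype, body=b""):
    """Build one chunk: big-endian length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, body) for each chunk, checking bounds and CRC first.

    A zero-length chunk yields an empty body; the caller must never assume
    the body is non-empty, which is exactly the edge case discussed above.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if len(data) - pos < 12:  # length + type + CRC at minimum
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if length > 0x7FFFFFFF:  # PNG caps chunk length at 2^31 - 1
            raise ValueError("chunk length exceeds PNG limit")
        ctype = data[pos + 4:pos + 8]
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):  # body and CRC must both fit
            raise ValueError("truncated chunk body")
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        yield ctype, body
        pos = body_end + 4
        if ctype == b"IEND":
            break


def collect_unknown_chunks(data, keep="if_safe"):
    """Return the unknown chunks retained under a keep policy.

    keep is one of "never", "if_safe" or "always" (assumed names that mirror
    the NEVER / IF_SAFE / ALWAYS choices mentioned in the thread).
    """
    kept = []
    for ctype, body in iter_chunks(data):
        if ctype in KNOWN_CHUNKS:
            continue
        if not is_ancillary(ctype):
            # An unknown critical chunk cannot be skipped safely.
            raise ValueError(f"unknown critical chunk {ctype!r}")
        if keep == "always" or (keep == "if_safe" and is_safe_to_copy(ctype)):
            kept.append((ctype, body))  # body may legitimately be b""
    return kept


def is_wellformed_png(data):
    """True if every chunk parses within bounds and its CRC checks out."""
    try:
        for _ in iter_chunks(data):
            pass
        return True
    except ValueError:
        return False


def build_sample_png():
    """Constructed 1x1 greyscale PNG carrying a zero-length unknown chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"prVt")          # zero-length, ancillary, safe-to-copy
            + make_chunk(b"unSF", b"abc")  # ancillary, not safe-to-copy
            + make_chunk(b"IDAT", idat)
            + make_chunk(b"IEND"))


if __name__ == "__main__":
    sample = build_sample_png()
    for policy in ("never", "if_safe", "always"):
        print(policy, collect_unknown_chunks(sample, policy))
```

The walker refuses a chunk whose declared length runs past the end of the buffer and a chunk whose CRC does not match, so a callback that receives an unknown chunk sees only data that has already been bounds-checked; the zero-length case passes through as an empty body rather than as something the callback has to special-case.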


