[Png-mng-security] libpng-1.0.43 and libpng-1.2.35 ready to go

glennrp at comcast.net glennrp at comcast.net
Wed Feb 18 21:44:11 UTC 2009


Libpng-1.0.43 and libpng-1.2.35 are ready for release.  You can
preview them at

http://www.simplesystems.org/users/glennrp/sbo/lpng1235
http://www.simplesystems.org/users/glennrp/sbo/lpng1043

I've included an *ADVISORY* file and a patch set that
should work against versions since 1.0.19 and 1.2.9.

Here is the advisory:

Libpng-1.2.34 ADVISORY    19 February 2009

A vulnerability has been reported in libpng-1.2.34.

The bug is of the form

     malloc an array of N elements
     for (i=0; i<N; i++)
       malloc element[i];

If the application runs out of memory during the
loop, some of the element pointers will be uninitialized.
Libpng will then longjmp to a cleanup process that
attempts to free all of the elements in the array,
including the uninitialized ones.  This behavior
could be forced by a malevolent input.
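To make the pattern above concrete, here is a small added C program (illustration only, not libpng's code or its patch) that reproduces the allocation loop with a simulated out-of-memory condition and a longjmp-based error path modelled on libpng's, then runs the same cleanup loop over a pointer array allocated two ways: with plain malloc, as in the vulnerable code, and with calloc so every slot starts as NULL. The helper names (budget_malloc, png_malloc_stub, png_jmpbuf_stub, run_allocation, cleanup_rows), the POISON byte standing in for leftover heap contents, and the row counts are all constructed for the example. The cleanup counts slots that were never assigned rather than calling free() on them, since freeing them is the undefined behaviour the advisory describes.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROWS     8     /* constructed: number of elements in the array */
#define ROWBYTES 64    /* constructed: size of each element */
#define POISON   0xAA  /* constructed: deterministic stand-in for heap garbage */

static int alloc_budget;         /* successful allocations still allowed */
static jmp_buf png_jmpbuf_stub;  /* stands in for libpng's jmpbuf (hypothetical) */

/* Allocator that fails once the budget is exhausted: a simulated OOM. */
static void *budget_malloc(size_t size) {
    if (alloc_budget <= 0)
        return NULL;
    alloc_budget--;
    return malloc(size);
}

/* Like libpng's png_malloc(): on failure the error handler longjmps out. */
static void *png_malloc_stub(size_t size) {
    void *p = budget_malloc(size);
    if (p == NULL)
        longjmp(png_jmpbuf_stub, 1);
    return p;
}

/* Cleanup reached via longjmp. Frees every slot, as the vulnerable code does,
   except that a slot still holding POISON bytes (never assigned by the loop) is
   counted instead of freed, because free() on it would be undefined behaviour. */
static int cleanup_rows(void **rows) {
    unsigned char poisoned[sizeof(void *)];
    int bogus = 0;
    memset(poisoned, POISON, sizeof poisoned);
    for (int i = 0; i < ROWS; i++) {
        if (memcmp(&rows[i], poisoned, sizeof poisoned) == 0)
            bogus++;        /* uninitialized pointer: vulnerable path frees garbage */
        else
            free(rows[i]);  /* NULL or a real allocation: both safe to free */
    }
    free(rows);
    return bogus;
}

/* Runs the "malloc N, then malloc each element" pattern with the given budget of
   element allocations. zero_init selects the fix: calloc the pointer array so an
   aborted loop leaves NULL in the unfilled slots. Returns the number of garbage
   pointers the cleanup would have freed, or -1 if no OOM occurred. */
static int run_allocation(int zero_init, int budget) {
    void **rows;
    alloc_budget = budget;

    if (zero_init) {
        rows = calloc(ROWS, sizeof *rows);          /* fixed: slots start as NULL */
    } else {
        rows = malloc(ROWS * sizeof *rows);         /* vulnerable: slots hold garbage */
        if (rows != NULL)
            memset(rows, POISON, ROWS * sizeof *rows);  /* make the garbage visible */
    }
    if (rows == NULL)
        return -1;

    if (setjmp(png_jmpbuf_stub) != 0)
        return cleanup_rows(rows);                  /* error path after a failed malloc */

    for (int i = 0; i < ROWS; i++)
        rows[i] = png_malloc_stub(ROWBYTES);        /* may longjmp part-way through */

    for (int i = 0; i < ROWS; i++)                  /* no OOM: normal teardown */
        free(rows[i]);
    free(rows);
    return -1;
}

int main(void) {
    printf("malloc'd array, OOM after 3 elements: %d garbage pointers reach free()\n",
           run_allocation(0, 3));
    printf("calloc'd array, OOM after 3 elements: %d garbage pointers reach free()\n",
           run_allocation(1, 3));
    return 0;
}
```

With the malloc'd array and the allocator failing on the fourth element, five never-assigned slots reach the cleanup loop; with the calloc'd array the same failure leaves five NULLs, and free(NULL) is a no-op. That is why zero-initialising the pointer array before the loop (or keeping a count of successfully allocated elements and freeing only those) closes this class of bug regardless of which input triggered the allocation failure.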

There are 5 instances of the bug in libpng-1.2.34.
One is in png_read_png().  Only applications
that explicitly call png_read_png() are vulnerable.
Another is in the handler for the pCAL chunk.  Any
application that does not disable pCAL chunk handling
via a call to "set_keep_unknown_chunks()" is vulnerable.
Three others are in code that sets up 16-bit gamma
tables.  All applications are probably vulnerable
to these, even if they use png_set_strip_16() to
reduce 16-bit input to 8-bits, because of the order
in which libpng does its transformations.

In fact, all versions since libpng-0.89c contain
at least the 16-bit gamma-table bugs, and all
versions since libpng-1.0.6 contain the png_read_png()
bug.  The pCAL decoding bug has existed since
libpng-0.96.

The PNG group recommends upgrading to libpng-1.0.43
or libpng-1.2.35.  For persons wishing to continue
using older versions, we are providing a patch along
with the new libpng distributions that will work
against versions 1.0.19 through 1.0.42 and 1.2.9
through 1.2.34.  Anyone wishing to use still older
libpng versions will have to modify the patch slightly.
