Bug #7306 “[CAN-2004-0597, CAN-2004-0598, CAN-2004-0599] stack-b...” : Bugs : libpng package : Ubuntu

Revision history for this message

In Debian Bug tracker #263500, J.H.M. Dassen (Ray) (fsmla) wrote on 2004-08-04:

#1

On Wed, Aug 04, 2004 at 21:46:21 +0200, J.H.M. Dassen (Ray) wrote:
> CAN identifier(s): CAN-2004-0597 (the serious one), CAN-2004-0598,
> CAN-2004-0599

Advisories and updated packages are available for
Red Hat: http://freshmeat.net/articles/view/1260/
SuSE: http://freshmeat.net/articles/view/1262/

Ray
--
FUD for dummies by example in 21 days Lesson 3: use braindead analogies.
"Open source raises various security issues. How many banks will tell you
where their cameras are and where their vaults are?"
A Microsoft droid in http://www.zdnet.co.uk/news/1999/47/ns-11895.html

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-08-04:

#2

Automatically imported from Debian bug report #263500 http://bugs.debian.org/263500

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-08-04:

#3

Download full text (9.7 KiB)

Message-ID: <email address hidden>
Date: Wed, 4 Aug 2004 21:46:21 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: [CAN-2004-0597, CAN-2004-0598,
CAN-2004-0599] stack-based buffer overflow and other code concerns

Package: libpng, libpng3
Version: 1.2.5.0-6
Severity: grave
Tags: security upstream woody sarge sid patch
Justification: Remotely exploitable stack-based buffer overrun

http://scary.beasts.org/security/CESA-2004-001.txt :
------------------------------------------------------------------------------
CESA-2004-001 - rev 3

libPNG 1.2.5 stack-based buffer overflow and other code concerns
================================================================

Programs : libpng users including mozilla, konqueror, various e-mail
                   clients, generally lots. Also reports that some versions of
                   IE are vulnerable to some of the problems.
Severity : - A malicious website serving a malicious PNG file could
                     compromise the browsers of visitors.
                   - A malicious PNG could be sent via e-mail and compromise
                     the e-mail viewer of the recipient.
                   - For systems with user-providable images for "face
                     browsers", a local system compromise could be possible via
                     a malicious PNG.
CAN identifier(s): CAN-2004-0597 (the serious one), CAN-2004-0598,
                   CAN-2004-0599
CERT VU#s : VU#388984 (the serious one), VU#236656, VU#160448,
                   VU#477512, VU#817368, VU#286464

This advisory lists code flaws discovered by inspection of the libpng-1.2.5
code. Only the first one has been examined in practice to confirm
exploitability. The other flaws certainly warrant fixing.

A patch which should plug all these issues is appended beneath the advisory.
NOTE! This patch serves as demo purposes for the flaws only. An official
v1.2.6 libpng with an official, slightly different fix will be released by
the libpng team in parallel with this advisory.

1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS
(pngrutil.c)

If a PNG file is of the correct format, a length check on PNG data is missed
prior to filling a buffer on the stack from the PNG data. The exact flaw would
seem to be a logic error; failure to bail out of a function after a warning
condition is hit, here:

      if (!(png_ptr->mode & PNG_HAVE_PLTE))
      {
         /* Should be an error, but we can cope with it */
         png_warning(png_ptr, "Missing PLTE before tRNS");
      }
      else if (length > (png_uint_32)png_ptr->num_palette)
      {
         png_warning(png_ptr, "Incorrect tRNS chunk length");
         png_crc_finish(png_ptr, length);
         return;
      }

We can see, if the first warning condition is hit, the length check is missed
due to the use of an "else if".

A PNG crafted to trip this is available at
http://scary.beasts.org/misc/pngtest_bad.png

It crashes both mozilla and konqueror.
A scarier possibility is targetted exploitation by e-mailing a nasty PNG to
someone who uses a graphical e-mail client to...

Message-ID: <20040804194621.GA2049@xinara.org>
Date: Wed, 4 Aug 2004 21:46:21 +0200
From: "J.H.M. Dassen (Ray)" <fsmla@xinara.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CAN-2004-0597, CAN-2004-0598,
	CAN-2004-0599] stack-based buffer overflow and other code concerns

Package: libpng, libpng3
Version: 1.2.5.0-6
Severity: grave
Tags: security upstream woody sarge sid patch
Justification: Remotely exploitable stack-based buffer overrun

http://scary.beasts.org/security/CESA-2004-001.txt :
------------------------------------------------------------------------------
CESA-2004-001 - rev 3

libPNG 1.2.5 stack-based buffer overflow and other code concerns
================================================================

Programs         : libpng users including mozilla, konqueror, various e-mail
                   clients, generally lots. Also reports that some versions of
                   IE are vulnerable to some of the problems.
Severity         : - A malicious website serving a malicious PNG file could
                     compromise the browsers of visitors.
                   - A malicious PNG could be sent via e-mail and compromise
                     the e-mail viewer of the recipient.
                   - For systems with user-providable images for "face
                     browsers", a local system compromise could be possible via
                     a malicious PNG.
CAN identifier(s): CAN-2004-0597 (the serious one), CAN-2004-0598,
                   CAN-2004-0599
CERT VU#s        : VU#388984 (the serious one), VU#236656, VU#160448,
                   VU#477512, VU#817368, VU#286464

This advisory lists code flaws discovered by inspection of the libpng-1.2.5
code. Only the first one has been examined in practice to confirm
exploitability. The other flaws certainly warrant fixing.

A patch which should plug all these issues is appended beneath the advisory.
NOTE! This patch serves as demo purposes for the flaws only. An official
v1.2.6 libpng with an official, slightly different fix will be released by
the libpng team in parallel with this advisory.

1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS
(pngrutil.c)

If a PNG file is of the correct format, a length check on PNG data is missed
prior to filling a buffer on the stack from the PNG data. The exact flaw would
seem to be a logic error; failure to bail out of a function after a warning
condition is hit, here:

if (!(png_ptr->mode & PNG_HAVE_PLTE))
      {
         /* Should be an error, but we can cope with it */
         png_warning(png_ptr, "Missing PLTE before tRNS");
      }
      else if (length > (png_uint_32)png_ptr->num_palette)
      {
         png_warning(png_ptr, "Incorrect tRNS chunk length");
         png_crc_finish(png_ptr, length);
         return;
      }

We can see, if the first warning condition is hit, the length check is missed
due to the use of an "else if".

A PNG crafted to trip this is available at
http://scary.beasts.org/misc/pngtest_bad.png

It crashes both mozilla and konqueror.
A scarier possibility is targetted exploitation by e-mailing a nasty PNG to
someone who uses a graphical e-mail client to decode PNGs with a vulnerable
libpng.

2) Dangerous code in png_handle_sBIT (pngrutil.c) (Similar code in
png_handle_hIST).

Although seemingly not exploitable, there is dangerous code in this function.
It relies on checks scattered elsewhere in the code in order to not overflow
a 4-byte stack buffer. This line here should upper-bound the read onto the
stack to 4 bytes:

png_crc_read(png_ptr, buf, truelen);

3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) (this flaw is
duplicated in multiple other locations).

There are lots of lines such as these in the code:

chunkdata = (png_charp)png_malloc(png_ptr, length + 1);

Where "length" comes from the PNG. If length is set to UINT_MAX then length + 1 will equate to zero, leading to the PNG malloc routines to return NULL and
subsequent access to crash. These lengths are sometimes checked to ensure
they are smaller that INT_MAX, but it is not clear that all code paths perform
this check, i.e. png_push_read_chunk in pngpread.c does not do this check
(this is progressive reading mode as used by browsers).

4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c)

This isn't likely to cause problems in practice, but there's the possibility
of an integer overflow during this allocation:

new_palette.entries = (png_sPLT_entryp)png_malloc(
       png_ptr, new_palette.nentries * sizeof(png_sPLT_entry));

5) Integer overflow in png_read_png (pngread.c)

A PNG with excessive height may cause an integer overflow on a memory
allocation and subsequent crash allocating row pointers. This line is possibly
faulty; I can't see anywhere that enforces a maximum PNG height:

info_ptr->row_pointers = (png_bytepp)png_malloc(png_ptr,
         info_ptr->height * sizeof(png_bytep));

6) Integer overflows during progressive reading.

There are many lines like the following, which are prone to integer overflow:

if (png_ptr->push_length + 4 > png_ptr->buffer_size)

It is not clear how dangerous this is.

7) Other flaws.

There is broad potential for other integer overflows which I have not spotted -
the amount of integer arithmetic surrounding buffer handling is large,
unfortunately.

CESA-2004-001 - rev 3
Chris Evans
chris@scary.beasts.org

[Advertisement: I am interested in moving into a security related field
 full-time. E-mail me to discuss.]

diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h
--- libpng-1.2.5/png.h	2002-10-03 12:32:26.000000000 +0100
+++ libpng-1.2.5.fix/png.h	2004-07-13 23:18:10.000000000 +0100
@@ -835,6 +835,9 @@
 /* Maximum positive integer used in PNG is (2^31)-1 */
 #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
 
+/* Constraints on width, height, (2 ^ 24) - 1*/
+#define PNG_MAX_DIMENSION 16777215
+
 /* These describe the color_type field in png_info. */
 /* color type masks */
 #define PNG_COLOR_MASK_PALETTE    1
diff -ru libpng-1.2.5/pngpread.c libpng-1.2.5.fix/pngpread.c
--- libpng-1.2.5/pngpread.c	2002-10-03 12:32:28.000000000 +0100
+++ libpng-1.2.5.fix/pngpread.c	2004-07-13 23:03:58.000000000 +0100
@@ -209,6 +209,8 @@
 
       png_push_fill_buffer(png_ptr, chunk_length, 4);
       png_ptr->push_length = png_get_uint_32(chunk_length);
+      if (png_ptr->push_length > PNG_MAX_UINT)
+         png_error(png_ptr, "Invalid chunk length.");
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
@@ -638,6 +640,8 @@
 
       png_push_fill_buffer(png_ptr, chunk_length, 4);
       png_ptr->push_length = png_get_uint_32(chunk_length);
+      if (png_ptr->push_length > PNG_MAX_UINT)
+         png_error(png_ptr, "Invalid chunk length.");
 
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c
--- libpng-1.2.5/pngrutil.c	2004-07-13 13:36:37.000000000 +0100
+++ libpng-1.2.5.fix/pngrutil.c	2004-07-13 23:43:02.000000000 +0100
@@ -350,7 +350,11 @@
    png_crc_finish(png_ptr, 0);
 
    width = png_get_uint_32(buf);
+   if (width > PNG_MAX_DIMENSION)
+      png_error(png_ptr, "Width is too large");
    height = png_get_uint_32(buf + 4);
+   if (height > PNG_MAX_DIMENSION)
+      png_error(png_ptr, "Height is too large");
    bit_depth = buf[8];
    color_type = buf[9];
    compression_type = buf[10];
@@ -675,7 +679,7 @@
    else
       truelen = (png_size_t)png_ptr->channels;
 
-   if (length != truelen)
+   if (length != truelen || length > 4)
    {
       png_warning(png_ptr, "Incorrect sBIT chunk length");
       png_crc_finish(png_ptr, length);
@@ -1244,7 +1248,8 @@
          /* Should be an error, but we can cope with it */
          png_warning(png_ptr, "Missing PLTE before tRNS");
       }
-      else if (length > (png_uint_32)png_ptr->num_palette)
+      if (length > (png_uint_32)png_ptr->num_palette ||
+          length > PNG_MAX_PALETTE_LENGTH)
       {
          png_warning(png_ptr, "Incorrect tRNS chunk length");
          png_crc_finish(png_ptr, length);
@@ -1400,7 +1405,7 @@
 void /* PRIVATE */
 png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
 {
-   int num, i;
+   unsigned int num, i;
    png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
 
    png_debug(1, "in png_handle_hIST\n");
@@ -1426,8 +1431,8 @@
       return;
    }
 
-   num = (int)length / 2 ;
-   if (num != png_ptr->num_palette)
+   num = length / 2 ;
+   if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH)
    {
       png_warning(png_ptr, "Incorrect hIST chunk length");
       png_crc_finish(png_ptr, length);
@@ -2868,6 +2873,9 @@
                png_read_data(png_ptr, chunk_length, 4);
                png_ptr->idat_size = png_get_uint_32(chunk_length);
 
+               if (png_ptr->idat_size > PNG_MAX_UINT)
+                  png_error(png_ptr, "Invalid chunk length.");
+            
                png_reset_crc(png_ptr);
                png_crc_read(png_ptr, png_ptr->chunk_name, 4);
                if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4))
------------------------------------------------------------------------------

libpng 1.2.6rc1 (available from http://sourceforge.net/projects/libpng)
addresses part of these issues.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (800, 'unstable'), (750, 'experimental'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-rc5
Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1

Versions of packages libpng12-0 depends on:
ii  libc6                       2.3.2.ds1-14 GNU C Library: Shared libraries an
ii  zlib1g                      1:1.2.1.1-5  compression library - runtime

-- no debconf information
-- 
Obsig: developing a new sig

Revision history for this message

In Debian Bug tracker #263500, Matt Zimmerman (mdz) wrote on 2004-08-04: DSA

#4

The advisory is nearly ready to go out, waiting on one last mips build.

--
- mdz

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-08-04:

#5

Message-ID: <email address hidden>
Date: Wed, 4 Aug 2004 22:51:53 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: <email address hidden>
Subject: Re: [CAN-2004-0597, CAN-2004-0598,
CAN-2004-0599] stack-based buffer overflow and other code concerns

On Wed, Aug 04, 2004 at 21:46:21 +0200, J.H.M. Dassen (Ray) wrote:
> CAN identifier(s): CAN-2004-0597 (the serious one), CAN-2004-0598,
> CAN-2004-0599

Advisories and updated packages are available for
Red Hat: http://freshmeat.net/articles/view/1260/
SuSE: http://freshmeat.net/articles/view/1262/

Ray
--
FUD for dummies by example in 21 days Lesson 3: use braindead analogies.
"Open source raises various security issues. How many banks will tell you
where their cameras are and where their vaults are?"
A Microsoft droid in http://www.zdnet.co.uk/news/1999/47/ns-11895.html

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-08-04:

#6

Message-ID: <email address hidden>
Date: Wed, 4 Aug 2004 14:38:36 -0700
From: Matt Zimmerman <email address hidden>
To: <email address hidden>
Subject: DSA

The advisory is nearly ready to go out, waiting on one last mips build.

--
- mdz

Revision history for this message

In Debian Bug tracker #263500, J.H.M. Dassen (Ray) (fsmla) wrote on 2004-08-05:

#7

tags 263500 - woody
thanks

On Wed, Aug 04, 2004 at 21:46:21 +0200, J.H.M. Dassen (Ray) wrote:
> CAN identifier(s): CAN-2004-0597 (the serious one), CAN-2004-0598,
> CAN-2004-0599

Addressed by DSA 536-1.

Ray
--
For those Unix & Linux fanatics who're feeling left out, please forward this
message to everyone you know and delete a bunch of your files at random.
Julian Richardson's response to ILOVEYOU

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-08-05:

#8

Message-ID: <email address hidden>
Date: Thu, 5 Aug 2004 07:19:04 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: <email address hidden>
Subject: Re: [CAN-2004-0597, CAN-2004-0598,
CAN-2004-0599] stack-based buffer overflow and other code concerns

tags 263500 - woody
thanks

On Wed, Aug 04, 2004 at 21:46:21 +0200, J.H.M. Dassen (Ray) wrote:
> CAN identifier(s): CAN-2004-0597 (the serious one), CAN-2004-0598,
> CAN-2004-0599

Addressed by DSA 536-1.

Ray
--
For those Unix & Linux fanatics who're feeling left out, please forward this
message to everyone you know and delete a bunch of your files at random.
Julian Richardson's response to ILOVEYOU

Revision history for this message

In Debian Bug tracker #263500, Josselin Mouette (joss) wrote on 2004-08-05: Bug#263500: fixed in libpng3 1.2.5.0-7

#9

Download full text (3.6 KiB)

Source: libpng3
Source-Version: 1.2.5.0-7

We believe that the bug you reported is fixed in the latest version of
libpng3, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.5.0-7_i386.udeb
  to pool/main/libp/libpng3/libpng12-0-udeb_1.2.5.0-7_i386.udeb
libpng12-0_1.2.5.0-7_i386.deb
  to pool/main/libp/libpng3/libpng12-0_1.2.5.0-7_i386.deb
libpng12-dev_1.2.5.0-7_i386.deb
  to pool/main/libp/libpng3/libpng12-dev_1.2.5.0-7_i386.deb
libpng3-dev_1.2.5.0-7_all.deb
  to pool/main/libp/libpng3/libpng3-dev_1.2.5.0-7_all.deb
libpng3_1.2.5.0-7.diff.gz
  to pool/main/libp/libpng3/libpng3_1.2.5.0-7.diff.gz
libpng3_1.2.5.0-7.dsc
  to pool/main/libp/libpng3/libpng3_1.2.5.0-7.dsc
libpng3_1.2.5.0-7_all.deb
  to pool/main/libp/libpng3/libpng3_1.2.5.0-7_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <email address hidden> (supplier of updated libpng3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 5 Aug 2004 12:37:32 +0200
Source: libpng3
Binary: libpng3-dev libpng12-dev libpng12-0 libpng12-0-udeb libpng3
Architecture: source all i386
Version: 1.2.5.0-7
Distribution: unstable
Urgency: high
Maintainer: Josselin Mouette <email address hidden>
Changed-By: Josselin Mouette <email address hidden>
Description:
libpng12-0 - PNG library - runtime
libpng12-0-udeb - PNG library - minimal runtime library (udeb)
libpng12-dev - PNG library - development
libpng3 - PNG library - runtime
libpng3-dev - PNG library - development, compatibility package
Closes: 263500
Changes:
libpng3 (1.2.5.0-7) unstable; urgency=high
.
   * pngrtran.c: applied upstream patch 4 to fix incorrect calculation of
     buffer offsets [CAN-2004-0768].
   * png.h, pngpread.c, pngrutil.c: patch from Chris Evans
     <email address hidden> to fix several vulnerabilities (closes: #263500):
     + libpng fails to properly check length on PNG data [CAN-2004-0597].
     + libpng "png_handle_sBIT" does not perform proper checks to avoid stack
       buffer overflow [CAN-2004-0597].
     + libpng "png_handle_iCCP" possible NULL-pointer crash
       [CAN-2004-0598].
     + libpng "png_handle_sPLT" possible integer overflow
       [CAN-2004-0599].
     + libpng "png_read_png" does not properly handle a PNG with excessive
       height (integer overflow) [CAN-2004-0599].
     + libpng progressive reading integer overflow [CAN-2004-0599].
Files:
156ff5587d1ca56c3a3c1ec8c8238138 635 libs optional libpng3_1.2.5.0-7.dsc
688f6347dbee0df26e23705185502bca 13820 libs optional libpng3_1.2.5.0-7.diff.gz
c6664206b2830de36ca68835b46f5097 940 libs optional libpng3_1.2.5.0-7_all.deb
2cf77494dd1af5cb1731feed361ebb95 934 libdevel optional libpng3-dev_1.2.5.0-7_all.deb
713dfd2e484f2d762...

Message-Id: <E1BsgGE-0006j6-00@newraff.debian.org>
Date: Thu, 05 Aug 2004 07:18:14 -0400
From: Josselin Mouette <joss@debian.org>
To: 263500-close@bugs.debian.org
Subject: Bug#263500: fixed in libpng3 1.2.5.0-7

Source: libpng3
Source-Version: 1.2.5.0-7

We believe that the bug you reported is fixed in the latest version of
libpng3, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.5.0-7_i386.udeb
  to pool/main/libp/libpng3/libpng12-0-udeb_1.2.5.0-7_i386.udeb
libpng12-0_1.2.5.0-7_i386.deb
  to pool/main/libp/libpng3/libpng12-0_1.2.5.0-7_i386.deb
libpng12-dev_1.2.5.0-7_i386.deb
  to pool/main/libp/libpng3/libpng12-dev_1.2.5.0-7_i386.deb
libpng3-dev_1.2.5.0-7_all.deb
  to pool/main/libp/libpng3/libpng3-dev_1.2.5.0-7_all.deb
libpng3_1.2.5.0-7.diff.gz
  to pool/main/libp/libpng3/libpng3_1.2.5.0-7.diff.gz
libpng3_1.2.5.0-7.dsc
  to pool/main/libp/libpng3/libpng3_1.2.5.0-7.dsc
libpng3_1.2.5.0-7_all.deb
  to pool/main/libp/libpng3/libpng3_1.2.5.0-7_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 263500@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <joss@debian.org> (supplier of updated libpng3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  5 Aug 2004 12:37:32 +0200
Source: libpng3
Binary: libpng3-dev libpng12-dev libpng12-0 libpng12-0-udeb libpng3
Architecture: source all i386
Version: 1.2.5.0-7
Distribution: unstable
Urgency: high
Maintainer: Josselin Mouette <joss@debian.org>
Changed-By: Josselin Mouette <joss@debian.org>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
 libpng3-dev - PNG library - development, compatibility package
Closes: 263500
Changes: 
 libpng3 (1.2.5.0-7) unstable; urgency=high
 .
   * pngrtran.c: applied upstream patch 4 to fix incorrect calculation of
     buffer offsets [CAN-2004-0768].
   * png.h, pngpread.c, pngrutil.c: patch from Chris Evans
     <chris@scary.beasts.org> to fix several vulnerabilities (closes: #263500):
     + libpng fails to properly check length on PNG data [CAN-2004-0597].
     + libpng "png_handle_sBIT" does not perform proper checks to avoid stack
       buffer overflow [CAN-2004-0597].
     + libpng "png_handle_iCCP" possible NULL-pointer crash
       [CAN-2004-0598].
     + libpng "png_handle_sPLT" possible integer overflow
       [CAN-2004-0599].
     + libpng "png_read_png" does not properly handle a PNG with excessive
       height (integer overflow) [CAN-2004-0599].
     + libpng progressive reading integer overflow [CAN-2004-0599].
Files: 
 156ff5587d1ca56c3a3c1ec8c8238138 635 libs optional libpng3_1.2.5.0-7.dsc
 688f6347dbee0df26e23705185502bca 13820 libs optional libpng3_1.2.5.0-7.diff.gz
 c6664206b2830de36ca68835b46f5097 940 libs optional libpng3_1.2.5.0-7_all.deb
 2cf77494dd1af5cb1731feed361ebb95 934 libdevel optional libpng3-dev_1.2.5.0-7_all.deb
 713dfd2e484f2d762d6864f024ff5eff 110100 libs optional libpng12-0_1.2.5.0-7_i386.deb
 83d090e3cc2782f054aa4680ef3711fa 238510 libdevel optional libpng12-dev_1.2.5.0-7_i386.deb
 4ca10db90ca9d491ce26b8094a8e0ce1 71140 debian-installer optional libpng12-0-udeb_1.2.5.0-7_i386.udeb
package-type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBEhQRrSla4ddfhTMRAroiAKCc8R1qMK+4AZEd1bhZT5b7krtjHwCfVY5z
/yAj+zrbkAfBgBNzAlgfu60=
=UbVb
-----END PGP SIGNATURE-----

Revision history for this message

In Debian Bug tracker #263500, J.H.M. Dassen (Ray) (fsmla) wrote on 2004-08-05: Re: Bug#263500 acknowledged by developer (Bug#263500: fixed in libpng3 1.2.5.0-7)

#11

reopen 263500
tags 263500 - sid
thanks

On Thu, Aug 05, 2004 at 04:33:16 -0700, Debian Bug Tracking System wrote:
> We believe that the bug you reported is fixed in the latest version of
> libpng3, which is due to be installed in the Debian FTP archive:

This fix still needs to make it into sarge.
--
Obsig: developing a new sig

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-08-05:

#12

Message-ID: <email address hidden>
Date: Thu, 5 Aug 2004 15:41:24 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: <email address hidden>
Cc: Josselin Mouette <email address hidden>
Subject: Re: Bug#263500 acknowledged by developer (Bug#263500: fixed in libpng3 1.2.5.0-7)

reopen 263500
tags 263500 - sid
thanks

On Thu, Aug 05, 2004 at 04:33:16 -0700, Debian Bug Tracking System wrote:
> We believe that the bug you reported is fixed in the latest version of
> libpng3, which is due to be installed in the Debian FTP archive:

This fix still needs to make it into sarge.
--
Obsig: developing a new sig

Revision history for this message

In Debian Bug tracker #263500, J.H.M. Dassen (Ray) (fsmla) wrote on 2004-08-14:

#13

On Thu, Aug 05, 2004 at 15:41:24 +0200, J.H.M. Dassen (Ray) wrote:
> This fix still needs to make it into sarge.

"libpng3 has the latest version in testing (1.2.5.0-7)"
"libpng has the latest version in testing (1.0.15-6)"
--
Pinky, Are You Pondering What I'm Pondering?
I think so Brain, but if we give peas a chance, won't the lima beans feel
left out?
Pinky and the Brain in "All You Need Is Narf"

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-08-14:

#14

Message-ID: <email address hidden>
Date: Sat, 14 Aug 2004 19:27:37 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: <email address hidden>
Subject: Re: Bug#263500 acknowledged by developer (Bug#263500: fixed in libpng3 1.2.5.0-7)

On Thu, Aug 05, 2004 at 15:41:24 +0200, J.H.M. Dassen (Ray) wrote:
> This fix still needs to make it into sarge.

"libpng3 has the latest version in testing (1.2.5.0-7)"
"libpng has the latest version in testing (1.0.15-6)"
--
Pinky, Are You Pondering What I'm Pondering?
I think so Brain, but if we give peas a chance, won't the lima beans feel
left out?
Pinky and the Brain in "All You Need Is Narf"

Revision history for this message

Fabio Massimo Di Nitto (fabbione) wrote on 2004-08-17:

#15

We already have the last version with security fixes

Revision history for this message

In Debian Bug tracker #263500, Gabriele Stilli (superenzima) wrote on 2004-08-20: libpng3: [CAN-2004-0597, CAN-2004-0598, CAN-2004-0599]

#16

Package: libpng3
Version: 1.2.5.0-7
Followup-For: Bug #263500

Hi. Are those bugs really solved by the last upgrade?

I've upgraded all the relevant software and libraries to the latest versions
in Sarge, but still Galeon and Mozilla keep crashing on the testing PNG:

http://scary.beasts.org/misc/pngtest_bad.png

Whose fault is it? Did I miss something?

Thank you,
Gabriele :-)

ii libpng12-0 1.2.5.0-7 PNG library - runtime

-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.6
Locale: LANG=it_IT@euro, LC_CTYPE=it_IT@euro (ignored: LC_ALL set to it_IT@euro)

Revision history for this message

In Debian Bug tracker #263500, Josselin Mouette (joss) wrote on 2004-08-20: Re: Bug#263500: libpng3: [CAN-2004-0597, CAN-2004-0598, CAN-2004-0599]

#17

Le vendredi 20 août 2004 à 13:44 +0200, Gabriele Stilli a écrit :
> Package: libpng3
> Version: 1.2.5.0-7
> Followup-For: Bug #263500
>
> Hi. Are those bugs really solved by the last upgrade?
>
> I've upgraded all the relevant software and libraries to the latest versions
> in Sarge, but still Galeon and Mozilla keep crashing on the testing PNG:
>
> http://scary.beasts.org/misc/pngtest_bad.png
>
> Whose fault is it? Did I miss something?

See #263612: mozilla uses its own copy of libpng.
--
.''`. Josselin Mouette /\./\
: :' : <email address hidden>
`. `' <email address hidden>
`- Debian GNU/Linux -- The power of freedom

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-08-20:

#18

Message-Id: <email address hidden>
Date: Fri, 20 Aug 2004 13:44:03 +0200
From: Gabriele Stilli <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libpng3: [CAN-2004-0597, CAN-2004-0598, CAN-2004-0599]

Package: libpng3
Version: 1.2.5.0-7
Followup-For: Bug #263500

Hi. Are those bugs really solved by the last upgrade?

I've upgraded all the relevant software and libraries to the latest versions
in Sarge, but still Galeon and Mozilla keep crashing on the testing PNG:

http://scary.beasts.org/misc/pngtest_bad.png

Whose fault is it? Did I miss something?

Thank you,
Gabriele :-)

ii libpng12-0 1.2.5.0-7 PNG library - runtime

-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.6
Locale: LANG=it_IT@euro, LC_CTYPE=it_IT@euro (ignored: LC_ALL set to it_IT@euro)

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-08-20:

#19

Message-Id: <email address hidden>
Date: Fri, 20 Aug 2004 15:00:16 +0200
From: Josselin Mouette <email address hidden>
To: Gabriele Stilli <email address hidden>, <email address hidden>
Subject: Re: Bug#263500: libpng3: [CAN-2004-0597, CAN-2004-0598,
CAN-2004-0599]

--=-bjqxKlMdyCfVfTpe7a9B
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Le vendredi 20 ao=C3=BBt 2004 =C3=A0 13:44 +0200, Gabriele Stilli a =C3=A9c=
rit :
> Package: libpng3
> Version: 1.2.5.0-7
> Followup-For: Bug #263500
>=20
> Hi. Are those bugs really solved by the last upgrade?
>=20
> I've upgraded all the relevant software and libraries to the latest versi=
ons
> in Sarge, but still Galeon and Mozilla keep crashing on the testing PNG:
>=20
> http://scary.beasts.org/misc/pngtest_bad.png
>=20
> Whose fault is it? Did I miss something?

See #263612: mozilla uses its own copy of libpng.
--=20
.''`. Josselin Mouette /\./\
: :' : <email address hidden>
`. `' <email address hidden>
`- Debian GNU/Linux -- The power of freedom

--=-bjqxKlMdyCfVfTpe7a9B
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: Ceci est une partie de message
=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?=

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQBBJfXfrSla4ddfhTMRAl5PAJ9WUZ5GzWI9l159bREFTde3tm8P0gCg7Xo+
WTp+qzQpmhtO5lYv2HAU14k=
=T9Vo
-----END PGP SIGNATURE-----

--=-bjqxKlMdyCfVfTpe7a9B--

Revision history for this message

In Debian Bug tracker #263500, Gabriele Stilli (superenzima) wrote on 2004-08-20: Re: libpng3: [CAN-2004-0597, CAN-2004-0598, CAN-2004-0599]

#20

venerdì 20 agosto 2004, alle 15:00, Josselin Mouette scrive:

> > Whose fault is it? Did I miss something?
>
> See #263612: mozilla uses its own copy of libpng.

Yes, I found it a few hours ago, continuing my investigation for the bug.
Should have thought better before :/

Thank you,
Gabriele :-)

--
http://www-studenti.dm.unipi.it/~stilli/ mailto:<email address hidden>
ICQ UIN: 159169930 [HT] Lothlorien F.C. (51042, VI.381)
Caccole Stellari Website: http://www.caccolestellari.com/
Gruppo Utenti Linux Pisa: http://www.gulp.linux.it/

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2004-08-20:

#21

Message-ID: <20040820154824.GA5824@camelot>
Date: Fri, 20 Aug 2004 17:48:24 +0200
From: Gabriele 'LightKnight' Stilli <email address hidden>
To: <email address hidden>
Subject: Re: libpng3: [CAN-2004-0597, CAN-2004-0598, CAN-2004-0599]

--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

venerd=EC 20 agosto 2004, alle 15:00, Josselin Mouette scrive:

> > Whose fault is it? Did I miss something?
>=20
> See #263612: mozilla uses its own copy of libpng.

Yes, I found it a few hours ago, continuing my investigation for the bug.
Should have thought better before :/

Thank you,
Gabriele :-)

--=20
http://www-studenti.dm.unipi.it/~stilli/ mailto:<email address hidden>
ICQ UIN: 159169930 [HT] Lothlorien F.C. (51042, VI.381)
Caccole Stellari Website: http://www.caccolestellari.com/
Gruppo Utenti Linux Pisa: http://www.gulp.linux.it/

--2oS5YaxWCcQjTEyO
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBJh1HQMzu5hmEH1wRAtOFAJ0boEgcW7KDRAb26ck4TzC7NWn+0ACfausO
GH8//gFD+hH05gqHjveEL4A=
=koTI
-----END PGP SIGNATURE-----

--2oS5YaxWCcQjTEyO--

Revision history for this message

Matt Zimmerman (mdz) wrote on 2004-08-23:

#22

*** Bug 7421 has been marked as a duplicate of this bug. ***

Revision history for this message

Matt Zimmerman (mdz) wrote on 2004-08-23:

#23

*** Bug 7359 has been marked as a duplicate of this bug. ***

Bug Watch Updater (bug-watch-updater) on 2006-09-27

Changed in libpng:
status:	Unknown → Fix Released

Affects		Status	Importance	Assigned to	Milestone
	libpng (Debian)	Fix Released	Unknown	debbugs #263500
	libpng (Ubuntu)	Invalid	High	Unassigned

Ubuntu
libpng package

[CAN-2004-0597, CAN-2004-0598, CAN-2004-0599] stack-based buffer overflow and other code concerns

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Remote bug watches

Ubuntulibpng package

[CAN-2004-0597, CAN-2004-0598, CAN-2004-0599] stack-based buffer overflow and other code concerns

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Remote bug watches

Ubuntu
libpng package