CVE-2008-1382: libpng zero-length chunks incorrect handling

Bug #217128 reported by Till Ulen
Affects            Status         Importance   Assigned to        Milestone
libpng (Ubuntu)    Fix Released   Undecided    Unassigned
  Dapper           Fix Released   Undecided    Jamie Strandboge
  Feisty           Won't Fix      Undecided    Unassigned
  Gutsy            Fix Released   Undecided    Jamie Strandboge
  Hardy            Fix Released   Undecided    Jamie Strandboge

Bug Description

From the oCERT advisory:

"Applications using libpng that install unknown chunk handlers, or copy unknown chunks, may be vulnerable to a security issue which may result in incorrect output, information leaks, crashes, or arbitrary code execution.

The issue involves libpng incorrectly handling zero length chunks which results in uninitialized memory affecting the control flow of the application."

Details:
http://www.ocert.org/advisories/ocert-2008-003.html
http://libpng.sourceforge.net/Advisory-1.2.26.txt

From the upstream advisory:

"We believe this is a rare circumstance. It occurs in "pngtest" that is a part of the libpng distribution, in pngcrush, and in recent versions of ImageMagick (6.2.5 through 6.4.0-4). We are not aware of any other vulnerable applications."

Ubuntu might be affected by this issue through ImageMagick version 6.3.7.9 in Hardy, the pngcrush package (in universe), or the pngtest.c example in the libpng12-0 package.
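The defect the advisory describes, a zero-length chunk leaving an unknown-chunk record uninitialized before a handler sees it, and the mitigation named in the changelog below ("initialize 'unknown' chunks"), as an added C example. This is not libpng's code: the png_chunk_t record, read_chunk, is_unknown_chunk and the sample byte stream are constructed here for illustration, and the chunk type "prIV" is made up.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One PNG chunk, shaped loosely like libpng's unknown-chunk record (assumed layout). */
typedef struct {
    char name[5];     /* 4-byte chunk type plus NUL */
    uint8_t *data;    /* NULL whenever size == 0, never a stale pointer */
    size_t size;
} png_chunk_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the chunk starting at buf[off]. Returns bytes consumed, or 0 on malformed input.
   The record is zeroed before anything else happens, so a zero-length chunk hands a
   handler {name, NULL, 0} instead of whatever the previous chunk (or the stack) left
   behind, which is the class of bug CVE-2008-1382 describes. */
size_t read_chunk(const uint8_t *buf, size_t len, size_t off, png_chunk_t *out) {
    memset(out, 0, sizeof *out);                 /* the fix: initialize unconditionally */
    if (off > len || len - off < 12) return 0;   /* need length(4) + type(4) + CRC(4) */
    uint32_t n = be32(buf + off);
    if (n > len - off - 12) return 0;            /* declared data must fit before the CRC */
    memcpy(out->name, buf + off + 4, 4);
    out->size = n;
    if (n > 0) {
        out->data = malloc(n);
        if (out->data == NULL) return 0;
        memcpy(out->data, buf + off + 8, n);
    }
    /* CRC verification is omitted to keep the example short. */
    return 12 + (size_t)n;
}

/* A chunk is "unknown" to this reader if it is not one of the critical types it handles. */
int is_unknown_chunk(const png_chunk_t *c) {
    static const char *known[] = { "IHDR", "PLTE", "IDAT", "IEND" };
    for (size_t i = 0; i < 4; i++)
        if (memcmp(c->name, known[i], 4) == 0) return 0;
    return 1;
}
/* Constructed sample stream: a zero-length private chunk "prIV" (made-up type), then IEND. */
static const uint8_t sample[] = {
    0, 0, 0, 0, 'p', 'r', 'I', 'V', 0, 0, 0, 0,                 /* len 0, type, CRC placeholder */
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0xAE, 0x42, 0x60, 0x82      /* len 0, IEND, its real CRC */
};
const uint8_t *sample_buf(void) { return sample; }
size_t sample_len(void) { return sizeof sample; }
```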

disabled.user (disabled.user-deactivatedaccount) wrote :

libpng12-0 is part of main in all stable releases.

Jamie Strandboge (jdstrand) wrote :

Intrepid has 1.2.27-1 and is not affected.

Changed in libpng:
status: New → Fix Released
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in libpng:
status: New → Won't Fix
Changed in libpng:
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libpng - 1.2.15~beta5-3ubuntu0.1

---------------
libpng (1.2.15~beta5-3ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #338027)
    - initialize pointers in pngread.c, pngrtans.c, pngset.c and example.c
    - CVE-2009-0040
  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #217128)
    - initialize "unknown" chunks in pngpread.c, pngrutil.c and pngset.c
    - CVE-2008-1382
  * SECURITY UPDATE: denial of service via off-by-one error
    - shorten tIME_string to 29 bytes in pngtest.c
    - CVE-2008-3964
  * SECURITY UPDATE: denial of service via incorrect memory assignment
    (LP: #324258)
    - update pngwutil.c to properly set new_key to NULL string
    - CVE-2008-5907
  * SECURITY UPDATE: denial of service via a crafted PNG image
    - fix for pngset.c to properly check palette size in png_set_hIST
    - CVE-2007-5268
  * SECURITY UPDATE: denial of service via a crafted PNG image
    - fix for pngpread.c and pngrutil.c to properly do bounds checking on read
      operations. Previous version only had a partial fix.
    - CVE-2007-5269

 -- Jamie Strandboge <email address hidden> Thu, 05 Mar 2009 06:39:46 -0600

Changed in libpng:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libpng - 1.2.15~beta5-2ubuntu0.2

---------------
libpng (1.2.15~beta5-2ubuntu0.2) gutsy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #338027)
    - initialize pointers in pngread.c, pngrtans.c, pngset.c and example.c
    - CVE-2009-0040
  * SECURITY UPDATE: denial of service and possible execution of arbitrary
    code via crafted image (LP: #217128)
    - initialize "unknown" chunks in pngpread.c, pngrutil.c and pngset.c
    - CVE-2008-1382
  * SECURITY UPDATE: denial of service via off-by-one error
    - shorten tIME_string to 29 bytes in pngtest.c
    - CVE-2008-3964
  * SECURITY UPDATE: denial of service via incorrect memory assignment
    (LP: #324258)
    - update pngwutil.c to properly set new_key to NULL string
    - CVE-2008-5907

 -- Jamie Strandboge <email address hidden> Thu, 05 Mar 2009 07:55:49 -0600

Changed in libpng:
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :
Changed in libpng:
status: In Progress → Fix Released