Bug 1045561 (CVE-2013-6954)

Summary: CVE-2013-6954 libpng: unhandled zero-length PLTE chunk or NULL palette
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: drizt72, erik-fedora, fedora-mingw, jkoncick, jkurik, jtrowbri, ktietz, le.businessman, lfarkas, paul, pfrields, phracek, rdieter, rjones, squ, thoger
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libpng 1.6.8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-11 05:03:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1056853, 1056854, 1056855, 1056856, 1056857, 1056858, 1056859, 1056860, 1056861, 1056863, 1056864    
Bug Blocks: 1045564, 1082776    
Attachments:
tarball with testcase (Flags: none)

Description Vincent Danen 2013-12-20 18:02:47 UTC
libpng 1.6.8 was released [1] and notes the following fix:

Handle zero-length PLTE chunk or NULL palette with png_error() instead of png_chunk_report(), which by default issues a warning rather than an error, leading to later reading from a NULL pointer (png_ptr->palette) in png_do_expand_palette(). This is CVE-2013-6954 and VU#650142.

The git commit fixing this is available [3].

[1] http://sourceforge.net/projects/libpng/files/libpng16/1.6.8/Gnupg/
[2] http://www.kb.cert.org/vuls/id/650142
[3] http://sourceforge.net/p/libpng/code/ci/1faa6ff32c648acfe3cf30a58d31d7aebc24968c

Comment 1 Petr Hracek 2014-01-16 08:53:21 UTC
In Fedora we currently have libpng 1.6.8.
https://bugzilla.redhat.com/show_bug.cgi?id=1033049
When the BZ for RHEL7 and older is created, libpng will be patched.

Comment 7 Huzaifa S. Sidhpurwala 2014-01-23 04:46:08 UTC
Created mingw-libpng tracking bugs for this issue:

Affects: fedora-19 [bug 1056858]
Affects: fedora-20 [bug 1056859]

Comment 8 Huzaifa S. Sidhpurwala 2014-01-23 04:46:13 UTC
Created mingw32-libpng tracking bugs for this issue:

Affects: epel-all [bug 1056860]

Comment 9 Huzaifa S. Sidhpurwala 2014-01-23 04:46:17 UTC
Created libpng tracking bugs for this issue:

Affects: fedora-20 [bug 1056853]
Affects: fedora-19 [bug 1056854]

Comment 10 Huzaifa S. Sidhpurwala 2014-01-23 04:46:21 UTC
Created libpng10 tracking bugs for this issue:

Affects: fedora-all [bug 1056857]
Affects: epel-6 [bug 1056861]

Comment 11 Huzaifa S. Sidhpurwala 2014-01-23 04:46:25 UTC
Created libpng12 tracking bugs for this issue:

Affects: fedora-all [bug 1056856]

Comment 12 Huzaifa S. Sidhpurwala 2014-01-23 04:46:28 UTC
Created libpng15 tracking bugs for this issue:

Affects: fedora-20 [bug 1056855]

Comment 14 Paul Howarth 2014-01-23 13:06:13 UTC
Does anyone have a reproducer image for the null/empty palette issues, so I can test a fix for libpng10 (which has slightly different code)?

Comment 17 Fedora Update System 2014-02-07 03:08:54 UTC
libpng10-1.0.60-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2014-02-07 03:09:42 UTC
libpng10-1.0.60-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Tristan Matthews 2014-02-07 17:06:32 UTC
Created attachment 860584 [details]
tarball with testcase

Had to put the file in a tarball as firefox was trying to preview and crashing as expected.

Comment 20 Paul Howarth 2014-02-07 19:24:24 UTC
Upstream tells me that only libpng 1.6.1 to 1.6.7 were affected by this issue.

I've just tried an unpatched libpng 1.0.61 with xv, which had no problem loading the testcase image.

Comment 21 Huzaifa S. Sidhpurwala 2014-02-11 05:00:29 UTC
Based on the reproducer posted in comment #19, it seems that this issue only affects libpng-1.6. It does not affect older versions of libpng.

Statement:

Not Vulnerable. This issue does not affect the version of libpng as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 22 Fedora Update System 2014-02-24 05:58:08 UTC
libpng10-1.0.61-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2014-04-02 09:26:56 UTC
mingw-libpng-1.6.10-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Huzaifa S. Sidhpurwala 2014-04-10 08:21:40 UTC
Analysis:

libpng-1.2:
===========

png_set_PLTE() is called with num_palette=0. Later, at:

454    if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)

the bounds of num_palette are checked, but there is no check for num_palette=0.

Then memory is malloced for png_ptr->palette structure at:

 477    png_ptr->palette = (png_colorp)png_calloc(png_ptr,
 478       PNG_MAX_PALETTE_LENGTH * png_sizeof(png_color));

This mallocs 256 * 3 bytes of memory for the png_ptr->palette structure. Later, at:

 479    png_memcpy(png_ptr->palette, palette, num_palette * png_sizeof(png_color));

Here zero bytes are copied into png_ptr->palette because num_palette = 0, so this memcpy looks like:

png_memcpy(png_ptr->palette, palette, 0)

So png_ptr->palette is filled with 256 * 3 zeros (due to calloc).

Later, when this structure is referenced in png_do_expand_palette(), the output is zero and there is no crash.

libpng 1.6:
===========

Here in png_set_PLTE() there is a check for num_palette = 0 at:

 523    if ((num_palette > 0 && palette == NULL) ||
 524       (num_palette == 0
 525 #        ifdef PNG_MNG_FEATURES_SUPPORTED
 526             && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
 527 #        endif
 528       ))
 529    {
 530       png_chunk_report(png_ptr, "Invalid palette", PNG_CHUNK_ERROR);
 531       return;
 532    }

So when num_palette is zero, a warning is printed and the function exits. However, no memory is malloced for the png_ptr->palette structure, and it is left pointing to zero.

Later, when it's referenced in png_do_expand_palette(), there is a NULL pointer deref and it crashes.
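
As an added example (not code from the bug report or from libpng), the following C chunk walker rejects a PNG carrying the zero-length PLTE chunk that Comment 24 describes before the file reaches the decoder; the chunk layout comes from the PNG specification, the sample byte arrays are constructed here, and `check_plte`, `png_empty_plte` and `png_one_entry_plte` are names chosen for this example.

```c
/* Added example, not from the bug report or libpng: walk the chunk list of an
 * in-memory PNG and flag the zero-length PLTE chunk that crashes libpng 1.6.1
 * to 1.6.7 (CVE-2013-6954). PNG layout per the spec: 8-byte signature, then
 * chunks of [4-byte big-endian length][4-byte type][data][4-byte CRC]. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum plte_check { PLTE_OK = 0, PLTE_EMPTY, PLTE_BAD_LEN, PNG_MALFORMED };

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* PLTE_EMPTY: zero-length PLTE. PLTE_BAD_LEN: length not a multiple of 3 or over
 * 256 entries. PNG_MALFORMED: bad signature, chunk past buffer end, or no IEND. */
enum plte_check check_plte(const unsigned char *buf, size_t len) {
    static const unsigned char sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    size_t off = 8;
    if (len < 8 || memcmp(buf, sig, 8) != 0)
        return PNG_MALFORMED;
    while (off + 12 <= len) {                 /* length + type + CRC must fit */
        uint32_t clen = be32(buf + off);
        const unsigned char *type = buf + off + 4;
        if (clen > len - off - 12)            /* data would run past the end */
            return PNG_MALFORMED;
        if (memcmp(type, "PLTE", 4) == 0) {
            if (clen == 0)
                return PLTE_EMPTY;            /* the CVE-2013-6954 trigger */
            if (clen % 3 != 0 || clen / 3 > 256)
                return PLTE_BAD_LEN;
        }
        if (memcmp(type, "IEND", 4) == 0)
            return PLTE_OK;
        off += 12 + clen;                     /* CRCs are not verified here */
    }
    return PNG_MALFORMED;
}

/* Constructed samples: signature, 1x1 8-bit indexed IHDR, PLTE, IEND (CRC
 * fields zeroed). The first has an empty PLTE, the second one valid entry. */
const unsigned char png_empty_plte[] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 3, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 'P', 'L', 'T', 'E', 0, 0, 0, 0,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0 };
const unsigned char png_one_entry_plte[] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 3, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 3, 'P', 'L', 'T', 'E', 255, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0 };
```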

Comment 25 errata-xmlrpc 2014-04-17 09:30:51 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0413 https://rhn.redhat.com/errata/RHSA-2014-0413.html

Comment 26 errata-xmlrpc 2014-04-17 09:33:54 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2014:0412 https://rhn.redhat.com/errata/RHSA-2014-0412.html

Comment 27 Stefan Cornelius 2014-04-17 10:27:23 UTC
OpenJDK upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/df3f9871ee6f

Comment 28 errata-xmlrpc 2014-04-17 11:42:04 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html

Comment 29 errata-xmlrpc 2014-05-13 19:48:13 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0486 https://rhn.redhat.com/errata/RHSA-2014-0486.html

Comment 30 errata-xmlrpc 2014-05-15 17:29:34 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0508 https://rhn.redhat.com/errata/RHSA-2014-0508.html

Comment 31 Tomas Hoger 2014-06-09 09:07:33 UTC
*** Bug 1106391 has been marked as a duplicate of this bug. ***

Comment 32 errata-xmlrpc 2014-06-10 13:12:36 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2014:0705 https://rhn.redhat.com/errata/RHSA-2014-0705.html

Comment 33 errata-xmlrpc 2014-07-29 15:41:13 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2014:0982 https://rhn.redhat.com/errata/RHSA-2014-0982.html