Bug 1045561 (CVE-2013-6954)
| Summary: | CVE-2013-6954 libpng: unhandled zero-length PLTE chunk or NULL palette | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | drizt72, erik-fedora, fedora-mingw, jkoncick, jkurik, jtrowbri, ktietz, le.businessman, lfarkas, paul, pfrields, phracek, rdieter, rjones, squ, thoger |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | libpng 1.6.8 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-02-11 05:03:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1056853, 1056854, 1056855, 1056856, 1056857, 1056858, 1056859, 1056860, 1056861, 1056863, 1056864 | | |
| Bug Blocks: | 1045564, 1082776 | | |
| Attachments: | | | |
Description
Vincent Danen
2013-12-20 18:02:47 UTC
In Fedora we have currently libpng 1.6.8. https://bugzilla.redhat.com/show_bug.cgi?id=1033049 When the BZ for RHEL7 and older will be created, then libpng will be patched.

Created mingw-libpng tracking bugs for this issue:
Affects: fedora-19 [bug 1056858]
Affects: fedora-20 [bug 1056859]

Created mingw32-libpng tracking bugs for this issue:
Affects: epel-all [bug 1056860]

Created libpng tracking bugs for this issue:
Affects: fedora-20 [bug 1056853]
Affects: fedora-19 [bug 1056854]

Created libpng10 tracking bugs for this issue:
Affects: fedora-all [bug 1056857]
Affects: epel-6 [bug 1056861]

Created libpng12 tracking bugs for this issue:
Affects: fedora-all [bug 1056856]

Created libpng15 tracking bugs for this issue:
Affects: fedora-20 [bug 1056855]

Does anyone have a reproducer image for the null/empty palette issues, so I can test a fix for libpng10 (which has slightly different code)?

libpng10-1.0.60-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

libpng10-1.0.60-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 860584 [details]
tarball with testcase

Had to put the file in a tarball as firefox was trying to preview and crashing as expected.
Upstream tells me that only libpng 1.6.1 to 1.6.7 were affected by this issue.

I've just tried an unpatched libpng 1.0.61 with xv, which had no problem loading the testcase image.

Based on the reproducer posted in comment #19, it seems that this issue only affects libpng-1.6. It does not affect older versions of libpng.

Statement:

Not Vulnerable. This issue does not affect the version of libpng as shipped with Red Hat Enterprise Linux 5 and 6.

libpng10-1.0.61-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

mingw-libpng-1.6.10-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Analysis:

libpng-1.2:
===========

png_set_PLTE() is called with the values num_palette=0. Later at:

```c
454    if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
```

checks the bounds of num_palette; there is no checking for num_palette=0 though. Then memory is malloced for the png_ptr->palette structure at:

```c
477    png_ptr->palette = (png_colorp)png_calloc(png_ptr,
478        PNG_MAX_PALETTE_LENGTH * png_sizeof(png_color));
```

This mallocs 256 * 3 bytes of memory into the png_ptr->palette structure. Later at:

```c
479    png_memcpy(png_ptr->palette, palette, num_palette * png_sizeof(png_color));
```

zero bytes are copied into png_ptr->palette because num_palette = 0, so this memcpy looks like:

```c
png_memcpy(png_ptr->palette, palette, 0)
```

So png_ptr->palette is filled with 256 * 3 zeros (due to calloc). Later, when this structure is referenced in png_do_expand_palette(), the output is zero and there is no crash.

libpng 1.6:
===========

Here in png_set_PLTE() there is a check for num_palette = 0 at:

```c
523    if ((num_palette > 0 && palette == NULL) ||
524        (num_palette == 0
525 #      ifdef PNG_MNG_FEATURES_SUPPORTED
526        && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
527 #      endif
528        ))
529    {
530       png_chunk_report(png_ptr, "Invalid palette", PNG_CHUNK_ERROR);
531       return;
532    }
```

So when num_palette is zero, a warning is printed and the function exits. However, no memory is malloced for the png_ptr->palette structure, and it's pointing to zero. Later, when it's referenced in png_do_expand_palette(), there is a null pointer deref and it crashes.

This issue has been addressed in following products:

Oracle Java for Red Hat Enterprise Linux 6
Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0413 https://rhn.redhat.com/errata/RHSA-2014-0413.html

This issue has been addressed in following products:

Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2014:0412 https://rhn.redhat.com/errata/RHSA-2014-0412.html

OpenJDK upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/df3f9871ee6f

This issue has been addressed in following products:

Oracle Java for Red Hat Enterprise Linux 6
Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html

This issue has been addressed in following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0486 https://rhn.redhat.com/errata/RHSA-2014-0486.html

This issue has been addressed in following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0508 https://rhn.redhat.com/errata/RHSA-2014-0508.html

*** Bug 1106391 has been marked as a duplicate of this bug. ***

This issue has been addressed in following products:

Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2014:0705 https://rhn.redhat.com/errata/RHSA-2014-0705.html

This issue has been addressed in following products:

Red Hat Network Satellite Server v 5.4
Red Hat Network Satellite Server v 5.5
Red Hat Satellite Server v 5.6

Via RHSA-2014:0982 https://rhn.redhat.com/errata/RHSA-2014-0982.html
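The zero-length PLTE condition from the analysis in this bug, as an added pre-filter that is neither libpng code nor anything from the attached testcase: a small Python chunk walker that verifies PNG framing and CRCs, applies the same palette bounds that png_set_PLTE checks, and reports an empty PLTE before an image reaches a libpng 1.6.1 to 1.6.7 decoder. The two sample images at the bottom are constructed inline for the check.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_MAX_PALETTE_LENGTH = 256  # the bound png_set_PLTE enforces


def make_chunk(ctype, body):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, data) for each chunk, checking framing and CRC."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc_bytes)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        yield ctype, body
        pos += 12 + length


def check_plte(data):
    """Return findings about PLTE chunks; an empty list means they look sane."""
    findings = []
    for ctype, body in iter_chunks(data):
        if ctype != b"PLTE":
            continue
        if len(body) == 0:
            # libpng 1.6.1-1.6.7: png_set_PLTE returns without allocating, so
            # png_do_expand_palette later dereferences a NULL png_ptr->palette.
            findings.append("zero-length PLTE chunk")
        elif len(body) % 3:
            findings.append("PLTE length %d not a multiple of 3" % len(body))
        elif len(body) // 3 > PNG_MAX_PALETTE_LENGTH:
            findings.append("PLTE has %d entries, max is 256" % (len(body) // 3))
    return findings


# Constructed samples: 1x1, 8-bit, colour type 3 (indexed), empty vs. one-entry PLTE.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0))
IDAT = make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one index
IEND = make_chunk(b"IEND", b"")
EMPTY_PLTE_PNG = PNG_SIGNATURE + IHDR + make_chunk(b"PLTE", b"") + IDAT + IEND
GOOD_PNG = PNG_SIGNATURE + IHDR + make_chunk(b"PLTE", b"\xff\x00\x00") + IDAT + IEND
```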