Bug 1733956 (CVE-2017-12652)

Summary: CVE-2017-12652 libpng: does not check length of chunks against user limit
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: nforro, phracek, yozone
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: libpng 1.6.32
Doc Type: If docs needed, set a value
Last Closed: 2020-09-29 21:58:20 UTC
Bug Depends On: 1744870, 1744871
Bug Blocks: 1733957

Description Dhananjay Arunesh 2019-07-29 10:29:44 UTC
A vulnerability was found in libpng before 1.6.32, which does not properly check the length of chunks against the user limit.

Reference:
https://github.com/glennrp/libpng/blob/df7e9dae0c4aac63d55361e35709c864fa1b8363/ANNOUNCE

Comment 1 Huzaifa S. Sidhpurwala 2019-07-30 05:48:12 UTC
Upstream commit: https://github.com/glennrp/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55

Comment 2 Huzaifa S. Sidhpurwala 2019-08-23 04:41:19 UTC
Analysis:

As per http://www.libpng.org/pub/png/libpng-manual.txt :

"The PNG specification allows the width and height of an image to be as large as 2^31-1 (0x7fffffff), or about 2.147 billion rows and columns. For safety, libpng imposes a default limit of 1 million rows and columns. Larger images will be rejected immediately with a png_error() call. If you wish to change these limits, you can use

   png_set_user_limits(png_ptr, width_max, height_max);

to set your own limits (libpng may reject some very wide images anyway because of potential buffer overflow conditions)."

A flaw was found in libpng where this limit was not checked by the library. This could potentially result in bigger images (larger than the user_limit set earlier) being parsed by the library, which could result in DoS via memory exhaustion.

This seems difficult to exploit, mainly because the attacker needs to be allowed to parse large images via an application compiled against libpng on the affected system.
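
The missing check this bug tracks, as an added example that is not part of the bug report, the upstream commit, or libpng's own code: a self-contained C chunk walker that applies a user cap on a single chunk's declared length (modelled on the limit libpng exposes through png_set_chunk_malloc_max()) before allocating the chunk body, beside what happens when no such cap is applied. Every name here (chunk_reader, check_chunk_length, walk_chunks, parse_with_limit) and both byte strings are constructed for this example; the IHDR CRC bytes are placeholders and CRCs are not verified.

```c
/* Added example, not libpng code: enforce a user chunk-length limit before
 * allocating for a chunk body. All identifiers are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PNG_UINT_31_MAX 0x7fffffffU  /* spec maximum for a chunk length */

enum { CHUNK_OK = 0, ERR_BAD_SIG, ERR_TRUNCATED, ERR_TOO_LARGE, ERR_OOM };

typedef struct {
    const uint8_t *buf;
    size_t len, pos;
    uint32_t chunk_malloc_max;  /* user cap on one chunk's data; 0 = spec cap only */
    size_t peak_alloc;          /* largest single allocation made for chunk data */
} chunk_reader;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The check the bug says was missing: the declared length must fit the user
 * limit (when one is set) as well as the spec cap, before anything is allocated. */
static int check_chunk_length(const chunk_reader *r, uint32_t length)
{
    uint32_t limit = PNG_UINT_31_MAX;
    if (r->chunk_malloc_max != 0 && r->chunk_malloc_max < limit)
        limit = r->chunk_malloc_max;
    return length > limit ? ERR_TOO_LARGE : CHUNK_OK;
}

/* Walk signature and chunks. A buffering reader allocates on the strength of the
 * declared length before it can see whether the data is really there, so a bad
 * length must be rejected before that point. CRCs are not verified here. */
static int walk_chunks(chunk_reader *r, size_t *chunks_seen)
{
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
    *chunks_seen = 0;
    r->peak_alloc = 0;
    if (r->len < 8 || memcmp(r->buf, sig, 8) != 0)
        return ERR_BAD_SIG;
    r->pos = 8;
    while (r->pos < r->len) {
        if (r->len - r->pos < 8)
            return ERR_TRUNCATED;
        uint32_t length = be32(r->buf + r->pos);
        const uint8_t *type = r->buf + r->pos + 4;
        r->pos += 8;

        int rc = check_chunk_length(r, length);
        if (rc != CHUNK_OK)
            return rc;

        /* Allocation happens here, driven only by the attacker-controlled length. */
        uint8_t *data = malloc(length ? length : 1);
        if (data == NULL)
            return ERR_OOM;
        if (length > r->peak_alloc)
            r->peak_alloc = length;

        /* Only now can the reader notice that body + 4-byte CRC are not present. */
        if (r->len - r->pos < (size_t)length + 4) {
            free(data);
            return ERR_TRUNCATED;
        }
        memcpy(data, r->buf + r->pos, length);
        free(data);
        r->pos += (size_t)length + 4;
        (*chunks_seen)++;
        if (memcmp(type, "IEND", 4) == 0)
            break;
    }
    return CHUNK_OK;
}

/* Constructed inputs (not real files): signature, a 13-byte IHDR for a 1x1
 * 8-bit grayscale image with placeholder CRC, then either IEND or an iCCP
 * chunk that declares 16 MiB of data but is followed by only 3 bytes. */
static const uint8_t BENIGN_PNG[] = {
    0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a,
    0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,0,0,0,0, 0,0,0,0,
    0,0,0,0, 'I','E','N','D', 0xae,0x42,0x60,0x82
};
static const uint8_t CRAFTED_PNG[] = {
    0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a,
    0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,0,0,0,0, 0,0,0,0,
    0x01,0,0,0, 'i','C','C','P', 'x','y','z'
};

/* Parse a buffer under a given user limit; returns the status code and reports
 * chunks parsed and the peak chunk allocation through the out-parameters. */
int parse_with_limit(const uint8_t *buf, size_t len, uint32_t chunk_malloc_max,
                     size_t *chunks_seen, size_t *peak_alloc)
{
    chunk_reader r = { buf, len, 0, chunk_malloc_max, 0 };
    int rc = walk_chunks(&r, chunks_seen);
    *peak_alloc = r.peak_alloc;
    return rc;
}

int main(void)
{
    size_t chunks, peak;
    int rc = parse_with_limit(CRAFTED_PNG, sizeof CRAFTED_PNG, 0, &chunks, &peak);
    printf("no user limit: rc=%d peak_alloc=%zu bytes from %zu input bytes\n",
           rc, peak, sizeof CRAFTED_PNG);
    rc = parse_with_limit(CRAFTED_PNG, sizeof CRAFTED_PNG, 1u << 20, &chunks, &peak);
    printf("1 MiB limit:   rc=%d peak_alloc=%zu bytes\n", rc, peak);
    return 0;
}
```

Without a user limit the 44-byte crafted input drives a 16 MiB allocation before the truncation is noticed, and a reader fed a stream of such chunks (or a larger declared length, up to the 2^31-1 spec cap) is the memory-exhaustion path the analysis above describes; with a 1 MiB limit the header check rejects the chunk before any allocation for it is made. Applying the limit in the chunk-header path, rather than inside individual chunk handlers, is what makes it cover every chunk type.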

Comment 6 errata-xmlrpc 2020-09-29 19:43:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3901 https://access.redhat.com/errata/RHSA-2020:3901

Comment 7 Product Security DevOps Team 2020-09-29 21:58:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-12652