Bug 1733956 (CVE-2017-12652)
Summary: | CVE-2017-12652 libpng: does not check length of chunks against user limit | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | nforro, phracek, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | libpng 1.6.32 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-09-29 21:58:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1744870, 1744871 | | |
Bug Blocks: | 1733957 | | |
Description
Dhananjay Arunesh
2019-07-29 10:29:44 UTC
Analysis:

As per http://www.libpng.org/pub/png/libpng-manual.txt :

"The PNG specification allows the width and height of an image to be as large as 2^31-1 (0x7fffffff), or about 2.147 billion rows and columns. For safety, libpng imposes a default limit of 1 million rows and columns. Larger images will be rejected immediately with a png_error() call. If you wish to change these limits, you can use png_set_user_limits(png_ptr, width_max, height_max); to set your own limits (libpng may reject some very wide images anyway because of potential buffer overflow conditions)."

A flaw was found in libpng where this limit was not checked by the library. This could potentially result in bigger images being parsed by the library (bigger sizes than imposed by the user_limit set earlier), which could result in DoS via memory exhaustion. This seems difficult to exploit, mainly because the attacker needs to be allowed to parse large images via an application compiled against libpng on the affected system.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:3901 https://access.redhat.com/errata/RHSA-2020:3901

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-12652
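
An added example, not part of the bug report and not libpng code: a stand-alone C pre-check that an application could run on untrusted input before handing it to the decoder, rejecting a file whose IHDR dimensions or declared chunk lengths exceed the application's own limits. The function name, error codes, the single limit applied to every chunk type, and the sample bytes are assumptions; CRCs are not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { PNG_OK = 0, PNG_BAD_SIG = -1, PNG_TRUNCATED = -2,
       PNG_BAD_IHDR = -3, PNG_DIM_LIMIT = -4, PNG_CHUNK_LIMIT = -5 };

/* Constructed samples (CRC fields zeroed): a 16x16 IHDR followed by one more chunk. */
static const uint8_t sample_ok[] = {
    0x89,'P','N','G','\r','\n',0x1a,'\n',
    0,0,0,13,'I','H','D','R', 0,0,0,16, 0,0,0,16, 8,2,0,0,0, 0,0,0,0,
    0,0,0,0,'I','E','N','D', 0,0,0,0 };
static const uint8_t sample_big_chunk[] = {   /* tEXt declares 0x10000000 bytes */
    0x89,'P','N','G','\r','\n',0x1a,'\n',
    0,0,0,13,'I','H','D','R', 0,0,0,16, 0,0,0,16, 8,2,0,0,0, 0,0,0,0,
    0x10,0,0,0,'t','E','X','t', 0,0,0,0 };

static uint32_t be32(const uint8_t *p) {      /* PNG integers are big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the chunk list and reject the file before any chunk body is allocated. */
int png_precheck(const uint8_t *buf, size_t len,
                 uint32_t max_w, uint32_t max_h, uint32_t max_chunk) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    size_t off = 8;
    int first = 1;
    if (len < 8 || memcmp(buf, sig, 8) != 0) return PNG_BAD_SIG;
    for (;;) {
        if (len - off < 12) return PNG_TRUNCATED;       /* length + type + CRC */
        uint32_t clen = be32(buf + off);
        const uint8_t *type = buf + off + 4;
        if (first) {                                    /* IHDR must come first */
            if (memcmp(type, "IHDR", 4) != 0 || clen != 13) return PNG_BAD_IHDR;
            if (len - off < 12 + 13) return PNG_TRUNCATED;
            uint32_t w = be32(buf + off + 8), h = be32(buf + off + 12);
            if (w == 0 || h == 0) return PNG_BAD_IHDR;
            if (w > max_w || h > max_h) return PNG_DIM_LIMIT;
            first = 0;
        }
        /* The declared length is attacker-controlled: compare it to the limit first. */
        if (clen > 0x7fffffffu || clen > max_chunk) return PNG_CHUNK_LIMIT;
        if (len - off - 12 < clen) return PNG_TRUNCATED;
        if (memcmp(type, "IEND", 4) == 0) return PNG_OK;
        off += 12 + (size_t)clen;
    }
}
```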