Bug 387431 (CVE-2007-5503)

Summary: CVE-2007-5503 cairo integer overflow
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: behdad, cworth, kreilly, mkoci, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,source=redhat,reported=20071107,public=20071129,cwe=CWE-190[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-17 06:20:15 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 387521, 387531    
Bug Blocks:    

Description Josh Bressers 2007-11-16 14:10:48 EST
Peter Valchev from the Google Security Team told the Cairo upstream project of
an integer overflow in the way Cairo decodes PNG image data.  To quote the mail
from Peter:


    As an example, cairo supports creating a new image surface from a PNG
    image file - see cairo-png.c, function
    cairo_image_surface_create_from_png().  It calls read_png(), where the
    input filename is parsed, and memory is allocated to hold the resulting
    surface as follows:

    cairo-png.c: read_png()
    ..
    png_get_IHDR (png, info,
    &png_width, &png_height, &depth,
    &color_type, &interlace, NULL, NULL);
    ..
    pixel_size = 4;
    data = malloc (png_width * png_height * pixel_size);
    ..

    Note that png_width and png_height come from libpng's IHDR. The image
    width and height are restricted in libpng's pngconf.h, and by default the
    restrictions are as follows:
    # define PNG_USER_WIDTH_MAX 1000000L
    # define PNG_USER_HEIGHT_MAX 1000000L

    so any width < 1000000 and height < 1000000 will pass through libpng,
    allowing an integer overflow in cairo's read_png() function above.


The upstream fix can be found here:
http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=5c7d2d14d78e4dfb1ef6d2c40f0910f177e07360
http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=e49bcde27f88e21d5b8037a0089a226096f6514b
Comment 4 Josh Bressers 2007-11-29 09:32:20 EST
Lifting embargo
Comment 6 Red Hat Product Security 2008-01-17 06:20:15 EST
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-1078.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-3818
  https://admin.fedoraproject.org/updates/F8/FEDORA-2007-3913

Comment 7 Fedora Update System 2008-01-18 19:00:26 EST
cairo-1.4.14-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.