Bug 387431 (CVE-2007-5503)

Summary: CVE-2007-5503 cairo integer overflow
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: behdad, cworth, kreilly, mkoci, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,source=redhat,reported=20071107,public=20071129,cwe=CWE-190[auto]
Doc Type: Bug Fix
Last Closed: 2008-01-17 06:20:15 EST
Bug Depends On: 387521, 387531

Description Josh Bressers 2007-11-16 14:10:48 EST
Peter Valchev from the Google Security Team told the Cairo upstream project of
an integer overflow in the way Cairo decodes PNG image data.  To quote the mail
from Peter:

    As an example, cairo supports creating a new image surface from a PNG
    image file - see cairo-png.c, function
    cairo_image_surface_create_from_png().  It calls read_png(), where the
    input filename is parsed, and memory is allocated to hold the resulting
    surface as follows:

    cairo-png.c: read_png()
    png_get_IHDR (png, info,
                  &png_width, &png_height, &depth,
                  &color_type, &interlace, NULL, NULL);
    pixel_size = 4;
    data = malloc (png_width * png_height * pixel_size);

    Note that png_width and png_height come from libpng's IHDR. The image
    width and height are restricted in libpng's pngconf.h, and by default the
    restrictions are as follows:
    # define PNG_USER_WIDTH_MAX 1000000L
    # define PNG_USER_HEIGHT_MAX 1000000L

    so any width < 1000000 and height < 1000000 will pass through libpng,
    allowing an integer overflow in cairo's read_png() function above.

The upstream fix can be found here:
;a=commitdiff;h=5c7d2d14d78e4dfb1ef6d2c40f0910f177e07360
;a=commitdiff;h=e49bcde27f88e21d5b8037a0089a226096f6514b
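The width * height * pixel_size computation quoted above, reproduced as an added example that is not cairo's code and not part of this bug report. It models the allocation size with a 32-bit type, as on an ILP32 build where size_t is 32 bits wide, shows the product wrapping at the libpng limits Peter quotes, and puts an overflow-checked replacement next to it; the function names, the uint32_t modelling and the division-based checks are my own assumptions, not the upstream fix.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Limits from libpng's pngconf.h as quoted in the report: any image up to
 * 1000000 x 1000000 passes libpng's own dimension checks. */
#define PNG_USER_WIDTH_MAX  1000000UL
#define PNG_USER_HEIGHT_MAX 1000000UL

/* Allocation size computed the way the quoted read_png() did it. The size
 * type is modelled as uint32_t to mirror a 32-bit build; the product
 * silently wraps, so malloc() receives a value far smaller than the buffer
 * the decoder then writes into. (Hypothetical reconstruction, not cairo's
 * own code.) */
uint32_t unchecked_surface_bytes(uint32_t width, uint32_t height,
                                 uint32_t pixel_size)
{
    return width * height * pixel_size;
}

/* Hardened variant: returns true and stores the byte count only when
 * width * height * pixel_size is representable in the 32-bit size type.
 * Division-based tests keep the check portable C99 with no compiler
 * builtins. Zero dimensions are rejected as an invalid image rather than
 * turned into a zero-byte allocation. */
bool checked_surface_bytes(uint32_t width, uint32_t height,
                           uint32_t pixel_size, uint32_t *out)
{
    if (width == 0 || height == 0 || pixel_size == 0)
        return false;
    if (width > UINT32_MAX / height)      /* width * height would wrap */
        return false;
    uint32_t pixels = width * height;
    if (pixels > UINT32_MAX / pixel_size) /* pixels * pixel_size would wrap */
        return false;
    *out = pixels * pixel_size;
    return true;
}

/* Decoder-side decision for the 4-byte-per-pixel surface the report
 * describes: the byte count if the image is acceptable, 0 if the size
 * cannot be represented and the image must be refused. */
uint32_t surface_bytes_or_zero(uint32_t width, uint32_t height)
{
    uint32_t bytes;
    return checked_surface_bytes(width, height, 4, &bytes) ? bytes : 0;
}

int main(void)
{
    uint32_t bytes;

    /* Worst case libpng lets through: 1000000 x 1000000 x 4 is 4 TB, but
     * the 32-bit product wraps to roughly 1.3 GB. */
    printf("unchecked: %" PRIu32 " bytes\n",
           unchecked_surface_bytes(PNG_USER_WIDTH_MAX, PNG_USER_HEIGHT_MAX, 4));

    if (!checked_surface_bytes(PNG_USER_WIDTH_MAX, PNG_USER_HEIGHT_MAX, 4, &bytes))
        printf("checked:   rejected, size would overflow\n");

    /* An ordinary image is accepted with the exact byte count. */
    if (checked_surface_bytes(1024, 768, 4, &bytes))
        printf("checked:   1024x768x4 = %" PRIu32 " bytes\n", bytes);

    return 0;
}
```

The same pattern applies to a 64-bit size_t: the arithmetic does not wrap at the libpng limits there, but a decoder that later casts the byte count into an int stride or row offset still needs the representability check against that narrower type.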
Comment 4 Josh Bressers 2007-11-29 09:32:20 EST
Lifting embargo
Comment 6 Red Hat Product Security 2008-01-17 06:20:15 EST
This issue was addressed in:

Red Hat Enterprise Linux:


Comment 7 Fedora Update System 2008-01-18 19:00:26 EST
cairo-1.4.14-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.