Bug 480321 (CVE-2008-5907)

Summary: CVE-2008-5907 libpng,libpng10: Zeroing value of an arbitrary memory location in utilities for writing PNG files
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: bressers, tgl
Keywords: Security
Hardware: All
OS: Linux
URL: http://sourceforge.net/mailarchive/forum.php?thread_name=4B6F0239C13D0245820603C036D180BC79FBAA%40CABOTUKEXCH01.cabot.local&forum_name=png-mng-implement
Doc Type: Bug Fix
Last Closed: 2009-01-16 14:05:19 UTC

Description Jan Lieskovsky 2009-01-16 13:51:06 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5907 to
the following vulnerability:

The png_check_keyword function in pngwutil.c in libpng before 1.0.42,
and 1.2.x before 1.2.34, might allow context-dependent attackers to
set the value of an arbitrary memory location to zero via vectors
involving creation of crafted PNG files with keywords, related to an
implicit cast of the '\0' character constant to a NULL pointer. NOTE:
some sources incorrectly report this as a double free vulnerability.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907
http://openwall.com/lists/oss-security/2009/01/09/1
http://sourceforge.net/mailarchive/forum.php?thread_name=4B6F0239C13D0245820603C036D180BC79FBAA%40CABOTUKEXCH01.cabot.local&forum_name=png-mng-implement
http://libpng.sourceforge.net/index.html

Proposed patch from the reporter:
This should probably be:
(*new_key)[79] = '\0';
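The following is an added C demonstration (not code from the bug report or from libpng) of why the one-character fix matters. It models the truncation step of png_check_keyword() with a char ** output parameter; the defective statement new_key[79] = '\0' is reconstructed from the CVE wording and is an assumption, as are the helper names and the 80-slot pointer array that keeps the buggy store inside memory the program owns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define KEY_MAX 79   /* PNG keywords must be 1..79 characters */
struct outcome { size_t ret_len; size_t str_len; int slot79_nulled; };

/* Model of png_check_keyword()'s truncation step; new_key is the char **
 * through which the validated copy is returned. The defective statement is
 * reconstructed from the CVE wording (an assumption, not quoted from the
 * page): new_key[79] names a POINTER slot 79 pointers past the caller's
 * variable, and '\0' is a null pointer constant, so NULL lands there. */
static size_t check_keyword(const char *key, char **new_key, int fixed)
{
    size_t len = strlen(key);
    *new_key = malloc(len + 1);
    memcpy(*new_key, key, len + 1);
    if (len > KEY_MAX) {
        if (fixed)
            (*new_key)[79] = '\0'; /* reporter's fix: index the string */
        else
            new_key[79] = '\0';    /* BUG: zeroes a pointer, string untouched */
        len = KEY_MAX;
    }
    return len;
}

/* Run one variant on a constructed 100-byte keyword. slots[0] stands in for
 * the caller's output variable; slots[1..79] are padding so the buggy
 * variant's wild store lands in memory we own rather than somewhere arbitrary. */
static struct outcome run_case(int fixed)
{
    char *slots[80], sentinel = 'x', key[101];
    struct outcome o;
    for (int i = 0; i < 80; i++) slots[i] = &sentinel;
    memset(key, 'A', 100);
    key[100] = '\0';
    o.ret_len = check_keyword(key, slots, fixed);
    o.str_len = strlen(slots[0]);
    o.slot79_nulled = (slots[79] == NULL);
    free(slots[0]);
    return o;
}

int main(void)
{
    struct outcome b = run_case(0), f = run_case(1);
    printf("buggy: returned %zu, string %zu, slot79 nulled %d\n", b.ret_len, b.str_len, b.slot79_nulled);
    printf("fixed: returned %zu, string %zu, slot79 nulled %d\n", f.ret_len, f.str_len, f.slot79_nulled);
    return 0;
}
```

The buggy variant reports a length of 79 while the string it returned is still 100 bytes long, and the only thing it changed is a pointer 79 slots away from the output variable; the fixed variant actually terminates the keyword at 79 characters.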

Comment 1 Jan Lieskovsky 2009-01-16 13:52:31 UTC
This issue affects all versions of the libpng package, as shipped
with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

This issue affects all versions of the libpng and libpng10 packages,
as shipped with Fedora releases 9, 10 and devel.

Please fix.

Comment 2 Jan Lieskovsky 2009-01-16 14:05:19 UTC
Closing due to http://openwall.com/lists/oss-security/2009/01/09/1,
overlooked this part :(.

Comment 3 Josh Bressers 2009-02-11 14:14:39 UTC
Red Hat does not consider CVE-2008-5907 to be a security vulnerability.
The affected function, which validates the proper format of special keywords
in the chunks constructing the whole PNG image file, can be used only
for writing such improperly formatted keywords into the particular
chunks of the resulting PNG image format files, not for reading them.
Also, in typical usage the keywords being checked would be constant
strings in the applications, thus even less likely to trigger
the over-length error.