Bug 486355 (CVE-2009-0040)
| Summary: | CVE-2009-0040 libpng arbitrary free() flaw | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Josh Bressers <bressers> | ||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | low | ||||||||
| Version: | unspecified | CC: | berrange, bnater, fedora-mingw, jlieskov, jrusnack, kreilly, kseifried, mjc, pasteur, paul, rjones, tgl, vdanen | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| URL: | http://213.203.218.125/l/li/libpng/libpng-1.2.34-ADVISORY.txt | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2011-09-30 23:41:38 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 487164, 487165, 487166, 487167, 487168, 487169, 487170, 487171, 487172, 537849, 802164 | ||||||||
| Bug Blocks: | |||||||||
| Attachments: |
|
||||||||
Created attachment 332560 [details]
Upstream advisory for posterity
Created attachment 332781 [details]
Upstream patch to fix the issue
mingw32-libpng-1.2.35-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/mingw32-libpng-1.2.35-1.fc10 Thanks for the heads up on this. I have rebuilt the mingw32-libpng package in Rawhide, F-10 and EL-5. Upstream release 1.0.43 addresses this issue for libpng10. Rawhide is already updated, and updates for F-9 and F-10 are currently in updates-testing. https://admin.fedoraproject.org/updates/F9/FEDORA-2009-2045 https://admin.fedoraproject.org/updates/F10/FEDORA-2009-1976 libpng-1.2.35-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. libpng-1.2.35-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. mingw32-libpng-1.2.35-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. libpng10-1.0.43-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. libpng10-1.0.43-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. thunderbird-2.0.0.21-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. thunderbird-2.0.0.21-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. |
A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain unlikely error conditions occur. To quote the libpng advisory: If the application runs out of memory during the loop, some of the element pointers will be uninitialized. Libpng will then longjmp to a cleanup process that attempts to free all of the elements in the array, including the uninitialized ones. This behavior could be forced by a malevolent input.