Bug 608238 (CVE-2010-1205)

Summary: CVE-2010-1205 libpng: out-of-bounds memory write
Product: [Other] Security Response
Reporter: Kurt Seifried <kurt>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: bressers, ddumas, glennrp+bmo, hhorak, jlieskov, stransky, vdanen
Keywords: Security
Hardware: All
OS: Linux
URL: http://www.libpng.org/pub/png/libpng.html
Whiteboard: public=20100625,reported=20100626,source=internet,impact=important,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-3/libpng=affected,rhel-4/libpng=affected,rhel-5/libpng=affected,rhel-6/libpng=notaffected,fedora-all/libpng=affected,fedora-all/mingw32-libpng=affected,fedora-all/libpng10=affected,rhel-3/libpng10=affected,rhel-4/libpng10=affected,rhel-5/firefox=affected/impact=critical,rhel-4/firefox=affected/impact=critical,rhel-4/seamonkey=affected/impact=critical,rhel-3/seamonkey=affected/impact=critical,rhel-5/thunderbird=affected/impact=critical
Doc Type: Bug Fix
Last Closed: 2014-05-30 14:45:42 EDT
Bug Depends On: 609160, 609161, 609162, 609917, 609918, 609919, 609921, 609922, 609926, 609928, 609929, 802165
Attachments:
  diff -pruNb libpng-1.4.2/pngpread.c libpng-1.4.3/pngpread.c (flags: none)

Description Kurt Seifried 2010-06-26 05:39:51 EDT
Description of problem:

http://www.libpng.org/pub/png/libpng.html

Several versions of libpng through 1.4.2 (and through 1.2.43 in the older series) contain a bug whereby progressive applications such as web browsers (or the rpng2 demo app included in libpng) could receive an extra row of image data beyond the height reported in the header, potentially leading to an out-of-bounds write to memory (depending on how the application is written) and the possibility of execution of an attacker's code with the privileges of the libpng user (including remote compromise in the case of a libpng-based browser visiting a hostile web site). This vulnerability has been assigned ID CVE-2010-1205  (via Mozilla).

An additional memory-leak bug, involving images with malformed sCAL chunks, is also present; it could lead to an application crash (denial of service) when viewing such images. 

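The report above describes a decoder delivering one row more than the IHDR height promised. The guard an application can apply on its side is a bounds check in the progressive row callback before the row is written; the following is an added example, not libpng's code or any patch from this bug, written in the shape of the callback that png_set_progressive_read_fn() invokes but with a stand-in context struct and helper names that are assumptions for this example:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the application state kept behind the user
 * pointer of png_set_progressive_read_fn(); field names are assumptions. */
typedef struct {
    uint32_t height;    /* rows declared by the IHDR header */
    size_t   rowbytes;  /* bytes per decoded row */
    uint8_t *pixels;    /* height * rowbytes bytes owned by the app */
    uint32_t rejected;  /* rows refused because row_num >= height */
} image_ctx;

/* Row callback in the shape libpng invokes for progressive reads. The bug
 * tracked here is a decoder handing the application one row more than the
 * header declared; writing at row_num * rowbytes without the height check
 * below runs past the end of pixels. Returns 1 if stored, 0 if dropped. */
int row_callback(image_ctx *ctx, const uint8_t *new_row, uint32_t row_num)
{
    if (new_row == NULL)            /* libpng may pass NULL: nothing to copy */
        return 0;
    if (row_num >= ctx->height) {   /* extra row beyond the declared height */
        ctx->rejected++;
        return 0;
    }
    memcpy(ctx->pixels + (size_t)row_num * ctx->rowbytes, new_row, ctx->rowbytes);
    return 1;
}

/* Constructed scenario: an image of `height` rows (at most 4) whose decoder
 * emits `rows_emitted` rows. Returns the number of rows the callback dropped,
 * or -1 if the guard bytes past the pixel area were modified (an OOB write). */
int extra_row_demo(uint32_t height, uint32_t rows_emitted)
{
    enum { ROWBYTES = 8, GUARD = 16 };
    uint8_t storage[4 * ROWBYTES + GUARD];
    uint8_t row[ROWBYTES];
    image_ctx ctx = { height, ROWBYTES, storage, 0 };
    if (height > 4) return -1;                  /* demo buffer holds 4 rows */
    memset(storage, 0xEE, sizeof storage);      /* 0xEE marks untouched bytes */
    for (uint32_t r = 0; r < rows_emitted; r++) {
        memset(row, (int)(r + 1), sizeof row);  /* row r filled with byte r+1 */
        row_callback(&ctx, row, r);
    }
    for (size_t i = (size_t)height * ROWBYTES; i < sizeof storage; i++)
        if (storage[i] != 0xEE) return -1;      /* guard area was overwritten */
    return (int)ctx.rejected;
}
```

With the check in place the extra row is counted and dropped and the guard bytes stay intact; removing the `row_num >= ctx->height` test is exactly the pattern that turns the decoder bug into an out-of-bounds write.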
Comment 1 Tom Lane 2010-06-26 08:27:05 EDT
If memory serves, firefox is still getting built with its own private copy of libpng, so they're going to need a separate patch for this.
Comment 2 Glenn Randers-Pehrson 2010-06-26 11:28:08 EDT
Yes, mozilla/firefox by default uses a private copy of libpng.  A workaround for this bug was checked in yesterday, for mozilla 1.9.1, 1.9.2 and trunk.  Mozilla/firefox is not vulnerable to the sCAL memory leak.

Libpng-1.4.3 was released last night to address both bugs.

Regards, Glenn Randers-Pehrson, PNG/MNG Development Group
Comment 7 Jan Lieskovsky 2010-06-28 07:40:16 EDT
(In reply to comment #0)
> An additional memory-leak bug, involving images with malformed sCAL chunks, is
> also present; it could lead to an application crash (denial of service) when
> viewing such images. 

This second memory leak issue is now tracked under its own, dedicated
Red Hat Bugzilla entry:
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=608644
Comment 11 Jan Lieskovsky 2010-06-29 11:17:27 EDT
Created libpng tracking bugs for this issue

Affects: fedora-all [bug 609161]
Comment 12 Jan Lieskovsky 2010-06-29 11:17:29 EDT
Created mingw32-libpng tracking bugs for this issue

Affects: fedora-all [bug 609162]
Comment 15 Fedora Update System 2010-06-29 15:19:49 EDT
libpng-1.2.44-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/libpng-1.2.44-1.fc13
Comment 16 Fedora Update System 2010-06-29 15:20:00 EDT
libpng-1.2.44-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/libpng-1.2.44-1.fc12
Comment 18 Vincent Danen 2010-06-29 16:46:45 EDT
Created attachment 427792 [details]
diff -pruNb libpng-1.4.2/pngpread.c libpng-1.4.3/pngpread.c

(In reply to comment #11)
> (In reply to comment #8)
> > Looks like this is the upstream commit to fix this issue:
> > 
> > http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=90cfcecc09febb8d6c8c1d37ea7bb7cf0f4b00f3#patch20
> 
> That is an upstream "workaround" for the bug which was removed in a later
> commit.  Our "git" commits show much of our work-in-progress, and there are
> 4 or 5 commits involved in solving this bug.  The actual fix
> can be found by diffing pngpread.c from libpng-1.4.2 and 1.4.3.    

Glenn, replying to the right bug here.

Thanks for that heads up.  I'm attaching the diff from libpng-1.4.2 and libpng-1.4.3 here.  Looks like it might be a bit of an exercise to backport.
Comment 23 Fedora Update System 2010-07-01 14:36:35 EDT
libpng-1.2.44-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2010-07-05 18:07:53 EDT
libpng-1.2.44-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 28 errata-xmlrpc 2010-07-14 13:48:14 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0534 https://rhn.redhat.com/errata/RHSA-2010-0534.html
Comment 29 Fedora Update System 2010-07-20 18:45:32 EDT
libpng10-1.0.54-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 30 errata-xmlrpc 2010-07-20 20:43:06 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2010:0546 https://rhn.redhat.com/errata/RHSA-2010-0546.html
Comment 31 errata-xmlrpc 2010-07-20 21:09:19 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0547 https://rhn.redhat.com/errata/RHSA-2010-0547.html
Comment 32 errata-xmlrpc 2010-07-20 21:19:00 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0545 https://rhn.redhat.com/errata/RHSA-2010-0545.html
Comment 33 Fedora Update System 2010-07-22 22:30:53 EDT
seamonkey-2.0.6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 34 Fedora Update System 2010-07-22 22:36:19 EDT
xulrunner-1.9.2.7-1.fc13, firefox-3.6.7-1.fc13, mozvoikko-1.0-12.fc13, gnome-web-photo-0.9-10.fc13, perl-Gtk2-MozEmbed-0.08-6.fc13.15, gnome-python2-extras-2.25.3-20.fc13, galeon-2.0.7-30.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 35 Fedora Update System 2010-07-22 22:40:37 EDT
thunderbird-3.0.6-1.fc12, sunbird-1.0-0.23.20090916hg.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 36 Fedora Update System 2010-07-22 22:42:33 EDT
seamonkey-2.0.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 37 Fedora Update System 2010-07-22 22:46:17 EDT
xulrunner-1.9.1.11-1.fc12, firefox-3.5.11-1.fc12, gnome-web-photo-0.9-8.fc12, mozvoikko-1.0-11.fc12, perl-Gtk2-MozEmbed-0.08-6.fc12.14, gnome-python2-extras-2.25.3-19.fc12, galeon-2.0.7-24.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 38 Fedora Update System 2010-07-22 22:48:11 EDT
thunderbird-3.1.1-1.fc13, sunbird-1.0-0.26.b2pre.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 39 Fedora Update System 2010-07-26 22:49:57 EDT
mingw32-libpng-1.2.44-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 40 Fedora Update System 2010-07-26 22:50:25 EDT
mingw32-libpng-1.2.44-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.