Bug 608644 (CVE-2010-2249)

Summary: CVE-2010-2249 libpng: Memory leak when processing Physical Scale (sCAL) images
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: berrange, bnater, caillon, erik-fedora, fedora-mingw, glennrp+bmo, lfarkas, rjones, stransky, tgl, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-10-29 20:28:12 UTC
Bug Depends On: 609160, 609161, 609162, 609917, 609918, 609919, 609921, 609922, 609926, 609928, 609929, 802165

Description Jan Lieskovsky 2010-06-28 11:24:07 UTC
A memory leak was found in the way libpng processed malformed Portable Network
Graphics (PNG) images with Physical Scale (sCAL) extension. A remote attacker
could create a specially-crafted PNG image and trick the local user into
opening it in an application, using the libpng library, leading to denial
of service (relevant libpng-based application crash).

References:
  [1] http://www.libpng.org/pub/png/libpng.html

CVE Request:
  [2] http://www.openwall.com/lists/oss-security/2010/06/28/2

Comment 1 Jan Lieskovsky 2010-06-28 11:38:08 UTC
This issue affects the versions of the libpng package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the libpng package, as shipped
with Fedora releases 12 and 13.

Comment 2 Tomas Hoger 2010-06-28 11:46:27 UTC
*** Bug 608642 has been marked as a duplicate of this bug. ***

Comment 3 Glenn Randers-Pehrson 2010-06-28 16:11:22 UTC
A defense for applications that don't need or want the sCAL
chunk is to use the png_set_keep_unknown_chunks() mechanism to ignore
it.  See Mozilla's libpr0n/decoders/png or ImageMagick and
GraphicsMagick's coders/png.c, and pngcrush for examples of this.

It's a good idea for applications to do this because it
reduces resources consumed in reading a PNG, and it reduces their
attack surface by making the application invulnerable to future
vulnerabilities in known but unused chunks such as sCAL.
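
The chunk-ignoring defence described in the comment above, as an added example that is neither part of this bug report nor libpng's own code. An application linked against libpng passes a table of chunk names to png_set_keep_unknown_chunks(png_ptr, PNG_HANDLE_CHUNK_NEVER, table, count), one 5-byte entry (four type bytes plus a NUL) per chunk, before png_read_info(). Because this example has to build without libpng, it applies the same drop-list one layer lower: it walks the PNG chunk sequence, verifies each chunk's length and CRC, copies only the chunks the application actually needs, and never drops a critical chunk. The drop-list contents, the sample PNG bytes (including a placeholder IDAT that is not a valid zlib stream) and every function name are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ancillary chunks this hypothetical application never consumes. The layout,
 * four type bytes plus NUL per entry, is what png_set_keep_unknown_chunks()
 * expects, so the same table could be handed to libpng with PNG_HANDLE_CHUNK_NEVER. */
static const char drop_list[][5] = {
    "sCAL", "pCAL", "oFFs", "sPLT", "tIME", "tEXt", "zTXt", "iTXt"
};

static const uint8_t png_sig[8] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Standard CRC-32 as used by PNG; covers the chunk type and data bytes. */
static uint32_t crc32_png(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Critical chunks (uppercase first letter) are never dropped, whatever the table says. */
static int chunk_is_dropped(const uint8_t type[4])
{
    if (!(type[0] & 0x20))
        return 0;
    for (size_t i = 0; i < sizeof drop_list / sizeof drop_list[0]; i++)
        if (memcmp(type, drop_list[i], 4) == 0)
            return 1;
    return 0;
}

/* Copy the PNG stream in[0..in_len) to out, omitting drop-listed chunks.
 * Returns the number of bytes written, or 0 if the input is not a well-formed
 * chunk stream (bad signature, oversized or truncated chunk, CRC mismatch, no IEND). */
size_t png_strip_unused_chunks(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    if (in_len < 8 || out_cap < 8 || memcmp(in, png_sig, 8) != 0)
        return 0;
    memcpy(out, in, 8);
    size_t ip = 8, op = 8;
    while (ip + 12 <= in_len) {                  /* length + type + CRC at minimum */
        uint32_t len = be32(in + ip);
        if (len > 0x7FFFFFFFu || len > in_len - ip - 12)
            return 0;                            /* PNG forbids lengths above 2^31-1 */
        const uint8_t *type = in + ip + 4;
        size_t total = 12 + (size_t)len;
        if (crc32_png(type, 4 + (size_t)len) != be32(in + ip + 8 + len))
            return 0;                            /* corrupted chunk: reject, do not pass on */
        if (!chunk_is_dropped(type)) {
            if (op + total > out_cap)
                return 0;
            memcpy(out + op, in + ip, total);
            op += total;
        }
        ip += total;
        if (memcmp(type, "IEND", 4) == 0)
            return op;
    }
    return 0;                                    /* ran out of data before IEND */
}

/* Serialise one chunk with a correct CRC; used only to construct the sample input. */
static size_t put_chunk(uint8_t *dst, const char *type, const uint8_t *data, uint32_t len)
{
    put_be32(dst, len);
    memcpy(dst + 4, type, 4);
    if (len)
        memcpy(dst + 8, data, len);
    put_be32(dst + 8 + len, crc32_png(dst + 4, 4 + len));
    return 12 + len;
}

/* Constructed 1x1 greyscale PNG carrying an sCAL chunk (unit=metre, 1.0 x 1.0).
 * The IDAT payload is a placeholder, not a valid zlib stream; the filter never inflates it. */
size_t build_sample_png(uint8_t *dst)
{
    static const uint8_t ihdr[13] = { 0,0,0,1, 0,0,0,1, 8, 0, 0, 0, 0 };
    static const uint8_t scal[8]  = { 1, '1','.','0', 0, '1','.','0' };
    static const uint8_t idat[3]  = { 0x78, 0x9C, 0x03 };
    size_t n = 8;
    memcpy(dst, png_sig, 8);
    n += put_chunk(dst + n, "IHDR", ihdr, 13);
    n += put_chunk(dst + n, "sCAL", scal, 8);
    n += put_chunk(dst + n, "IDAT", idat, 3);
    n += put_chunk(dst + n, "IEND", NULL, 0);
    return n;
}

int main(void)
{
    uint8_t in[128], out[128];
    size_t n = build_sample_png(in);
    size_t m = png_strip_unused_chunks(in, n, out, sizeof out);
    printf("input: %zu bytes, filtered: %zu bytes\n", n, m);
    return m ? 0 : 1;
}
```

In a libpng-linked application the same table goes straight to png_set_keep_unknown_chunks() before png_read_info(); the filter here is the equivalent policy for a process that wants to sanitise a file before any decoder sees it. Rejecting, rather than repairing, a chunk with a bad CRC or an impossible length keeps the filter from becoming a path by which malformed input reaches the decoder.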

Comment 4 Jan Lieskovsky 2010-06-29 14:30:31 UTC
CVE identifier of CVE-2010-2249 has been assigned to this.

Comment 6 Jan Lieskovsky 2010-06-29 14:45:28 UTC
Created libpng tracking bugs for this issue

Affects: fedora-all [bug 609161]

Comment 7 Jan Lieskovsky 2010-06-29 14:45:32 UTC
Created mingw32-libpng tracking bugs for this issue

Affects: fedora-all [bug 609162]

Comment 8 Vincent Danen 2010-06-29 17:11:28 UTC
Looks like this is the upstream commit to fix this issue:

http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=90cfcecc09febb8d6c8c1d37ea7bb7cf0f4b00f3#patch20

Comment 9 Vincent Danen 2010-06-29 17:22:13 UTC
This also looks like it would affect libpng10, looking quickly at the code.

Comment 10 Glenn Randers-Pehrson 2010-06-29 17:34:14 UTC
(In reply to comment #9)
> This also looks like it would affect libpng10, looking quickly at the code.    

Yes, it does.  Upstream has declared end-of-life for libpng10 and does
not plan any more updates, even for security, as announced back in
February.  If that is a hardship, you can complain to png-mng-implemement at
lists.sf.net, explain why you still need libpng10, and we might revisit the
decision.

We also plan to abandon libpng12 at the end of 2010.

Comment 11 Glenn Randers-Pehrson 2010-06-29 17:36:59 UTC
(In reply to comment #8)
> Looks like this is the upstream commit to fix this issue:
> 
> http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=90cfcecc09febb8d6c8c1d37ea7bb7cf0f4b00f3#patch20

That is an upstream "workaround" for the bug which was removed in a later
commit.  Our "git" commits show much of our work-in-progress, and there are
4 or 5 commits involved in solving this bug.  The actual fix
can be found by diffing pngpread.c from libpng-1.4.2 and 1.4.3.

Comment 12 Glenn Randers-Pehrson 2010-06-29 17:43:12 UTC
(In reply to comment #8)
> Looks like this is the upstream commit to fix this issue:
> 
> http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=90cfcecc09febb8d6c8c1d37ea7bb7cf0f4b00f3#patch20    

Yes.  This commit contains the changes to pngrutil.c that fix the sCAL
chunk memory leak.

Comment 13 Glenn Randers-Pehrson 2010-06-29 17:44:43 UTC
(In reply to comment #11)
> (In reply to comment #8)

> That is an upstream "workaround" for the bug which was removed in a later
> commit.  Our "git" commits show much of our work-in-progress, and there are
> 4 or 5 commits involved in solving this bug.  The actual fix
> can be found by diffing pngpread.c from libpng-1.4.2 and 1.4.3.    

Sorry, this comment is about the other bug (the extra-row problem).

Comment 14 Fedora Update System 2010-06-29 19:19:43 UTC
libpng-1.2.44-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/libpng-1.2.44-1.fc13

Comment 15 Fedora Update System 2010-06-29 19:19:54 UTC
libpng-1.2.44-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/libpng-1.2.44-1.fc12

Comment 16 Vincent Danen 2010-06-29 20:54:43 UTC
(In reply to comment #10)
> Yes, it does.  Upstream has declared end-of-life for libpng10 and does
> not plan any more updates, even for security, as announced back in
> February.  If that is a hardship, you can complain to png-mng-implemement at
> lists.sf.net, explain why you still need libpng10, and we might revisit the
> decision.
>
> We also plan to abandon libpng12 at the end of 2010.

We have libpng10 packages in Red Hat Enterprise Linux 3 and 4, used by things like gnome-libs (both) and Gtk-Perl, gimp (RHEL3-only), so we have to support libpng10 until those distributions reach end-of-life.

It isn't necessarily a hardship, but other vendors may be in the same position with regards to supporting libpng10 and libpng12 (we will be supporting libpng12 for many years to come yet).  Abandoning libpng12 at the end of this year might be something we should bring up (perhaps some kind of maintenance for security issues alone).

Thanks for that information.

Comment 19 Fedora Update System 2010-07-01 18:36:29 UTC
libpng-1.2.44-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2010-07-05 22:07:45 UTC
libpng-1.2.44-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 errata-xmlrpc 2010-07-14 17:48:29 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0534 https://rhn.redhat.com/errata/RHSA-2010-0534.html

Comment 24 Fedora Update System 2010-07-20 22:45:45 UTC
libpng10-1.0.54-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2010-07-27 02:49:52 UTC
mingw32-libpng-1.2.44-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2010-07-27 02:50:17 UTC
mingw32-libpng-1.2.44-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.