Bug 671502 (CVE-2011-0408)

Summary: CVE-2011-0408 libpng: application crash or possible arbitrary code execution in libpng 1.5.0
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: rcvalle, tgl, wnefal+redhatbugzilla
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-01-21 21:37:17 UTC

Description Vincent Danen 2011-01-21 17:03:14 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0408 to
the following vulnerability:

Name: CVE-2011-0408
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0408
Assigned: 20110111
Reference: ftp://ftp.simplesystems.org/pub/png-group/src/history/libpng-1.5.1beta01-README.txt
Reference: ftp://ftp.simplesystems.org/pub/png-group/src/history/libpng-1.5.1beta01-1.5.0-diff.txt
Reference: http://sourceforge.net/mailarchive/forum.php?thread_name=002b01cbb0e2%24ae636c80%240b2a4580%24%40acm.org&forum_name=png-mng-implement
Reference: http://www.kb.cert.org/vuls/id/643140
Reference: http://securitytracker.com/id?1024955
Reference: http://secunia.com/advisories/42863
Reference: http://www.vupen.com/english/advisories/2011/0080
Reference: http://xforce.iss.net/xforce/xfdb/64637

pngrtran.c in libpng 1.5.x before 1.5.1 allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via a crafted palette-based PNG image that triggers a
buffer overflow, related to the png_do_expand_palette function, the
png_do_rgb_to_gray function, and an integer underflow.  NOTE: some of
these details are obtained from third party information.

Comment 1 Vincent Danen 2011-01-21 21:37:17 UTC
When analyzing the patch for this, there are two hunks involved of pngrtran.c:

@@ -2426,9 +2426,9 @@
    int rgb_error = 0;
 
    png_debug(1, "in png_do_rgb_to_gray");
 
-   if (
+   if (!(row_info->color_type & PNG_COLOR_MASK_PALETTE) &&
        (row_info->color_type & PNG_COLOR_MASK_COLOR))
    {
       png_uint_32 rc = png_ptr->rgb_to_gray_red_coeff;
       png_uint_32 gc = png_ptr->rgb_to_gray_green_coeff;
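Review bot: the added `!(row_info->color_type & PNG_COLOR_MASK_PALETTE)` clause at the top of png_do_rgb_to_gray is a guard rather than a fix and should carry a one-line comment saying so. The palette colour type also has the PNG_COLOR_MASK_COLOR bit set, so before this change an unexpanded palette row (one index byte per pixel) passed the existing `(row_info->color_type & PNG_COLOR_MASK_COLOR)` test and was walked as if it held three bytes per pixel. Something like `/* palette rows must already have been expanded; refuse them here */` above the `if` records why the clause exists, so it is not later mistaken for a supported path.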
@@ -3777,9 +3777,9 @@
          row_info->pixel_depth = 8;
          row_info->rowbytes = row_width;
       }
 
-      else if (row_info->bit_depth == 8)
+      if (row_info->bit_depth == 8)
       {
          {
             if (trans_alpha != NULL)
             {
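Review bot: the hunk removes the `else`, and that is the behavioural fix: the block ending just above it (the one that sets `row_info->pixel_depth = 8;` and `row_info->rowbytes = row_width;`) handles rows whose indices were packed at less than 8 bits, and with `else if` exactly those rows skipped the 8-bit expansion that follows, leaving one index byte per pixel while later code proceeded as though the palette had been expanded. A short comment above the `if`, for example `/* not else: a row widened above still needs expanding here */`, would keep a future cleanup of this switch from reintroducing the `else`.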

From talking with upstream, the first change was to make libpng more robust against internal programming errors.  This change does not correct the flaw itself.  It is also in a private libpng function (png_do_rgb_to_gray()) that cannot be used in a remote attack, nor can it be called by an application.

The second hunk, with the extra "else", fixes this actual bug.

In 1.4 and previous, the second hunk is not relevant as that code does not exist.  The change was made in 1.5.0 in an attempt to simplify a switch statement.  So this flaw only affects 1.5.0, and not any earlier versions of libpng.

Statement:

Not vulnerable. This issue did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 4, 5, or 6.  This issue did not affect the versions of libpng10 as shipped with Red Hat Enterprise Linux 4.
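An added C model of the interaction described above (this is illustration code written for this page, not code from libpng, from this bug report or from Red Hat): a simplified expand-palette step with the 1.5.0 `else if` switchable on and off, followed by the entry test of an rgb-to-gray step with and without the PNG_COLOR_MASK_PALETTE guard from the first hunk. It shows why a 4-bit palette row that is widened to 8 bits but not expanded to RGB is left with a row_info that the next transform misreads, and how many bytes past the reported row that transform would touch. The colour-type constants match png.h; expand_palette, rgb_to_gray_overread, sample_row and demo are hypothetical simplifications, and the sample row and palette are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Colour-type bits as in libpng's png.h; note the palette type also carries
 * PNG_COLOR_MASK_COLOR, which is why the first hunk's guard matters. */
#define PNG_COLOR_MASK_PALETTE 1
#define PNG_COLOR_MASK_COLOR   2
#define PNG_COLOR_TYPE_RGB     PNG_COLOR_MASK_COLOR
#define PNG_COLOR_TYPE_PALETTE (PNG_COLOR_MASK_COLOR | PNG_COLOR_MASK_PALETTE)

typedef struct {              /* the part of libpng's row_info consulted here */
    uint32_t width;           /* pixels in the row */
    size_t   rowbytes;        /* bytes the row is reported to occupy */
    uint8_t  color_type, bit_depth;
} row_info_t;

/* Hypothetical model of png_do_expand_palette(): step 1 widens packed sub-8-bit
 * indices to a byte each, step 2 swaps each index byte for its 3-byte palette
 * entry. With `buggy`, step 2 is skipped for rows that took step 1, as the
 * `else if` of 1.5.0 did. Returns 0, or -1 on unsupported input. */
static int expand_palette(row_info_t *ri, uint8_t *row, size_t row_cap,
                          const uint8_t palette[256][3], int buggy)
{
    uint32_t i;
    if (ri->color_type != PNG_COLOR_TYPE_PALETTE || row_cap < (size_t)ri->width * 3 ||
        (ri->bit_depth != 1 && ri->bit_depth != 2 && ri->bit_depth != 4 && ri->bit_depth != 8))
        return -1;
    if (ri->bit_depth < 8) {
        uint32_t ppb  = 8 / ri->bit_depth;                    /* pixels per byte */
        uint8_t  mask = (uint8_t)((1u << ri->bit_depth) - 1);
        /* Walk backwards so in-place widening never overwrites unread input. */
        for (i = ri->width; i-- > 0; ) {
            uint32_t shift = 8 - ri->bit_depth * (1 + i % ppb);
            row[i] = (uint8_t)((row[i / ppb] >> shift) & mask);
        }
        ri->bit_depth = 8;
        ri->rowbytes  = ri->width;
        if (buggy) return 0;     /* 1.5.0: the `else` keeps step 2 from running */
    }
    if (ri->bit_depth == 8) {
        /* Backwards again: slot 3*i never lies below an index not yet read. */
        for (i = ri->width; i-- > 0; )
            memcpy(&row[3 * i], palette[row[i]], 3);
        ri->color_type = PNG_COLOR_TYPE_RGB;
        ri->rowbytes   = (size_t)ri->width * 3;
    }
    return 0;
}

/* Hypothetical model of the entry test in png_do_rgb_to_gray(), which walks an
 * 8-bit colour row at three bytes per pixel. Returns how many bytes past
 * ri->rowbytes that walk would read; `guard_palette` adds the 1.5.1 clause. */
static size_t rgb_to_gray_overread(const row_info_t *ri, int guard_palette)
{
    size_t needed = (size_t)ri->width * 3;
    if (guard_palette && (ri->color_type & PNG_COLOR_MASK_PALETTE))
        return 0;
    if (!(ri->color_type & PNG_COLOR_MASK_COLOR))
        return 0;
    return needed > ri->rowbytes ? needed - ri->rowbytes : 0;
}

/* Constructed sample: 8 pixels of 4-bit indices 0..7 packed two per byte in a
 * 24-byte buffer that can hold the RGB result; palette entry k is (k, 255-k, 2k).
 * Leaves the expanded row in `out`, its row_info in `ri`, and returns the
 * reported rowbytes (0 on error). */
static size_t sample_row(int buggy, uint8_t out[24], row_info_t *ri)
{
    uint8_t palette[256][3];
    unsigned k;
    for (k = 0; k < 256; k++) {
        palette[k][0] = (uint8_t)k; palette[k][1] = (uint8_t)(255 - k);
        palette[k][2] = (uint8_t)(2 * k);
    }
    memset(out, 0, 24);
    out[0] = 0x01; out[1] = 0x23; out[2] = 0x45; out[3] = 0x67;
    ri->width = 8; ri->rowbytes = 4;
    ri->color_type = PNG_COLOR_TYPE_PALETTE; ri->bit_depth = 4;
    return expand_palette(ri, out, 24, palette, buggy) == 0 ? ri->rowbytes : 0;
}

/* Over-read in bytes that rgb_to_gray would incur on the sample row. */
static size_t demo(int buggy_expand, int guard_rgb_to_gray)
{
    uint8_t row[24];
    row_info_t ri;
    if (sample_row(buggy_expand, row, &ri) == 0)
        return (size_t)-1;
    return rgb_to_gray_overread(&ri, guard_rgb_to_gray);
}

int main(void)
{
    printf("1.5.0 expand, unguarded rgb_to_gray: %zu bytes over-read\n", demo(1, 0));
    printf("1.5.0 expand, guarded rgb_to_gray:   %zu bytes over-read\n", demo(1, 1));
    return 0;
}
```

With the bug on, the sample row leaves expand_palette reporting 8 bytes while still carrying the palette colour type, so the unguarded rgb-to-gray walk wants 24 bytes and reads 16 past the row; the guard alone makes that transform skip the row, and the fixed expansion makes the reported 24 bytes match what the walk reads. Note that the guard only protects this one transform; the underlying mismatch between the row's contents and its row_info is what the second hunk removes.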