Bug 717084 (CVE-2011-2501)

Summary: CVE-2011-2501 libpng: regression of CVE-2004-0421 in 1.2.23+
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bnater, jlieskov, tgl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libpng 1.4.8beta04 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-18 08:58:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 717509, 717510, 717511, 717512, 717513, 721305, 721306    
Bug Blocks: 717086    

Description Vincent Danen 2011-06-27 22:34:45 UTC 
It was reported [1] that the fix for CVE-2004-0421 in libpng was inadvertently reverted during the 1.2.23 development cycle.  The original flaw could be used to cause a denial of service via a carefully-crafted PNG image.

This would affect all versions of libpng >=1.2.23, including 1.4.x and 1.5.x.

[1] http://sourceforge.net/mailarchive/forum.php?thread_name=BANLkTikrnU6FJNQYFvwmt78hwpgKPVRd1Q%40mail.gmail.com&forum_name=png-mng-implement
Comment 1 Vincent Danen 2011-06-27 22:43:19 UTC 
Upstream fix is here:

http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
Comment 4 Huzaifa S. Sidhpurwala 2011-06-29 03:44:56 UTC 
This has been assigned CVE-2011-2501:
http://www.openwall.com/lists/oss-security/2011/06/28/16
Comment 5 Huzaifa S. Sidhpurwala 2011-06-29 03:57:52 UTC 
Created libpng tracking bugs for this issue

Affects: fedora-all [bug 717509]
Comment 6 Huzaifa S. Sidhpurwala 2011-06-29 03:57:56 UTC 
Created libpng10 tracking bugs for this issue

Affects: fedora-all [bug 717512]
Affects: epel-6 [bug 717513]
Comment 7 Huzaifa S. Sidhpurwala 2011-06-29 03:58:00 UTC 
Created mingw32-libpng tracking bugs for this issue

Affects: fedora-all [bug 717510]
Affects: epel-5 [bug 717511]
Comment 8 Tom Lane 2011-07-14 16:51:08 UTC 
Just for the record, I'm planning to handle this and the other current libpng bugs, in RHEL6, by rebasing from libpng 1.2.44 to 1.2.46.  I've diffed the tarballs and there is essentially no difference except version numbers and the security fixes we want.  Indeed, the entire reason why upstream is still maintaining 1.2.x is to provide security fixes, so it would be a bit discourteous to them to not use their tarballs ...

RHEL5 and back probably can't be handled that way, unfortunately.
Comment 12 errata-xmlrpc 2011-07-28 18:22:52 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1105 https://rhn.redhat.com/errata/RHSA-2011-1105.html