Bug 720607 (CVE-2011-2690)

Summary: CVE-2011-2690 libpng: buffer overwrite in png_rgb_to_gray
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Assignee: Red Hat Product Security <security-response-team>
CC: bnater, tgl
Doc Type: Bug Fix
Last Closed: 2012-07-18 09:00:38 UTC
Bug Depends On: 721303, 721304, 721305, 721306, 721307, 721309, 721310, 721311, 721312, 802166
Bug Blocks: 717086

Description Huzaifa S. Sidhpurwala 2011-07-12 09:09:27 UTC
libpng overwrites unallocated memory when promoting a paletted image with transparency (one channel) to gray-alpha (two channels), only if the application calls png_rgb_to_gray() but fails to call png_set_expand().

This bug exists in all released versions of libpng (1.0, 1.2, 1.4 and 1.5).
The data overwritten is entirely controlled by the image data in the PNG file and it is possible to cause any string of data to be written by fabricating an appropriate PNG file. The amount of overwrite is equal to the row length of the original image.

This has been fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.
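
A model of the row-buffer mismatch described in the report, added here as an illustration. It is not libpng code: the palette layout, the function names and the in-place expansion are assumptions made for the model, and the real fix is the one shipped in the libpng versions listed above. The unchecked function trusts that a row buffer sized for the one-channel palette input can hold the two-channel gray-alpha output; a harness counts how many sentinel bytes past the end of the row are overwritten, which comes out to exactly the original row length, as the report states. The checked variant shows the bound a transform must enforce before writing a promoted row.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One palette entry after the transform: 8-bit gray plus 8-bit alpha.
 * The layout is an assumption for this model, not libpng's palette struct. */
typedef struct { uint8_t gray; uint8_t alpha; } gray_alpha;

/* Vulnerable pattern: expand a one-byte-per-pixel palette row to gray+alpha
 * in place, trusting that the row buffer is big enough. The buffer was sized
 * from the *input* geometry (width bytes, one channel), but the promoted row
 * needs 2*width bytes, so the last width bytes land past the buffer. Walking
 * from the end of the row backwards keeps unread indices intact. */
static void promote_row_unchecked(uint8_t *row, size_t width,
                                  const gray_alpha *pal, size_t pal_len)
{
    for (size_t i = width; i-- > 0; ) {
        uint8_t idx = row[i];
        gray_alpha e = (idx < pal_len) ? pal[idx] : (gray_alpha){0, 0};
        row[2 * i]     = e.gray;
        row[2 * i + 1] = e.alpha;
    }
}

/* Hardened pattern: the caller passes the real buffer length and the
 * transform refuses to run when the promoted row would not fit.
 * Returns bytes written, or 0 if the expansion was refused. */
static size_t promote_row_checked(uint8_t *row, size_t row_len, size_t width,
                                  const gray_alpha *pal, size_t pal_len)
{
    if (width > SIZE_MAX / 2 || 2 * width > row_len)
        return 0;
    promote_row_unchecked(row, width, pal, pal_len);
    return 2 * width;
}

enum { MAX_W = 64 };

/* Constructed palette: gray = 3*i, alpha = 255-i; no entry equals the 0xAA sentinel. */
static void fill_palette(gray_alpha *pal)
{
    for (size_t i = 0; i < MAX_W; i++) {
        pal[i].gray  = (uint8_t)(3 * i);
        pal[i].alpha = (uint8_t)(255 - i);
    }
}

/* Run the unchecked expansion on a width-byte row that is followed by a
 * sentinel region, and return how many sentinel bytes were overwritten. */
static size_t measure_overrun(size_t width)
{
    uint8_t buf[2 * MAX_W];
    gray_alpha pal[MAX_W];
    if (width > MAX_W) return 0;
    memset(buf, 0xAA, sizeof buf);
    for (size_t i = 0; i < width; i++) buf[i] = (uint8_t)i; /* constructed palette indices */
    fill_palette(pal);
    promote_row_unchecked(buf, width, pal, MAX_W);
    size_t clobbered = 0;
    for (size_t i = width; i < sizeof buf; i++)
        if (buf[i] != 0xAA) clobbered++;
    return clobbered;
}

/* Run the checked expansion with a buffer of row_len bytes. Returns bytes
 * written (0 = refused), or (size_t)-1 if the output does not match the palette. */
static size_t checked_demo(size_t row_len, size_t width)
{
    uint8_t buf[2 * MAX_W];
    gray_alpha pal[MAX_W];
    if (row_len > sizeof buf || width > MAX_W) return 0;
    memset(buf, 0xAA, sizeof buf);
    for (size_t i = 0; i < width; i++) buf[i] = (uint8_t)i;
    fill_palette(pal);
    size_t n = promote_row_checked(buf, row_len, width, pal, MAX_W);
    for (size_t i = 0; n && i < width; i++)
        if (buf[2 * i] != pal[i].gray || buf[2 * i + 1] != pal[i].alpha)
            return (size_t)-1;
    return n;
}

int main(void)
{
    printf("unchecked, width 16: %zu bytes written past the row\n", measure_overrun(16));
    printf("checked, 16-byte buffer, width 16: %zu bytes written\n", checked_demo(16, 16));
    printf("checked, 32-byte buffer, width 16: %zu bytes written\n", checked_demo(32, 16));
    return 0;
}
```

The overrun measured by the harness equals the input row width, which is why a crafted image row (whose palette indices select the bytes written) controls the overwritten data byte for byte. Applications that cannot upgrade can avoid the path entirely by calling png_set_expand() whenever they request the RGB-to-gray transform, as the report notes.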

Comment 1 Huzaifa S. Sidhpurwala 2011-07-13 04:41:25 UTC
This has been assigned CVE-2011-2690

Comment 5 Huzaifa S. Sidhpurwala 2011-07-14 09:04:25 UTC
Created libpng tracking bugs for this issue

Affects: fedora-all [bug 721307]

Comment 6 Huzaifa S. Sidhpurwala 2011-07-14 09:04:28 UTC
Created libpng10 tracking bugs for this issue

Affects: fedora-all [bug 721309]
Affects: epel-6 [bug 721310]

Comment 7 Huzaifa S. Sidhpurwala 2011-07-14 09:04:32 UTC
Created mingw32-libpng tracking bugs for this issue

Affects: fedora-all [bug 721311]
Affects: epel-5 [bug 721312]

Comment 13 Tom Lane 2011-07-26 21:54:52 UTC
Further investigation shows that this bug is not aboriginal in libpng, but was introduced in 1.2.9 (and whichever was the contemporary version of 1.0.x).  This means it doesn't exist in RHEL4, where we're still shipping 1.2.7.  Haven't looked yet at the libpng10 situation.

Comment 14 errata-xmlrpc 2011-07-28 18:11:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1104 https://rhn.redhat.com/errata/RHSA-2011-1104.html

Comment 15 errata-xmlrpc 2011-07-28 18:22:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1105 https://rhn.redhat.com/errata/RHSA-2011-1105.html