Bug 720608 (CVE-2011-2691)

Summary: CVE-2011-2691 libpng: Crash in png_default_error due to use of NULL Pointer
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: bnater, tgl
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-07-21 07:42:47 UTC
Bug Blocks: 717086

Description Huzaifa S. Sidhpurwala 2011-07-12 09:13:38 UTC
It was found that in libpng, prior to 1.2.45, the error function 
received a NULL pointer, expressed erroneously as '\0', instead of 
the empty string "".  This error was introduced in libpng-1.2.20, 
and png_default_error() will crash in this case.  

This was fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, 
and libpng-1.0.55.

Patch:
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=9dad5e37aef295b4ef8dea39392b652deebc9261
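
As an added illustration (a constructed mock, not libpng's own code and not part of this report), the error dispatch described above: the character constant '\0' is an integer zero, so C converts it to a NULL pointer when it is passed where a string is expected, and a default handler that assumes a valid string will dereference it. All names are hypothetical; the "crash" is recorded in a flag rather than triggered so the demo can run.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mock of libpng's error dispatch; all names are hypothetical, not libpng's API. */
typedef struct mock_png_struct mock_png_struct;
typedef void (*mock_error_fn)(mock_png_struct *png_ptr, const char *error_message);

struct mock_png_struct {
    mock_error_fn error_fn;
    char last_message[64];   /* what the handler actually received */
    int  would_crash;        /* set instead of dereferencing NULL so the demo survives */
};

/* Mirrors the pre-1.2.45 caller: '\0' is an int constant 0, which C silently
 * converts to a null pointer when passed where a const char * is expected. */
static void mock_png_err_buggy(mock_png_struct *png_ptr) {
    if (png_ptr != NULL && png_ptr->error_fn != NULL)
        (*(png_ptr->error_fn))(png_ptr, '\0');
}

/* Mirrors the fixed caller: "" is a valid pointer to a single '\0' byte. */
static void mock_png_err_fixed(mock_png_struct *png_ptr) {
    if (png_ptr != NULL && png_ptr->error_fn != NULL)
        (*(png_ptr->error_fn))(png_ptr, "");
}

/* Naive default handler: assumes error_message points at a string.  A real
 * handler would format it and fault on NULL; here the fault is only recorded. */
static void mock_default_error_naive(mock_png_struct *png_ptr, const char *error_message) {
    if (error_message == NULL) { png_ptr->would_crash = 1; return; }
    snprintf(png_ptr->last_message, sizeof png_ptr->last_message, "%s", error_message);
}

/* Hardened handler: normalises NULL to "" so a caller-side slip cannot crash the process. */
static void mock_default_error_hardened(mock_png_struct *png_ptr, const char *error_message) {
    const char *msg = (error_message != NULL) ? error_message : "";
    snprintf(png_ptr->last_message, sizeof png_ptr->last_message, "libpng error: %s", msg);
}

static mock_png_struct g_last;  /* state left by the most recent run_error_path() */

/* Wires one caller to one handler on a fresh struct; returns 1 if the handler would have crashed. */
static int run_error_path(void (*caller)(mock_png_struct *), mock_error_fn handler) {
    memset(&g_last, 0, sizeof g_last);
    g_last.error_fn = handler;
    caller(&g_last);
    return g_last.would_crash;
}
```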

Comment 1 Huzaifa S. Sidhpurwala 2011-07-13 04:42:13 UTC
This has been assigned CVE-2011-2691

Comment 3 Huzaifa S. Sidhpurwala 2011-07-14 09:05:23 UTC
Created libpng tracking bugs for this issue

Affects: fedora-all [bug 721307]

Comment 5 Tom Lane 2011-07-19 14:48:57 UTC
Hmmm .... now that I look more closely, the erroneous code for this is compiled only if PNG_NO_ERROR_TEXT is defined, which it isn't in our builds.  So while this may be an actual problem for some people trying to build minimally-sized embedded copies of libpng, I don't think it's an issue for most distributions.

Comment 7 Huzaifa S. Sidhpurwala 2011-07-21 07:42:32 UTC
This flaw only affects libpng packages which are built with PNG_NO_ERROR_TEXT defined.

Looking at pngconf.h:

 153 #if !defined(PNG_NO_ERROR_TEXT) && !defined(PNG_ERROR_TEXT_SUPPORTED)
 154 #  define PNG_ERROR_TEXT_SUPPORTED
 155 #endif

If PNG_NO_ERROR_TEXT is defined, it causes PNG_ERROR_TEXT_SUPPORTED not to be defined.

If you now look at the vulnerable code at pngerror.c:

 38 #ifdef PNG_ERROR_TEXT_SUPPORTED
 39 void PNGAPI
 40 png_error(png_structp png_ptr, png_const_charp error_message)
 ...

 86 #else
 87 void PNGAPI
 88 png_err(png_structp png_ptr)
 ...

 95    if (png_ptr != NULL && png_ptr->error_fn != NULL)
 96       (*(png_ptr->error_fn))(png_ptr, "");
 ...

102 #endif /* PNG_ERROR_TEXT_SUPPORTED */

We can clearly see that the vulnerable code is not triggered if PNG_NO_ERROR_TEXT is defined.

Packages shipped with Red Hat Enterprise Linux 4, 5, 6 and Fedora 14 and 15 do not have this option enabled and hence are not affected.

Statement:

Not vulnerable. This issue did not affect the versions of libpng as
shipped with Red Hat Enterprise Linux 4, 5, or 6.