Bug 1198171 (CVE-2015-2158) - CVE-2015-2158 pngcrush: pngcrush_measure_idat() off-by-one error
Summary: CVE-2015-2158 pngcrush: pngcrush_measure_idat() off-by-one error
Status: CLOSED NOTABUG
Alias: CVE-2015-2158
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20150128,reported=2...
Keywords: Security
Depends On: 1198174 1198175
Blocks: 1198177
 
Reported: 2015-03-03 13:50 UTC by Vasyl Kaigorodov
Modified: 2015-03-09 08:47 UTC

Fixed In Version: pngcrush 1.7.84
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-06 14:55:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Vasyl Kaigorodov 2015-03-03 13:50:35 UTC
A crash potentially leading to code execution was reported [1] and fixed [2] in pngcrush version 1.7.84.
Upstream commit that fixes this:
http://sourceforge.net/p/pmt/code/ci/a1ce646d00a400fd9ec321ab5cb522f40b7bdfe6/

[1]: http://seclists.org/oss-sec/2015/q1/709
[2]: http://sourceforge.net/p/pmt/news/2015/02/pngcrush-1784-released/

Comment 1 Vasyl Kaigorodov 2015-03-03 13:53:31 UTC
Created pngcrush tracking bugs for this issue:

Affects: fedora-all [bug 1198174]
Affects: epel-all [bug 1198175]

Comment 2 Stefan Cornelius 2015-03-06 14:55:18 UTC
This is an off-by-one error in the "pngcrush_measure_idat()" function in pngcrush.c, introduced by commit http://sourceforge.net/p/pmt/code/ci/e1a36a9639e2db16494d90459c7c2b78677a20bf/ in version 1.7.83.

The code in pngcrush line 7405:
if (length < 28)
   for (ib=27; ib >= length; ib--) 
      buff[ib] = 0;

If length is 0, the last iteration will set "ib" to -1, thus buff[ib] = 0; will write outside of the "buff" buffer. I doubt that this can be exploited for anything other than an application crash.

Statement:

This issue did not affect the versions of pngcrush as shipped with Red Hat Enterprise Linux 7.
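
The padding loop quoted in comment 2, modelled as an added example (this is not pngcrush's code and not the upstream fix). It assumes "ib" is an int and "length" is an unsigned PNG chunk length, which is the combination under which the comparison admits ib == -1 as the comment describes: the int is converted to unsigned in "ib >= length", so -1 compares as a huge value, the loop does not stop at buff[0], and zeroes are written below the buffer until the process faults. The 28-byte buffer size comes from the "length < 28" test; the GUARD area, the CANARY pattern, the cutoff at -GUARD (standing in for the eventual fault) and the memset-based rewrite are all this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes are this example's own: the scratch buffer is 28 bytes, as the
 * "length < 28" test in comment 2 shows; GUARD models the bytes that happen to
 * sit just below it in memory. */
#define BUFF_LEN 28
#define GUARD 8
#define CANARY 0xA5

/* Storage for buff plus GUARD bytes below it, so buff[-k] (k <= GUARD) stays
 * inside one array and the clobber can be observed without faulting. */
struct scratch {
    unsigned char backing[GUARD + BUFF_LEN];
};

static void scratch_init(struct scratch *s)
{
    memset(s->backing, CANARY, sizeof s->backing);
}

static unsigned char *scratch_buff(struct scratch *s)
{
    return s->backing + GUARD;
}

/* The padding loop as quoted in comment 2, with ib an int and length an
 * unsigned chunk length (this example's assumption). The cast makes the
 * usual arithmetic conversion explicit: once ib drops to -1 it compares as a
 * huge unsigned value, so the loop keeps running and zeroes buff[-1],
 * buff[-2], ... The cutoff at -GUARD is a model-only stop standing in for the
 * point where the real process faults. Returns the lowest index written, or
 * BUFF_LEN if nothing was written. */
static int pad_vulnerable(struct scratch *s, unsigned length)
{
    unsigned char *buff = scratch_buff(s);
    int ib;
    int lowest = BUFF_LEN;

    if (length < BUFF_LEN)
        for (ib = BUFF_LEN - 1; (unsigned)ib >= length; ib--) {
            if (ib < -GUARD)
                break;              /* model cutoff only; the original has none */
            buff[ib] = 0;
            lowest = ib;
        }
    return lowest;
}

/* Bounds-correct rewrite (this example's own, not the upstream commit): zero
 * exactly buff[length] .. buff[BUFF_LEN - 1] using a count, so no index below
 * zero can be formed. Returns the lowest index written, BUFF_LEN if none. */
static int pad_fixed(struct scratch *s, unsigned length)
{
    unsigned char *buff = scratch_buff(s);

    if (length >= BUFF_LEN)
        return BUFF_LEN;
    memset(buff + length, 0, BUFF_LEN - length);
    return (int)length;
}

/* Run one variant on a fresh scratch area; 1 if every guard byte still holds
 * CANARY, 0 if the padding reached below buff[0]. */
static int guard_intact(int use_fixed, unsigned length)
{
    struct scratch s;
    size_t i;

    scratch_init(&s);
    if (use_fixed)
        pad_fixed(&s, length);
    else
        pad_vulnerable(&s, length);
    for (i = 0; i < GUARD; i++)
        if (s.backing[i] != CANARY)
            return 0;
    return 1;
}

/* Lowest index written by a variant, on a fresh scratch area. */
static int lowest_index(int use_fixed, unsigned length)
{
    struct scratch s;

    scratch_init(&s);
    return use_fixed ? pad_fixed(&s, length) : pad_vulnerable(&s, length);
}

int main(void)
{
    unsigned lengths[] = { 0, 1, 10, 28 };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        unsigned len = lengths[i];
        printf("length=%2u  original: lowest=%3d guard %s   fixed: lowest=%2d guard %s\n",
               len,
               lowest_index(0, len), guard_intact(0, len) ? "intact" : "CLOBBERED",
               lowest_index(1, len), guard_intact(1, len) ? "intact" : "CLOBBERED");
    }
    return 0;
}
```

For every length other than 0 the two variants zero the same bytes; only length 0 makes the original run past buff[0], which is the off-by-one in the loop bound. Counting bytes to clear, rather than walking a signed index down to a bound it can never satisfy, is the property the rewrite restores.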

