Bug 1308550 - (CVE-2016-2191) CVE-2016-2191 optipng: Invalid write while processing delta escapes without any boundary checking
CVE-2016-2191 optipng: Invalid write while processing delta escapes without a...
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160404,repor...
: Security
Depends On: 1323936 1323937
Blocks: 1308551
  Show dependency treegraph
 
Reported: 2016-02-15 08:41 EST by Adam Mariš
Modified: 2016-07-19 04:18 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-19 04:18:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2016-02-15 08:41:59 EST
An out-of-bounds write vulnerability was reported that occurs when processing bitmap images due to crt_row being inc/dec-remented (depending on whether the image is topdown) while processing delta escapes without any boundary checking.

Vulnerable code (pngxrbmp.c):

| 210 static size_t
| 211 bmp_read_rows(png_bytepp begin_row, png_bytepp end_row, size_t row_size,
| 212 unsigned int compression, FILE *stream)
| 213 {
| ...
| 272 crt_row = begin_row;
| 273 for ( ; ; )
| 274 {
| 275 ch = getc(stream); b1 = (unsigned int)ch;
| 276 ch = getc(stream); b2 = (unsigned int)ch;
| 277 if (ch == EOF)
| 278 break;
| 279 if (b1 == 0) /* escape */
| 280 {
| ...
| 307 else if (b2 == 2) /* delta */
| 308 {
| 309 ch = getc(stream); b1 = (unsigned int)ch; /* horiz. offset */
| 310 ch = getc(stream); b2 = (unsigned int)ch; /* vert. offset */
| ...
| 314 if (b2 > (size_t)((end_row - crt_row) * inc))
| 315 b2 = (unsigned int)((end_row - crt_row) * inc);
| 316 for ( ; b2 > 0; --b2)
| 317 {
| ...
| 319 crt_row += inc;
| ...
| 322 }
| ...
| 324 }
| 325 else /* b2 >= 3 bytes in absolute mode */
| 326 {
| 327 len = (b2 <= endn - crtn) ? b2 : (unsigned int)(endn - crtn);
| 328 if (bmp_fread_fn(*crt_row, crtn, len, stream) != len)
| 329 break;
| 330 crtn += len;
| 331 }
| 332 }
| ...
| 352 }

A delta escape moving crt_row beyond its allocated chunk followed by fread() in absolute mode would, with GNU libc combined with a !topdown image, result in a write to an address based on the specified bitmap height.

Upstream report : https://sourceforge.net/p/optipng/bugs/59/
Patch is merged with CVE-2016-3981, presented as a set of 2 patches :
  -> https://sourceforge.net/p/optipng/bugs/56/#5168
  -> https://sourceforge.net/p/optipng/bugs/56/#d6e6
Comment 3 Andrej Nemec 2016-04-05 02:32:41 EDT
Created optipng tracking bugs for this issue:

Affects: fedora-all [bug 1323936]
Affects: epel-all [bug 1323937]
Comment 4 Andrej Nemec 2016-04-05 02:33:31 EDT
Public via:

http://seclists.org/oss-sec/2016/q2/10
Comment 7 Fedora Update System 2016-06-18 15:01:33 EDT
optipng-0.7.6-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2016-06-25 19:23:30 EDT
optipng-0.7.6-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Cedric Buissart 2016-07-19 04:16:02 EDT
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.