Bug 1608800 - (CVE-2018-14550) CVE-2018-14550 libpng: Stack-based buffer overflow in contrib/pngminus/pnm2png.c:get_token() potentially leading to arbitrary code execution
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20180721,repor...
Keywords: Security
Depends On: 1608807 1608809 1608803 1608804 1608805 1608806 1608808 1608810 1608855
Blocks: 1608081
Reported: 2018-07-26 06:04 EDT by Adam Mariš
Modified: 2018-10-18 05:34 EDT
CC List: 18 users

Last Closed: 2018-10-18 05:34:51 EDT
Description Adam Mariš 2018-07-26 06:04:25 EDT
A stack-based buffer overflow was found in the contrib/pngminus/pnm2png.c:get_token() function in libpng, possibly leading to arbitrary code execution when processing untrusted input.

Upstream bug:

https://github.com/glennrp/libpng/issues/246
Comment 1 Adam Mariš 2018-07-26 06:05:40 EDT
Created libpng tracking bugs for this issue:

Affects: fedora-all [bug 1608803]


Created libpng10 tracking bugs for this issue:

Affects: epel-6 [bug 1608810]
Affects: fedora-all [bug 1608804]


Created libpng12 tracking bugs for this issue:

Affects: fedora-all [bug 1608805]


Created libpng15 tracking bugs for this issue:

Affects: fedora-all [bug 1608806]


Created mingw-libpng tracking bugs for this issue:

Affects: epel-7 [bug 1608809]
Affects: fedora-all [bug 1608807]
Comment 4 Adam Mariš 2018-07-26 07:53:58 EDT
Statement:

This issue did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include the vulnerable code.
Comment 5 Adam Mariš 2018-10-18 05:11:10 EDT
The get_token() function parses the provided pnm file and stores data into a char array provided as an argument. These arrays are allocated on the stack with a fixed size of 16 in the pnm2png() function, from where the get_token() function is called. There is no size check, due to which the buffer overflow is possible. This vulnerability lies in the third-party utility pnm2png, which is not distributed with the libpng and libpng12 packages in RHEL 5, 6 and 7.
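
The size check that comment 5 reports as missing, as an added example that is not part of this bug report and is not libpng's code: a token reader that takes the buffer capacity and rejects an oversized token instead of writing past the 16-byte array. The names `get_token_bounded`, `nth_token` and `TOKEN_CAP` are hypothetical, and the PNM headers in `main` are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>

#define TOKEN_CAP 16 /* size of the caller's stack arrays, per comment 5 */

/* Reads one whitespace-delimited token into buf (cap bytes incl. NUL).
 * Returns token length, 0 at end of input, -1 if the token does not fit. */
static int get_token_bounded(FILE *fp, char *buf, size_t cap)
{
    size_t n = 0;
    int c;

    if (cap == 0) return -1;
    buf[0] = '\0';
    for (;;) {                       /* skip whitespace and '#' comments */
        c = fgetc(fp);
        if (c == '#')
            while ((c = fgetc(fp)) != EOF && c != '\n') { }
        if (c == EOF) return 0;
        if (!isspace(c)) break;
    }
    do {
        /* refuse the byte if it and the terminating NUL would not fit */
        if (n + 1 >= cap) { buf[0] = '\0'; return -1; }
        buf[n++] = (char)c;
        c = fgetc(fp);
    } while (c != EOF && !isspace(c));
    buf[n] = '\0';
    return (int)n;
}

/* Result for token number idx (0-based) of a constructed in-memory input. */
static int nth_token(const char *input, int idx, char *out, size_t cap)
{
    FILE *fp = tmpfile();
    int r;
    if (fp == NULL) return -2;       /* could not create the temp file */
    fputs(input, fp);
    rewind(fp);
    do { r = get_token_bounded(fp, out, cap); } while (r > 0 && idx-- > 0);
    fclose(fp);
    return r;
}

int main(void)
{
    char tok[TOKEN_CAP]; /* inputs below are constructed samples */
    printf("%d\n", nth_token("P6\n# by hand\n640 480\n255\n", 1, tok, sizeof tok));
    printf("%d\n", nth_token("P6\n11111111111111111111 480\n", 1, tok, sizeof tok));
    return 0;
}
```

A caller should treat -1 as a malformed file and stop parsing, since the stream is left in the middle of the oversized token.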
