Bug 216706 - CVE-2006-5793 libpng, libpng10 DoS
CVE-2006-5793 libpng, libpng10 DoS
Product: Fedora
Classification: Fedora
Component: libpng (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tom Lane
: Security
Depends On:
  Show dependency treegraph
Reported: 2006-11-21 11:55 EST by Ville Skyttä
Modified: 2013-07-02 23:11 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-02-12 11:27:08 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ville Skyttä 2006-11-21 11:55:00 EST
+++ This bug was initially created as a clone of Bug #215405 +++

Tavis Ormandy told vendor-sec about a OOB memory read flaw in libpng.  This flaw
is a denial of service flaw.

quoting the mail from Tavis:

    Hello, there's a typo in the sPLT chunk handling code in libpng,
    potentially resulting in an OOB read. AFAICT, the extent of the
    vulnerability is denial of service, but would appreciate a second pair
    of eyes to verify.

    Around line ~983 of pngset.c, in png_set_sPLT()

    to->entries =3D (png_sPLT_entryp)png_malloc(png_ptr,=20
        from->nentries * png_sizeof(png_sPLT_t));

    should be `png_sizeof(png_sPLT_entry)`

    and the same on this line:

    png_memcpy(to->entries, from->entries,
        from->nentries * png_sizeof(png_sPLT_t));

This issue also affects RHEL2.1 and RHEL3

-- Additional comment from bressers@redhat.com on 2006-11-14 16:28 EST --
This issue is now public:


Possibly affected: libpng in FC5, FC6, and devel, and libpng10 in FC5. 
(libpng10 in Extras has been updated, see bug 216263)
Comment 1 Tom Lane 2007-02-12 11:27:08 EST
libpng is updated to 1.2.16 for Fedora 7.  As per bz #211705, the security issue
is not considered serious enough to warrant back-patching.

Note You need to log in before you can comment on or make changes to this bug.