Bug 239425 - (CVE-2007-2445) CVE-2007-2445 libpng png_handle_tRNS flaw
CVE-2007-2445 libpng png_handle_tRNS flaw
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
reported=20070505,embargo=yes,source=...
: Security
Depends On: 239541 239542 239543
Blocks:
  Show dependency treegraph
 
Reported: 2007-05-08 08:01 EDT by Mark J. Cox (Product Security)
Modified: 2010-02-23 21:59 EST (History)
2 users (show)

See Also:
Fixed In Version: RHSA-2007-0356
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-17 17:46:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2007-05-08 08:01:54 EDT
"From:    Glenn Randers-Pehrson <glennrp@comcast.net>

A security bug has been reported to mozilla.

It seems that a grayscale image with a malformed (bad CRC) tRNS chunk
will crash libpng and mozilla.  In my experience it also brought down
my Windows display manager.

The reason is that png_ptr->num_trans is set to 1 and then there is
an error return after checking the CRC, so the trans[] array is never
allocated.  Since png_ptr->num_trans is nonzero, libpng tries to use
the array later.  Here is the fix, thanks to Mats Palmgren:

At line 1316 of pngrutil.c, change

   if (png_crc_finish(png_ptr, 0))
      return;

to

   if (png_crc_finish(png_ptr, 0))
   {
      png_ptr->num_trans = 0;
      return;
   }

Libpng-1.2.17rc1 does not contain this fix."

Allocated CVE-2007-2445
This issue is not currently public

Acknowledgements:

Red Hat would like to thank Glenn Randers-Pehrson, Mats Palmgren, and Tavis Ormandy for supplying details and patches for this issue.
Comment 2 Tom Lane 2007-05-13 11:57:15 EDT
The bug report seems slightly in error: as best I can tell, the failure can only occur with palette-color 
PNGs, not grayscale ones.  (There is a suitable image attached to bug #239542.)

Also, note that merely reading a corrupted file will not induce a crash; the application must ask libpng to 
perform an image transformation that requires use of the transparency information.  I have not been able 
to crash pngtopnm for instance.  However, opening a corrupted file in Firefox crashes.
Comment 3 Mark J. Cox (Product Security) 2007-05-17 04:34:40 EDT
now public, removing embargo
Comment 6 Red Hat Bugzilla 2007-05-17 17:46:14 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0356.html

Note You need to log in before you can comment on or make changes to this bug.