Bug 239425 - (CVE-2007-2445) libpng png_handle_tRNS flaw
Product: Security Response
Classification: Other
Component: vulnerability
Hardware/OS: All / Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
Depends On: 239541 239542 239543
Reported: 2007-05-08 08:01 EDT by Mark J. Cox (Product Security)
Modified: 2010-02-23 21:59 EST (History)

See Also:
Fixed In Version: RHSA-2007-0356
Doc Type: Bug Fix

Description Mark J. Cox (Product Security) 2007-05-08 08:01:54 EDT
"From:    Glenn Randers-Pehrson <glennrp@comcast.net>

A security bug has been reported to mozilla.

It seems that a grayscale image with a malformed (bad CRC) tRNS chunk
will crash libpng and mozilla.  In my experience it also brought down
my Windows display manager.

The reason is that png_ptr->num_trans is set to 1 and then there is
an error return after checking the CRC, so the trans[] array is never
allocated.  Since png_ptr->num_trans is nonzero, libpng tries to use
the array later.  Here is the fix, thanks to Mats Palmgren:

At line 1316 of pngrutil.c, change

   if (png_crc_finish(png_ptr, 0))

to

   if (png_crc_finish(png_ptr, 0))
      png_ptr->num_trans = 0;

Libpng-1.2.17rc1 does not contain this fix."

Allocated CVE-2007-2445
This issue is not currently public


Red Hat would like to thank Glenn Randers-Pehrson, Mats Palmgren, and Tavis Ormandy for supplying details and patches for this issue.
Comment 2 Tom Lane 2007-05-13 11:57:15 EDT
The bug report seems slightly in error: as best I can tell, the failure can only occur with palette-color PNGs, not grayscale ones. (There is a suitable image attached to bug #239542.)

Also, note that merely reading a corrupted file will not induce a crash; the application must ask libpng to perform an image transformation that requires use of the transparency information. I have not been able to crash pngtopnm for instance. However, opening a corrupted file in Firefox crashes.
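The failure mode described in the report and narrowed down in Comment 2, as an added example that is not libpng's code and not part of this bug report: a reduced C model of png_handle_tRNS for a palette image, with the vulnerable shape beside the one-line fix, followed by a stand-in for the later transform that consumes the transparency data. The names png_crc_finish, num_trans and trans are the libpng identifiers the report cites; the structures, the CRC result (a constructed flag rather than a computed CRC), the handler signatures and the expand_alpha transform are assumptions made so the example runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define PNG_COLOR_TYPE_PALETTE 3

/* Reduced stand-in for png_struct: only the fields the bug touches. */
typedef struct {
    int color_type;
    uint16_t num_trans;  /* number of tRNS entries the image claims */
    uint8_t *trans;      /* per-palette-entry alpha; NULL until allocated */
} png_model;

/* Stand-in for a tRNS chunk. Real libpng checks a CRC computed over the
 * chunk data; here crc_ok is a constructed flag (hypothetical). */
typedef struct {
    size_t length;
    const uint8_t *data;
    int crc_ok;
} trns_chunk;

/* Stand-in for png_crc_finish(): nonzero means the CRC was bad and the
 * chunk handler must bail out. */
static int png_crc_finish(const trns_chunk *c) { return c->crc_ok ? 0 : 1; }

/* Vulnerable handler (shape described in the report): num_trans is
 * recorded before the CRC is verified, and the bad-CRC path returns
 * without resetting it, so trans stays NULL while num_trans is nonzero. */
static void handle_tRNS_vulnerable(png_model *png_ptr, const trns_chunk *c) {
    if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) return;
    png_ptr->num_trans = (uint16_t)c->length;
    if (png_crc_finish(c))
        return;   /* BUG: num_trans != 0 but trans == NULL */
    png_ptr->trans = malloc(c->length);
    memcpy(png_ptr->trans, c->data, c->length);
}

/* Fixed handler: the report's one-line change, num_trans = 0 on the
 * bad-CRC path, restores the invariant "num_trans != 0 => trans != NULL". */
static void handle_tRNS_fixed(png_model *png_ptr, const trns_chunk *c) {
    if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) return;
    png_ptr->num_trans = (uint16_t)c->length;
    if (png_crc_finish(c)) {
        png_ptr->num_trans = 0;
        return;
    }
    png_ptr->trans = malloc(c->length);
    memcpy(png_ptr->trans, c->data, c->length);
}

/* Stand-in for the transform Comment 2 describes (e.g. palette expansion
 * to RGBA), which only consults trans[] when num_trans is nonzero.
 * Returns the alpha for a palette index, or -1 where the real library
 * would dereference the NULL trans array and crash. */
static int expand_alpha(const png_model *png_ptr, unsigned index) {
    if (png_ptr->num_trans == 0) return 255;   /* no tRNS: fully opaque */
    if (png_ptr->trans == NULL) return -1;     /* the crash site */
    return index < png_ptr->num_trans ? png_ptr->trans[index] : 255;
}

/* Feed one constructed tRNS chunk through a handler, then run the
 * transform on palette index 0 and report what it sees. */
static int demo(void (*handler)(png_model *, const trns_chunk *), int crc_ok) {
    static const uint8_t alpha[1] = { 0x80 };   /* constructed chunk data */
    trns_chunk chunk = { 1, alpha, crc_ok };
    png_model png_ptr = { PNG_COLOR_TYPE_PALETTE, 0, NULL };
    handler(&png_ptr, &chunk);
    int a = expand_alpha(&png_ptr, 0);
    free(png_ptr.trans);
    return a;
}

int main(void) {
    printf("vulnerable, bad CRC:  %d\n", demo(handle_tRNS_vulnerable, 0));
    printf("fixed, bad CRC:       %d\n", demo(handle_tRNS_fixed, 0));
    printf("fixed, good CRC:      %d\n", demo(handle_tRNS_fixed, 1));
    return 0;
}
```

The model also shows why merely decoding the file is not enough to trigger the crash: nothing dereferences trans until a transform that needs transparency runs, which matches the observation that pngtopnm survives while Firefox, which requests such a transform, does not.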
Comment 3 Mark J. Cox (Product Security) 2007-05-17 04:34:40 EDT
now public, removing embargo
Comment 6 Red Hat Bugzilla 2007-05-17 17:46:14 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
