Bug 324711 - CVE-2007-5266 libpng DoS / crash in png_set_iCCP
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=cve,reported=20071008,public=2...
Keywords: Security
Reported: 2007-10-09 07:16 EDT by Tomas Hoger
Modified: 2007-10-16 05:49 EDT (History)

Doc Type: Bug Fix
Last Closed: 2007-10-16 05:49:36 EDT
Description Tomas Hoger 2007-10-09 07:16:51 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5266 to the following vulnerability:

Off-by-one error in ICC profile chunk handling in the png_set_iCCP
function in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before
1.2.21 beta1 allows remote attackers to cause a denial of service
(crash) via a crafted PNG image that prevents a name field from being
NULL terminated.

References:
http://sourceforge.net/mailarchive/forum.php?thread_name=5122753600C3E94F87FBDFFCC090D1FF0400EA68%40MERCMBX07.na.sas.com&forum_name=png-mng-implement
http://sourceforge.net/mailarchive/message.php?msg_name=e56ccc8f0709140846k24e9a040r81623783b6b1c00f%40mail.gmail.com
Comment 1 Tomas Hoger 2007-10-09 07:26:04 EDT
The original fix for this issue is disputed as incorrect. Nevertheless, another
CVE id was assigned:

CVE-2007-5267

Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in
pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause a denial
of service (crash) via a crafted PNG image, due to an incorrect fix for
CVE-2007-5266.

References:
http://secunia.com/advisories/27130
http://www.frsirt.com/english/advisories/2007/3391
http://sourceforge.net/mailarchive/message.php?msg_name=3.0.6.32.20071005143158.012ada08%40mail.comcast.net
http://sourceforge.net/mailarchive/forum.php?thread_name=47067C84.7010205%40playstation.sony.com&forum_name=png-mng-implement
Comment 3 Tomas Hoger 2007-10-09 09:41:28 EDT
Additional info:

libpng versions up to 1.2.18 used the following code:

  png_strcpy(new_iccp_name, name);

(strcpy usage seems ok here, as new_iccp_name is allocated a few lines above as:
  new_iccp_name = (png_charp)png_malloc_warn(png_ptr, png_strlen(name)+1);
so it has enough space to hold 'name')


libpng version 1.2.19 introduced the problem and changed code to:

  png_strncpy(new_iccp_name, name, png_sizeof(new_iccp_name));

Here png_sizeof(new_iccp_name) is usually 4 or 8, so new_iccp_name is
usually not properly null-terminated.


libpng version 1.2.21 changed code to:

  png_strncpy(new_iccp_name, name, png_strlen(new_iccp_name)+1);

While this should probably be:

  png_strncpy(new_iccp_name, name, png_strlen(name)+1);


That seems to be the change mentioned on the libpng web page: "... but another crash
bug (related to the ICC-profile chunk) remains to be fixed in version 1.2.22"


Code from 1.2.22rc1:

  png_strncpy(new_iccp_name, name, png_strlen(name));
  new_iccp_name[png_strlen(name)] = '\0';
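The following C program is an added illustration of the four copy variants quoted above; it is not code from this bug report or from libpng. It performs each strncpy() against a marker-filled scratch area that is larger than the pretend png_strlen(name)+1 allocation, so a missing terminator or an out-of-bounds write can be observed without undefined behaviour. The sample profile name, the scratch size and the `leftover_len` parameter (standing in for whatever strlen() finds in uninitialised memory in the 1.2.21 variant) are constructed for this example; the version labels on the functions are this example's reading of the snippets in the comment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What one strncpy(dst, name, n) does to an allocation of alloc bytes. */
enum copy_outcome {
    COPY_OK,            /* in bounds and a NUL lies inside the allocation */
    COPY_UNTERMINATED,  /* in bounds, but no NUL: later strlen/printf read past it */
    COPY_OVERFLOW,      /* strncpy wrote past the end of the allocation */
    COPY_DEMO_LIMIT     /* input too large for this demo's scratch area */
};

#define SCRATCH_LEN 64
#define MARK 0xAAu

/* Runs strncpy into a marker-filled scratch area larger than the pretend
   allocation, then inspects what happened.  strncpy writes exactly n bytes:
   the string data, then NUL padding up to n. */
static enum copy_outcome run_strncpy(const char *name, size_t alloc, size_t n)
{
    unsigned char scratch[SCRATCH_LEN];
    size_t i;

    if (n > SCRATCH_LEN || alloc > SCRATCH_LEN)
        return COPY_DEMO_LIMIT;

    memset(scratch, MARK, sizeof scratch);
    strncpy((char *)scratch, name, n);

    for (i = alloc; i < SCRATCH_LEN; i++)      /* anything past alloc changed? */
        if (scratch[i] != MARK)
            return COPY_OVERFLOW;
    if (memchr(scratch, '\0', alloc) == NULL)  /* terminator inside alloc? */
        return COPY_UNTERMINATED;
    return COPY_OK;
}

/* libpng <= 1.2.18: png_strcpy into png_strlen(name)+1 bytes.
   strcpy moves strlen(name)+1 bytes, exactly the allocation. */
enum copy_outcome outcome_1_2_18(const char *name)
{
    size_t len = strlen(name);
    return run_strncpy(name, len + 1, len + 1);
}

/* libpng 1.2.19: png_strncpy(new_iccp_name, name, png_sizeof(new_iccp_name)).
   new_iccp_name is a pointer, so sizeof gives 4 or 8, not the allocation:
   longer names lose their terminator, shorter names are overrun by padding. */
enum copy_outcome outcome_1_2_19(const char *name)
{
    char *new_iccp_name = NULL;   /* declared only so sizeof mirrors the bug */
    size_t len = strlen(name);
    (void)new_iccp_name;
    return run_strncpy(name, len + 1, sizeof(new_iccp_name));
}

/* libpng 1.2.21: png_strncpy(new_iccp_name, name, png_strlen(new_iccp_name)+1).
   The length is strlen() over freshly malloc'd, uninitialised memory.
   leftover_len stands in for that arbitrary value (an assumption of this
   demo); the copy may come out short, exact, or too long. */
enum copy_outcome outcome_1_2_21(const char *name, size_t leftover_len)
{
    size_t len = strlen(name);
    return run_strncpy(name, len + 1, leftover_len + 1);
}

/* Shape of the 1.2.22rc1 code: copy strlen(name) bytes, terminate explicitly.
   Returns a malloc'd copy or NULL; the caller frees it. */
char *copy_iccp_name_fixed(const char *name)
{
    size_t len = strlen(name);
    char *new_iccp_name = malloc(len + 1);
    if (new_iccp_name == NULL)
        return NULL;
    strncpy(new_iccp_name, name, len);
    new_iccp_name[len] = '\0';
    return new_iccp_name;
}

/* 1 if the fixed copy round-trips byte for byte, 0 otherwise. */
int fixed_copy_roundtrips(const char *name)
{
    char *copy = copy_iccp_name_fixed(name);
    int ok = copy != NULL && strcmp(copy, name) == 0;
    free(copy);
    return ok;
}

int main(void)
{
    static const char *labels[] = { "ok", "unterminated", "overflow", "demo limit" };
    const char *name = "Photoshop ICC profile";   /* constructed sample name */

    printf("1.2.18 : %s\n", labels[outcome_1_2_18(name)]);
    printf("1.2.19 : %s\n", labels[outcome_1_2_19(name)]);
    printf("1.2.19 : %s (name \"ab\")\n", labels[outcome_1_2_19("ab")]);
    printf("1.2.21 : %s (garbage strlen 2)\n", labels[outcome_1_2_21(name, 2)]);
    printf("1.2.21 : %s (garbage strlen 40)\n", labels[outcome_1_2_21(name, 40)]);
    printf("1.2.22 : round-trips = %d\n", fixed_copy_roundtrips(name));
    return 0;
}
```

The 1.2.19 variant shows why sizeof() on a pointer is never a buffer length: a 21-byte profile name is left without a terminator, while a 2-byte name is overrun by strncpy's zero padding. The 1.2.21 variant shows that reading a length from the destination before it is written makes the outcome depend on heap contents, which is why the 1.2.22rc1 form derives the length from the source and writes the terminator itself.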
Comment 4 Tomas Hoger 2007-10-15 14:12:13 EDT
Issues known as CVE-2007-5266 and CVE-2007-5267 only affect libpng versions
1.2.19 and newer.  No version of libpng currently shipped in Red Hat Enterprise
Linux or Fedora is affected by this problem.
