Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5266 to the following vulnerability: Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before 1.2.21 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image that prevents a name field from being NULL terminated.

References:
http://sourceforge.net/mailarchive/forum.php?thread_name=5122753600C3E94F87FBDFFCC090D1FF0400EA68%40MERCMBX07.na.sas.com&forum_name=png-mng-implement
http://sourceforge.net/mailarchive/message.php?msg_name=e56ccc8f0709140846k24e9a040r81623783b6b1c00f%40mail.gmail.com
The original fix for this issue is disputed as incorrect. Nevertheless, another CVE id was assigned: CVE-2007-5267 Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image, due to an incorrect fix for CVE-2007-5266.

References:
http://secunia.com/advisories/27130
http://www.frsirt.com/english/advisories/2007/3391
http://sourceforge.net/mailarchive/message.php?msg_name=3.0.6.32.20071005143158.012ada08%40mail.comcast.net
http://sourceforge.net/mailarchive/forum.php?thread_name=47067C84.7010205%40playstation.sony.com&forum_name=png-mng-implement
Additional info: libpng versions up to 1.2.18 used the following code:

    png_strcpy(new_iccp_name, name);

(strcpy usage seems ok here, as new_iccp_name is allocated a few lines above as:

    new_iccp_name = (png_charp)png_malloc_warn(png_ptr, png_strlen(name)+1);

so it has enough space to hold 'name')

libpng version 1.2.19 introduced the problem and changed the code to:

    png_strncpy(new_iccp_name, name, png_sizeof(new_iccp_name));

Here png_sizeof(new_iccp_name) is the size of the pointer itself, usually 4 or 8, so any longer name is truncated and new_iccp_name is usually not properly null-terminated.

libpng version 1.2.21 changed the code to:

    png_strncpy(new_iccp_name, name, png_strlen(new_iccp_name)+1);

while this should probably be:

    png_strncpy(new_iccp_name, name, png_strlen(name)+1);

(png_strlen(new_iccp_name) measures the freshly allocated, uninitialised destination rather than the source, so the bound is not the length of 'name'.) That seems to be the change mentioned on the libpng web page: "... but another crash bug (related to the ICC-profile chunk) remains to be fixed in version 1.2.22"

Code from 1.2.22rc1:

    png_strncpy(new_iccp_name, name, png_strlen(name));
    new_iccp_name[png_strlen(name)] = '\0';
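The whole progression above comes down to which value bounds the copy. As an added example, not libpng's own code, the two C functions below model the 1.2.19 copy (bounded by the size of the pointer new_iccp_name) and the 1.2.22rc1 copy (bounded by the source length plus an explicit terminator), together with a memchr check that reports whether the allocation contains a terminator at all; the 'X' pre-fill, the helper names and the sample profile name are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Reports whether a NUL terminator exists anywhere in the alloc_len bytes
 * at buf. This is the property a crafted iCCP chunk relies on being false:
 * later string functions read past the allocation and the process crashes. */
static int name_is_terminated(const char *buf, size_t alloc_len)
{
    return memchr(buf, '\0', alloc_len) != NULL;
}

/* Models the 1.2.19 copy: the bound is sizeof(new_iccp_name), i.e. the size
 * of a pointer (4 or 8), not the string length. The buffer is pre-filled
 * with 'X' to stand in for uninitialised heap memory so that the missing
 * terminator is observable. Caller frees the result. */
static char *copy_iccp_name_1219(const char *name)
{
    size_t len = strlen(name);
    char *new_iccp_name = malloc(len + 1);
    if (new_iccp_name == NULL)
        return NULL;
    memset(new_iccp_name, 'X', len + 1);
    size_t bound = sizeof(new_iccp_name);   /* pointer size: the defect */
    strncpy(new_iccp_name, name, bound);    /* copies at most 4 or 8 bytes */
    return new_iccp_name;
}

/* Models the 1.2.22rc1 copy: bound by the source length, then terminate
 * explicitly, so the result is a complete NUL-terminated copy of name. */
static char *copy_iccp_name_1222(const char *name)
{
    size_t len = strlen(name);
    char *new_iccp_name = malloc(len + 1);
    if (new_iccp_name == NULL)
        return NULL;
    strncpy(new_iccp_name, name, len);
    new_iccp_name[len] = '\0';
    return new_iccp_name;
}

/* Returns 1 when the 1.2.19 copy of name lacks a terminator inside its
 * allocation while the 1.2.22 copy is a terminated, exact copy. */
static int demo_missing_terminator(const char *name)
{
    size_t alloc_len = strlen(name) + 1;
    char *bad = copy_iccp_name_1219(name);
    char *good = copy_iccp_name_1222(name);
    int result = bad != NULL && good != NULL &&
                 !name_is_terminated(bad, alloc_len) &&
                 name_is_terminated(good, alloc_len) &&
                 strcmp(good, name) == 0;
    free(bad);
    free(good);
    return result;
}
```

Any profile name longer than the pointer size (8 bytes on 64-bit, 4 on 32-bit) triggers the unterminated case; names shorter than that happen to get NUL padding from strncpy, which is why the defect is data dependent.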
Issues known as CVE-2007-5266 and CVE-2007-5267 only affect libpng versions 1.2.19 and newer. No version of libpng currently shipped in Red Hat Enterprise Linux or Fedora is affected by this problem.