Bug 324711 (CVE-2007-5266) - CVE-2007-5266 libpng DoS / crash in png_set_iCCP
Summary: CVE-2007-5266 libpng DoS / crash in png_set_iCCP
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2007-5266
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-10-09 11:16 UTC by Tomas Hoger
Modified: 2021-11-12 19:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-10-16 09:49:36 UTC
Embargoed:



Description Tomas Hoger 2007-10-09 11:16:51 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5266 to the following vulnerability:

Off-by-one error in ICC profile chunk handling in the png_set_iCCP
function in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before
1.2.21 beta1 allows remote attackers to cause a denial of service
(crash) via a crafted PNG image that prevents a name field from being
NULL terminated.

References:
http://sourceforge.net/mailarchive/forum.php?thread_name=5122753600C3E94F87FBDFFCC090D1FF0400EA68%40MERCMBX07.na.sas.com&forum_name=png-mng-implement
http://sourceforge.net/mailarchive/message.php?msg_name=e56ccc8f0709140846k24e9a040r81623783b6b1c00f%40mail.gmail.com

Comment 1 Tomas Hoger 2007-10-09 11:26:04 UTC
The original fix for this issue is disputed as incorrect.  Nevertheless, another
CVE id was assigned:

CVE-2007-5267

Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in
pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause a denial
of service (crash) via a crafted PNG image, due to an incorrect fix for
CVE-2007-5266.

References:
http://secunia.com/advisories/27130
http://www.frsirt.com/english/advisories/2007/3391
http://sourceforge.net/mailarchive/message.php?msg_name=3.0.6.32.20071005143158.012ada08%40mail.comcast.net
http://sourceforge.net/mailarchive/forum.php?thread_name=47067C84.7010205%40playstation.sony.com&forum_name=png-mng-implement


Comment 3 Tomas Hoger 2007-10-09 13:41:28 UTC
Additional info:

libpng versions up to 1.2.18 used the following code:

  png_strcpy(new_iccp_name, name);

(strcpy usage seems ok here, as new_iccp_name is allocated a few lines above as:
  new_iccp_name = (png_charp)png_malloc_warn(png_ptr, png_strlen(name)+1);
so it has enough space to hold 'name')


libpng version 1.2.19 introduced the problem and changed code to:

  png_strncpy(new_iccp_name, name, png_sizeof(new_iccp_name));

Where png_sizeof(new_iccp_name) is usually 4 or 8, hence new_iccp_name is
usually not properly null-terminated.


libpng version 1.2.21 changed code to:

  png_strncpy(new_iccp_name, name, png_strlen(new_iccp_name)+1);

While this should probably be:

  png_strncpy(new_iccp_name, name, png_strlen(name)+1);


That seems to be the change mentioned on the libpng web page: "... but another crash
bug (related to the ICC-profile chunk) remains to be fixed in version 1.2.22"


Code from 1.2.22rc1:

  png_strncpy(new_iccp_name, name, png_strlen(name));
  new_iccp_name[png_strlen(name)] = '\0';
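
The following is an added example, not code from libpng or from this bug report, that reproduces the defect pattern described in comment 3 so it can be checked mechanically. It assumes libpng's png_strncpy/png_strlen/png_sizeof macros map onto the C library strncpy/strlen/sizeof (the stand-in #defines below are that assumption), and uses a constructed profile name rather than data from any real PNG. copy_name_1_2_19() copies the way 1.2.19 did (bounded by the size of the pointer, not of the allocation); copy_name_1_2_22() copies the way 1.2.22rc1 does; copy_is_terminated() reports whether the result is a proper NUL-terminated string inside its strlen(name)+1 allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption (not libpng code): the png_* wrappers are the C library calls. */
#define png_strncpy strncpy
#define png_strlen  strlen
#define png_sizeof  sizeof

/* 1 if buf[0..len-1] contains a NUL byte, i.e. it holds a complete C string. */
static int nul_terminated_within(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Copy "name" the way libpng 1.2.19 did.  Returns a strlen(name)+1 byte
 * allocation the caller frees.  Returns NULL for names shorter than the
 * pointer size: strncpy pads with NULs up to its length argument, and the
 * demo only wants to show the missing terminator, not write past the buffer. */
char *copy_name_1_2_19(const char *name)
{
    if (png_strlen(name) + 1 < png_sizeof(char *))
        return NULL;
    char *new_iccp_name = malloc(png_strlen(name) + 1);
    if (new_iccp_name == NULL)
        return NULL;
    /* Sentinel fill so an absent NUL is visible to the check below. */
    memset(new_iccp_name, 'X', png_strlen(name) + 1);
    /* png_sizeof(new_iccp_name) is sizeof(char *), i.e. 4 or 8, so only
     * that many bytes of "name" are copied and no terminator is written
     * when the name is longer than that. */
    png_strncpy(new_iccp_name, name, png_sizeof(new_iccp_name));
    return new_iccp_name;
}

/* Copy the way 1.2.22rc1 does: bound by strlen(name), then terminate. */
char *copy_name_1_2_22(const char *name)
{
    char *new_iccp_name = malloc(png_strlen(name) + 1);
    if (new_iccp_name == NULL)
        return NULL;
    memset(new_iccp_name, 'X', png_strlen(name) + 1);
    png_strncpy(new_iccp_name, name, png_strlen(name));
    new_iccp_name[png_strlen(name)] = '\0';
    return new_iccp_name;
}

/* Run one of the copiers and report: 1 = terminated inside the allocation,
 * 0 = no NUL within strlen(name)+1 bytes, -1 = copier declined / no memory. */
int copy_is_terminated(const char *name, char *(*copier)(const char *))
{
    char *buf = copier(name);
    if (buf == NULL)
        return -1;
    int ok = nul_terminated_within(buf, strlen(name) + 1);
    free(buf);
    return ok;
}

int main(void)
{
    /* Constructed sample iCCP profile name; longer than any pointer size. */
    const char *name = "Constructed ICC profile name";
    printf("sizeof(char *) = %zu, strlen(name) = %zu\n",
           sizeof(char *), strlen(name));
    printf("1.2.19 copy terminated: %d\n", copy_is_terminated(name, copy_name_1_2_19));
    printf("1.2.22 copy terminated: %d\n", copy_is_terminated(name, copy_name_1_2_22));
    return 0;
}
```

On both 32-bit and 64-bit builds the 1.2.19-style copy of a name longer than 8 bytes leaves no terminator, while the 1.2.22rc1-style copy always does; this is the difference a reviewer should look for whenever a copy length is derived from sizeof() applied to a pointer rather than to the buffer it points at.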


Comment 4 Tomas Hoger 2007-10-15 18:12:13 UTC
Issues known as CVE-2007-5266 and CVE-2007-5267 only affect libpng versions
1.2.19 and newer.  No version of libpng currently shipped in Red Hat Enterprise
Linux or Fedora is affected by this problem.

