Bug 387431 - (CVE-2007-5503) CVE-2007-5503 cairo integer overflow
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Depends On: 387521 387531
Reported: 2007-11-16 14:10 EST by Josh Bressers
Modified: 2016-03-04 06:04 EST
Doc Type: Bug Fix
Last Closed: 2008-01-17 06:20:15 EST
Description Josh Bressers 2007-11-16 14:10:48 EST
Peter Valchev from the Google Security Team told the Cairo upstream project of
an integer overflow in the way Cairo decodes PNG image data.  To quote the mail
from Peter:

    As an example, cairo supports creating a new image surface from a PNG
    image file - see cairo-png.c, function
    cairo_image_surface_create_from_png().  It calls read_png(), where the
    input filename is parsed, and memory is allocated to hold the resulting
    surface as follows:

    cairo-png.c: read_png()
        png_get_IHDR (png, info,
                      &png_width, &png_height, &depth,
                      &color_type, &interlace, NULL, NULL);
        pixel_size = 4;
        data = malloc (png_width * png_height * pixel_size);

    Note that png_width and png_height come from libpng's IHDR. The image
    width and height are restricted in libpng's pngconf.h, and by default the
    restrictions are as follows:
    # define PNG_USER_WIDTH_MAX 1000000L
    # define PNG_USER_HEIGHT_MAX 1000000L

    so any width < 1000000 and height < 1000000 will pass through libpng,
    allowing an integer overflow in cairo's read_png() function above.

The upstream fix can be found here:
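The following is an added worked example, not code from cairo, libpng, the reporter or Red Hat. It stands in a tiny IHDR parser for libpng's png_get_IHDR(), repeats the size computation exactly as the quoted read_png() performs it, and places a checked computation beside it. The sample PNG header bytes are constructed for the example; the names parse_ihdr, vulnerable_alloc_size and checked_alloc_size are the example's own. It assumes a platform where int and uint32_t are 32 bits and size_t is 64 bits (x86-64 Linux), because the point it demonstrates is that the wrap happens in 32-bit unsigned arithmetic before the product ever reaches malloc's size_t parameter, so a 64-bit build is not protected.

```c
/* Added example (not cairo's, libpng's or the reporter's code).
 * Assumes 32-bit int/uint32_t and 64-bit size_t (x86-64 Linux). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Default dimension limits, as quoted from libpng's pngconf.h above. */
#define PNG_USER_WIDTH_MAX  1000000L
#define PNG_USER_HEIGHT_MAX 1000000L

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the 8-byte PNG signature followed by the IHDR chunk
 * (4-byte length, "IHDR", 13 bytes of data, 4-byte CRC) and return the
 * declared width and height.  The CRC is not verified in this example. */
bool parse_ihdr(const uint8_t *buf, size_t len, uint32_t *width, uint32_t *height)
{
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
    if (len < 8 + 4 + 4 + 13 + 4 || memcmp(buf, sig, 8) != 0)
        return false;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0)
        return false;
    *width  = be32(buf + 16);
    *height = be32(buf + 20);
    return true;
}

/* libpng rejects a dimension only when it exceeds the configured maximum. */
bool passes_libpng_limits(uint32_t width, uint32_t height)
{
    return width <= PNG_USER_WIDTH_MAX && height <= PNG_USER_HEIGHT_MAX;
}

/* The computation from the vulnerable read_png(): png_uint_32 * png_uint_32
 * * int is evaluated in 32-bit unsigned arithmetic, so the product wraps
 * modulo 2^32 before it is widened to malloc's size_t argument. */
size_t vulnerable_alloc_size(uint32_t png_width, uint32_t png_height)
{
    int pixel_size = 4;                       /* 4 bytes per pixel, as in cairo */
    return png_width * png_height * pixel_size;
}

/* Hardened form: widen first, check each multiplication against SIZE_MAX,
 * and let the caller impose a policy cap so that sizes which merely fit in
 * size_t are still refused.  Returns 0 on rejection (0 is never a useful
 * image buffer size here). */
size_t checked_alloc_size(uint32_t png_width, uint32_t png_height, size_t max_bytes)
{
    size_t w = png_width, h = png_height, pixel_size = 4;
    if (w == 0 || h == 0)
        return 0;
    if (h > SIZE_MAX / w)                     /* w * h would overflow */
        return 0;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / pixel_size)       /* pixels * 4 would overflow */
        return 0;
    size_t bytes = pixels * pixel_size;
    return bytes > max_bytes ? 0 : bytes;
}

/* Constructed sample (not a real file): signature + IHDR declaring a
 * 65536 x 65536 8-bit RGBA image.  Both dimensions pass libpng's default
 * limits, yet 65536 * 65536 * 4 == 2^34, which wraps to 0 in 32 bits. */
const uint8_t sample_png_header[] = {
    0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,   /* signature */
    0x00, 0x00, 0x00, 0x0d, 'I', 'H', 'D', 'R',    /* length 13, chunk type */
    0x00, 0x01, 0x00, 0x00,                         /* width  = 65536 */
    0x00, 0x01, 0x00, 0x00,                         /* height = 65536 */
    0x08, 0x06, 0x00, 0x00, 0x00,                   /* depth 8, RGBA, deflate, filter 0, no interlace */
    0x00, 0x00, 0x00, 0x00                          /* CRC (not verified here) */
};

/* Size the vulnerable code would hand to malloc for the sample header,
 * or SIZE_MAX if the header does not parse. */
size_t sample_vulnerable_size(void)
{
    uint32_t w, h;
    if (!parse_ihdr(sample_png_header, sizeof sample_png_header, &w, &h))
        return SIZE_MAX;
    return vulnerable_alloc_size(w, h);
}

int main(void)
{
    uint32_t w, h;
    if (!parse_ihdr(sample_png_header, sizeof sample_png_header, &w, &h)) {
        fputs("malformed PNG header\n", stderr);
        return 1;
    }
    printf("IHDR %u x %u, within libpng defaults: %s\n", w, h,
           passes_libpng_limits(w, h) ? "yes" : "no");
    printf("unchecked malloc size: %zu bytes\n", vulnerable_alloc_size(w, h));
    printf("checked size (1 GiB cap): %zu bytes (0 = refused)\n",
           checked_alloc_size(w, h, (size_t)1 << 30));
    return 0;
}
```

For the sample header the unchecked computation asks malloc for 0 bytes while the decoder later writes 65536 rows of 256 KiB each into that buffer; a 65535 x 65535 image is subtler, producing a non-zero but far too small size (4294443012 instead of 17179344900). Note that a correct size_t computation alone still returns 16 GiB for the 65536 x 65536 case, which is why the checked version takes a caller-supplied cap; which check the upstream fix chose is not stated on this page.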
Comment 4 Josh Bressers 2007-11-29 09:32:20 EST
Lifting embargo
Comment 6 Red Hat Product Security 2008-01-17 06:20:15 EST
This issue was addressed in:

Red Hat Enterprise Linux:

Comment 7 Fedora Update System 2008-01-18 19:00:26 EST
cairo-1.4.14-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
