Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 387431 - (CVE-2007-5503) CVE-2007-5503 cairo integer overflow
CVE-2007-5503 cairo integer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,source=redhat,report...
: Security
Depends On: 387521 387531
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-16 14:10 EST by Josh Bressers
Modified: 2016-03-04 06:04 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-17 06:20:15 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:1078 normal SHIPPED_LIVE Important: cairo security update 2007-11-29 10:38:52 EST

  None (edit)
Description Josh Bressers 2007-11-16 14:10:48 EST 
Peter Valchev from the Google Security Team told the Cairo upstream project of
an integer overflow in the way Cairo decodes PNG image data.  To quote the mail
from Peter:


    As an example, cairo supports creating a new image surface from a PNG
    image file - see cairo-png.c, function
    cairo_image_surface_create_from_png().  It calls read_png(), where the
    input filename is parsed, and memory is allocated to hold the resulting
    surface as follows:

    cairo-png.c: read_png()
    ..
    png_get_IHDR (png, info,
    &png_width, &png_height, &depth,
    &color_type, &interlace, NULL, NULL);
    ..
    pixel_size = 4;
    data = malloc (png_width * png_height * pixel_size);
    ..

    Note that png_width and png_height come from libpng's IHDR. The image
    width and height are restricted in libpng's pngconf.h, and by default the
    restrictions are as follows:
    # define PNG_USER_WIDTH_MAX 1000000L
    # define PNG_USER_HEIGHT_MAX 1000000L

    so any width < 1000000 and height < 1000000 will pass through libpng,
    allowing an integer overflow in cairo's read_png() function above.


The upstream fix can be found here:
http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=5c7d2d14d78e4dfb1ef6d2c40f0910f177e07360
http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=e49bcde27f88e21d5b8037a0089a226096f6514b
Comment 4 Josh Bressers 2007-11-29 09:32:20 EST 
Lifting embargo
Comment 6 Red Hat Product Security 2008-01-17 06:20:15 EST 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-1078.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-3818
  https://admin.fedoraproject.org/updates/F8/FEDORA-2007-3913
Comment 7 Fedora Update System 2008-01-18 19:00:26 EST 
cairo-1.4.14-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.