Red Hat Bugzilla – Bug 480321
CVE-2008-5907 libpng,libpng10: Zeroing value of an arbitrary memory location in utilities for writing PNG files
Last modified: 2014-08-20 12:25:36 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5907 to
the following vulnerability:
The png_check_keyword function in pngwutil.c in libpng before 1.0.42,
and 1.2.x before 1.2.34, might allow context-dependent attackers to
set the value of an arbitrary memory location to zero via vectors
involving creation of crafted PNG files with keywords, related to an
implicit cast of the '\0' character constant to a NULL pointer. NOTE:
some sources incorrectly report this as a double free vulnerability.
Proposed patch from the reporter:
This should probably be:
(*new_key) = '\0';
This issue affects all versions of the libpng package, as shipped
with Red Hat Enterprise Linux 2.1, 3, 4, and 5.
This issue affects all versions of the libpng and libpng10 packages,
as shipped with Fedora releases of 9, 10 and devel.
Closing due to http://openwall.com/lists/oss-security/2009/01/09/1,
overlooked this part :(.
Red Hat does not consider CVE-2008-5907 to be a security vulnerability.
The affected function, which validates the proper format of special keywords
in the chunks constructing the whole PNG image file, can be used only
for writing such improperly formatted keywords into the particular
chunks of the resulting PNG image format files, not for reading them.
Also, in typical usage the keywords being checked would be constant
strings in the applications, thus even less likely to trigger
the over-length error.
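The pointer-level mistake that the CVE description refers to, a '\0' assigned through the wrong level of indirection so that it becomes a NULL pointer stored past the caller's variable rather than a terminator byte inside the keyword, as an added illustration. This is not libpng's code and not the reporter's patch: truncate_keyword_buggy, truncate_keyword_fixed, run_demo, the demo_* accessors and the pointer-array harness are hypothetical names and layout chosen for the demonstration; the 79-byte keyword limit is the PNG specification's. As the Red Hat comment notes, this code path only runs while a writer is preparing a keyword for output, so the harness feeds it a constructed over-long keyword directly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PNG tEXt/zTXt/iTXt keywords are limited to 79 bytes (PNG specification),
   so a writer that accepts an over-long keyword has to truncate it.
   PNG_KEYWORD_MAX is our own name for that limit. */
#define PNG_KEYWORD_MAX 79

/* Buggy pattern: new_key is a char ** (pointer to the caller's keyword
   pointer), but the terminator is assigned through only one level of
   indirection. new_key[79] is then a char * slot 79 pointers past the
   caller's variable, and '\0' (an integer constant with value 0) is a
   valid null pointer constant, so the statement silently stores a NULL
   pointer there and compiles without complaint. The keyword bytes are
   never touched. */
static void truncate_keyword_buggy(char **new_key)
{
    if (strlen(*new_key) > PNG_KEYWORD_MAX)
        new_key[PNG_KEYWORD_MAX] = '\0';     /* stores NULL, not a byte */
}

/* Corrected pattern: dereference first, then index into the keyword. */
static void truncate_keyword_fixed(char **new_key)
{
    if (strlen(*new_key) > PNG_KEYWORD_MAX)
        (*new_key)[PNG_KEYWORD_MAX] = '\0';  /* terminates at 79 bytes */
}

/* Harness (constructed). To observe the stray write without undefined
   behaviour, the keyword pointer is placed at index 0 of an 80-element
   pointer array and every other element holds a sentinel pointer; the
   buggy write lands on index 79. In a real caller that slot is whatever
   happens to sit 79 pointer widths past the variable, which is the
   "arbitrary memory location" in the CVE text. */
struct demo_result {
    int neighbor_zeroed;    /* 1 if slot 79 was overwritten with NULL */
    size_t key_len_after;   /* strlen of the keyword after the call */
};

static struct demo_result run_demo(int use_fixed)
{
    static char sentinel[] = "untouched";
    char keybuf[128];                      /* constructed 100-byte keyword */
    char *slots[PNG_KEYWORD_MAX + 1];
    struct demo_result r;
    size_t i;

    memset(keybuf, 'k', 100);
    keybuf[100] = '\0';
    for (i = 0; i < sizeof slots / sizeof slots[0]; i++)
        slots[i] = sentinel;
    slots[0] = keybuf;

    if (use_fixed)
        truncate_keyword_fixed(&slots[0]);
    else
        truncate_keyword_buggy(&slots[0]);

    r.neighbor_zeroed = (slots[PNG_KEYWORD_MAX] == NULL);
    r.key_len_after = strlen(keybuf);
    return r;
}

/* Accessors so each observation can be checked on its own. */
static int demo_neighbor_zeroed(int use_fixed)
{
    return run_demo(use_fixed).neighbor_zeroed;
}

static size_t demo_key_len_after(int use_fixed)
{
    return run_demo(use_fixed).key_len_after;
}

int main(void)
{
    printf("buggy: neighbor zeroed=%d, key length after=%zu\n",
           demo_neighbor_zeroed(0), demo_key_len_after(0));
    printf("fixed: neighbor zeroed=%d, key length after=%zu\n",
           demo_neighbor_zeroed(1), demo_key_len_after(1));
    return 0;
}
```

With the buggy form the keyword stays 100 bytes long and the neighbouring pointer slot is zeroed; with the corrected form the keyword is cut to 79 bytes and nothing outside it is written. The defect is easy to miss in review precisely because '\0' is a legal null pointer constant, so the compiler accepts the assignment; building with warnings such as -Wconversion-style checks does not catch it either, and a test that inspects memory around the caller's variable, as this harness does, is the reliable way to detect the class.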