Bug 480321 - (CVE-2008-5907) CVE-2008-5907 libpng,libpng10: Zeroing value of an arbitrary memory location in utilities for writing PNG files
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://sourceforge.net/mailarchive/fo...
Whiteboard: reported=20090115,public=20081126,imp...
Keywords: Security
Reported: 2009-01-16 08:51 EST by Jan Lieskovsky
Modified: 2014-08-20 12:25 EDT
Doc Type: Bug Fix
Last Closed: 2009-01-16 09:05:19 EST
Attachments: None

Description Jan Lieskovsky 2009-01-16 08:51:06 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5907 to
the following vulnerability:

The png_check_keyword function in pngwutil.c in libpng before 1.0.42,
and 1.2.x before 1.2.34, might allow context-dependent attackers to
set the value of an arbitrary memory location to zero via vectors
involving creation of crafted PNG files with keywords, related to an
implicit cast of the '\0' character constant to a NULL pointer. NOTE:
some sources incorrectly report this as a double free vulnerability.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907
http://openwall.com/lists/oss-security/2009/01/09/1
http://sourceforge.net/mailarchive/forum.php?thread_name=4B6F0239C13D0245820603C036D180BC79FBAA%40CABOTUKEXCH01.cabot.local&forum_name=png-mng-implement
http://libpng.sourceforge.net/index.html

Proposed patch from the reporter:
This should probably be:
(*new_key)[79] = '\0';
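The defect described above is a pointer-level indexing mistake: when the keyword copy is handed back through a `char **` out-parameter, writing `new_key[79]` indexes the array of pointers, and the character constant `'\0'` (an integer 0, hence a null pointer constant) is silently stored as a NULL pointer 79 slots past the caller's variable, while the string itself is never truncated. The following is an added example, not libpng's code or the reporter's patch; the function names, the 80-slot pointer table and the 100-byte keyword are constructed for the demonstration so that the misdirected write lands somewhere observable instead of in unrelated stack memory (in the real caller, `new_key` pointed at a single local, so slot 79 was arbitrary memory).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEYWORD_MAX 79   /* PNG text keywords are limited to 1..79 bytes */
#define SLOTS       80   /* pointer slots so the stray write stays in bounds */

struct check_result {
    int truncated;        /* copy in slot 0 ends up exactly 79 chars long */
    int slot79_clobbered; /* pointer slot 79 was overwritten with NULL */
};

/* Buggy shape (hypothetical, modelled on the bug report, not libpng's code):
 * the keyword copy is returned through a char ** out-parameter and the
 * truncation indexes that pointer-to-pointer instead of the string. */
static size_t copy_keyword_buggy(const char *key, char **new_key)
{
    size_t key_len = strlen(key);
    char *copy = malloc(key_len + 1);

    if (copy == NULL)
        return 0;
    memcpy(copy, key, key_len + 1);
    *new_key = copy;

    if (key_len > KEYWORD_MAX) {
        /* new_key[79] is the 80th char * in the caller's memory, not the 80th
         * character of the copy. '\0' is an int 0, a null pointer constant, so
         * this compiles without a warning and stores NULL into that slot.
         * The string is never terminated at 79. */
        new_key[KEYWORD_MAX] = '\0';
        key_len = KEYWORD_MAX;
    }
    return key_len;
}

/* Fixed shape: dereference first, then index into the character array. */
static size_t copy_keyword_fixed(const char *key, char **new_key)
{
    size_t key_len = strlen(key);
    char *copy = malloc(key_len + 1);

    if (copy == NULL)
        return 0;
    memcpy(copy, key, key_len + 1);
    *new_key = copy;

    if (key_len > KEYWORD_MAX) {
        (*new_key)[KEYWORD_MAX] = '\0';
        key_len = KEYWORD_MAX;
    }
    return key_len;
}

/* Feed a 100-byte keyword (constructed input) through one variant using an
 * 80-slot pointer table filled with a sentinel pointer, then report whether
 * the copy was truncated and whether slot 79 was overwritten. */
static struct check_result run_variant(size_t (*fn)(const char *, char **))
{
    static char sentinel[] = "untouched";
    char key[101];
    char *slots[SLOTS];
    struct check_result r;
    size_t i, len;

    memset(key, 'A', sizeof key - 1);
    key[sizeof key - 1] = '\0';
    for (i = 0; i < SLOTS; i++)
        slots[i] = sentinel;

    len = fn(key, slots);
    r.truncated = (len == KEYWORD_MAX && strlen(slots[0]) == KEYWORD_MAX);
    r.slot79_clobbered = (slots[SLOTS - 1] == NULL);
    if (slots[0] != sentinel)
        free(slots[0]);
    return r;
}

int main(void)
{
    struct check_result b = run_variant(copy_keyword_buggy);
    struct check_result f = run_variant(copy_keyword_fixed);

    printf("buggy: truncated=%d slot79_clobbered=%d\n", b.truncated, b.slot79_clobbered);
    printf("fixed: truncated=%d slot79_clobbered=%d\n", f.truncated, f.slot79_clobbered);
    return 0;
}
```

Compile with `-Wall -Wextra` and note that the buggy variant produces no diagnostic: assigning an integer constant 0 to a pointer is legal C, which is why this class of mistake survives review until something observes the stray write.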
Comment 1 Jan Lieskovsky 2009-01-16 08:52:31 EST
This issue affects all versions of the libpng package, as shipped
with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

This issue affects all versions of the libpng and libpng10 package,
as shipped with Fedora releases of 9, 10 and devel.

Please fix.
Comment 2 Jan Lieskovsky 2009-01-16 09:05:19 EST
Closing due to http://openwall.com/lists/oss-security/2009/01/09/1,
overlooked this part :(.
Comment 3 Josh Bressers 2009-02-11 09:14:39 EST
Red Hat does not consider CVE-2008-5907 to be a security vulnerability.
The affected function, which validates the proper format of special keywords
in the chunks making up the PNG image file, can be used only for writing
such improperly formatted keywords into the particular chunks of the
resulting PNG image files, not for reading them.
Also, in typical usage the keywords being checked would be constant
strings in the applications, thus even less likely to trigger
the over-length error.
