Bug 504782 (CVE-2009-2042) - CVE-2009-2042 libpng: Interlaced Images Information Disclosure Vulnerability
Summary: CVE-2009-2042 libpng: Interlaced Images Information Disclosure Vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2042
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 609917 609918 609919 609921 609922 609926 609928 609929 802165
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-06-09 12:37 UTC by Tomas Hoger
Modified: 2019-09-29 12:30 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-02 00:08:28 UTC


Attachments (Terms of Use)
1.2.36 change (2.56 KB, patch)
2009-06-09 12:48 UTC, Tomas Hoger
no flags Details | Diff
1.2.37 change (2.71 KB, patch)
2009-06-09 12:48 UTC, Tomas Hoger
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0534 normal SHIPPED_LIVE Important: libpng security update 2010-07-14 17:47:47 UTC
Gentoo 272970 None None None Never

Description Tomas Hoger 2009-06-09 12:37:46 UTC
Quoting Secunia advisory SA35346:

  http://secunia.com/advisories/35346/

  A vulnerability has been reported in libpng, which can be exploited
  by malicious people to disclose potentially sensitive information.

  The vulnerability is caused due to an error when processing 1-bit
  interlaced images. This can be exploited to disclose uninitialised
  memory via specially crafted images having widths that are not
  divisible by 8.

  The vulnerability is reported in versions prior to 1.2.37.

Comment 1 Tomas Hoger 2009-06-09 12:43:02 UTC
Upstream page - http://www.libpng.org/pub/png/libpng.html - contains a rather confusing vulnerability warning:

  Vulnerability Warning

  Jeff Phillips reported that several versions of libpng through 1.2.35
  contain an uninitialized-memory-read bug that may have security
  implications. Specifically, 1-bit (2-color) interlaced images whose
  widths are not divisible by 8 may result in several uninitialized bits
  at the end of certain rows in certain interlace passes being returned
  to the user. An application that failed to mask these out-of-bounds
  pixels might display or process them, albeit presumably with benign
  results in most cases. This bug may be fixed in version 1.2.36,
  released 7 May 2009, but the correct fix is in version 1.2.37,
  released 4 June 2009. 

Going though 1.2.35 -> 1.2.36 and 1.2.36 -> 1.2.37 diffs, this probably refers to the following changes:


Changes in 1.2.36:
  +version 1.2.36beta02 [March 21, 2009]
  +  Use png_memset() after png_malloc() of big_row_buf when reading an
  +    interlaced file, to avoid a possible UMR.

http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=85f7d0a8d5f45176d8f200e59b0d3002ff0f445d#patch26


Changes in 1.2.37:
  +version 1.2.37beta01 [May 12, 2009]
  +  Fixed inconsistency in pngrutil.c, introduced in libpng-1.2.36.  The
  +    memset() was using "png_ptr->rowbytes" instead of "row_bytes", which
  +    the corresponding png_malloc() uses (Joe Drew).

http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=549a5101e7d59bec9af1a4d90afe714ceff5c5dd

Comment 4 Fedora Update System 2009-06-09 13:00:20 UTC
mingw32-libpng-1.2.37-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/mingw32-libpng-1.2.37-1.fc10

Comment 5 Fedora Update System 2009-06-09 13:00:25 UTC
mingw32-libpng-1.2.37-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mingw32-libpng-1.2.37-1.fc11

Comment 6 Richard W.M. Jones 2009-06-09 13:00:50 UTC
mingw32-libpng packages all done.

Comment 7 Tom Lane 2009-06-09 13:42:38 UTC
Calling this a security issue seems like a bit of a stretch.  You can only read portions of individual bytes, you can't control very well which bytes those are, and the whole thing depends on the application's display code being seriously buggy (i.e. showing garbage pixels on the right side of an image).

Comment 8 Tomas Hoger 2009-06-09 16:14:26 UTC
(In reply to comment #7)
> Calling this a security issue seems like a bit of a stretch.

Yeah, that was reaction too, when seeing upstream announcement.

> You can only read portions of individual bytes, you can't control very
> well which bytes those are, and the whole thing depends on the
> application's display code being seriously buggy (i.e. showing garbage
> pixels on the right side of an image).

I believe applications displaying images using libpng were not really assumed attack vector, as those can only show those leaked bytes to the user running application, so that case is non-issue.  I guess they may have assumed some automated image processing (such as image conversion using ImageMagick's convert, or CUPS printing) as a vector, though even without checking if any such application can return leaked bytes in some output attacker can see and use, the leak seem rather limited, not easily predictable and not too likely to yield any valuable data.

Have you already looked into what application must do wrong to process those garbage pixels at all?

Comment 9 Tom Lane 2009-06-09 16:52:46 UTC
Well, it would have to have  a bug that causes it to process whole bytes (groups of 8 pixels) without regard to the declared image width.  That seems unlikely to escape notice for long so far as "display" actions go.  I suppose the most plausible route for an information leak is if the bytes get shoved directly into some other image file (either an output PNG or some other format with similar representational details), and then the attacker manages to get access to that file.  I think we've previously decided that bugs in PNG-writing applications aren't really grounds for security responses, and this would effectively be in that category.

Comment 10 Vincent Danen 2009-06-12 20:43:18 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2042 to
the following vulnerability:

Name: CVE-2009-2042
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
Assigned: 20090612
Reference: CONFIRM: http://www.libpng.org/pub/png/libpng.html
Reference: BID:35233
Reference: URL: http://www.securityfocus.com/bid/35233
Reference: SECUNIA:35346
Reference: URL: http://secunia.com/advisories/35346
Reference: VUPEN:ADV-2009-1510
Reference: URL: http://www.vupen.com/english/advisories/2009/1510
Reference: XF:libpng-interlaced-image-info-disclosure(50966)
Reference: URL: http://xforce.iss.net/xforce/xfdb/50966

libpng before 1.2.37 does not properly parse 1-bit interlaced images
with width values that are not divisible by 8, which causes libpng to
include uninitialized bits in certain rows of a PNG file and might
allow remote attackers to read portions of sensitive memory via
"out-of-bounds pixels" in the file.

Comment 11 Fedora Update System 2009-06-13 17:56:35 UTC
libpng-1.2.37-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libpng-1.2.37-1.fc10

Comment 12 Fedora Update System 2009-06-13 17:56:40 UTC
libpng-1.2.37-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libpng-1.2.37-1.fc9

Comment 13 Fedora Update System 2009-06-13 17:56:45 UTC
libpng-1.2.37-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/libpng-1.2.37-1.fc11

Comment 14 Fedora Update System 2009-06-16 01:20:53 UTC
mingw32-libpng-1.2.37-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2009-06-16 02:29:28 UTC
mingw32-libpng-1.2.37-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2009-06-18 11:38:15 UTC
libpng-1.2.37-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2009-06-18 11:40:50 UTC
libpng-1.2.37-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2009-06-18 11:50:17 UTC
libpng-1.2.37-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 errata-xmlrpc 2010-07-14 17:48:22 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0534 https://rhn.redhat.com/errata/RHSA-2010-0534.html

Comment 22 Kurt Seifried 2011-11-02 00:08:28 UTC
All children bugs have been closed, parent is no longer needed.


Note You need to log in before you can comment on or make changes to this bug.