Bug 608644 - (CVE-2010-2249) CVE-2010-2249 libpng: Memory leak when processing Physical Scale (sCAL) images
CVE-2010-2249 libpng: Memory leak when processing Physical Scale (sCAL) images
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
public=20100625,reported=20100626,sou...
: Security
: 608642 (view as bug list)
Depends On: 609160 609161 609162 609917 609918 609919 609921 609922 609926 609928 609929 802165
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-28 07:24 EDT by Jan Lieskovsky
Modified: 2016-03-04 05:46 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-29 16:28:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2010-06-28 07:24:07 EDT
A memory leak was found in the way libpng processed malformed Portable Network
Graphics (PNG) images with Physical Scale (sCAL) extension. A remote attacker
could create a specially-crafted PNG image and trick the local user into
opening it in an application, using the libpng library, leading to denial
of service (relevant libpng-based application crash).

References:
  [1] http://www.libpng.org/pub/png/libpng.html

CVE Request:
  [2] http://www.openwall.com/lists/oss-security/2010/06/28/2
Comment 1 Jan Lieskovsky 2010-06-28 07:38:08 EDT
This issue affects the versions of the libpng package, as shipped
with Red Hat Enteprise Linux 3, 4, and 5.

This issue affects the versions of the libpng package, as shipped
with Fedora release of 12 and 13.
Comment 2 Tomas Hoger 2010-06-28 07:46:27 EDT
*** Bug 608642 has been marked as a duplicate of this bug. ***
Comment 3 Glenn Randers-Pehrson 2010-06-28 12:11:22 EDT
A defense for applications that don't need or want the sCAL
chunk is to use the png_set_keep_unknown_chunks() mechanism to ignore
it.  See Mozilla's libpr0n/decoders/png or ImageMagick and
GraphicsMagick's coders/png.c, and pngcrush for examples of this.

It's a good idea for applications to do this because it
reduces resources consumed in reading a PNG, and it reduces their
attack surface by making the application invulnerable to future
vulnerabilities in known but unused chunks such as sCAL.
Comment 4 Jan Lieskovsky 2010-06-29 10:30:31 EDT
CVE identifier of CVE-2010-2249 has been assigned to this.
Comment 6 Jan Lieskovsky 2010-06-29 10:45:28 EDT
Created libpng tracking bugs for this issue

Affects: fedora-all [bug 609161]
Comment 7 Jan Lieskovsky 2010-06-29 10:45:32 EDT
Created mingw32-libpng tracking bugs for this issue

Affects: fedora-all [bug 609162]
Comment 8 Vincent Danen 2010-06-29 13:11:28 EDT
Looks like this is the upstream commit to fix this issue:

http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=90cfcecc09febb8d6c8c1d37ea7bb7cf0f4b00f3#patch20
Comment 9 Vincent Danen 2010-06-29 13:22:13 EDT
This also looks like it would affect libpng10, looking quickly at the code.
Comment 10 Glenn Randers-Pehrson 2010-06-29 13:34:14 EDT
(In reply to comment #9)
> This also looks like it would affect libpng10, looking quickly at the code.    

Yes, it does.  Upstream has declared end-of-life for libpng10 and does
not plan any more updates, even for security, as announced back in
February.  If that is a hardship, you can complain to png-mng-implemement at
lists.sf.net, explain why you still need libpng10, and we might revisit the
decision.

We also plan to abandon libpng12 at the end of 2010.
Comment 11 Glenn Randers-Pehrson 2010-06-29 13:36:59 EDT
(In reply to comment #8)
> Looks like this is the upstream commit to fix this issue:
> 
> http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=90cfcecc09febb8d6c8c1d37ea7bb7cf0f4b00f3#patch20

That is an upstream "workaround" for the bug which was removed in a later commit.  Our "git" commits show much of our work-in-progress, and there are
4 or 5 commits involved in solving this bug.  The actual fix
can be found by diffing pngpread.c from libpng-1.4.2 and 1.4.3.
Comment 12 Glenn Randers-Pehrson 2010-06-29 13:43:12 EDT
(In reply to comment #8)
> Looks like this is the upstream commit to fix this issue:
> 
> http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=90cfcecc09febb8d6c8c1d37ea7bb7cf0f4b00f3#patch20    

Yes.  This commit contains the changes to pngrutil.c that fix the sCAL
chunk memory leak.
Comment 13 Glenn Randers-Pehrson 2010-06-29 13:44:43 EDT
(In reply to comment #11)
> (In reply to comment #8)

> That is an upstream "workaround" for the bug which was removed in a later
> commit.  Our "git" commits show much of our work-in-progress, and there are
> 4 or 5 commits involved in solving this bug.  The actual fix
> can be found by diffing pngpread.c from libpng-1.4.2 and 1.4.3.    

Sorry, this comment is about the other bug (the extra-row problem).
Comment 14 Fedora Update System 2010-06-29 15:19:43 EDT
libpng-1.2.44-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/libpng-1.2.44-1.fc13
Comment 15 Fedora Update System 2010-06-29 15:19:54 EDT
libpng-1.2.44-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/libpng-1.2.44-1.fc12
Comment 16 Vincent Danen 2010-06-29 16:54:43 EDT
(In reply to comment #10)
> Yes, it does.  Upstream has declared end-of-life for libpng10 and does
> not plan any more updates, even for security, as announced back in
> February.  If that is a hardship, you can complain to png-mng-implemement at
> lists.sf.net, explain why you still need libpng10, and we might revisit the
> decision.
>
> We also plan to abandon libpng12 at the end of 2010.

We have libpng10 packages in Red Hat Enterprise Linux 3 and 4, used by things like gnome-libs (both) and Gtk-Perl, gimp (RHEL3-only), so we have to support libpng10 until those distributions reach end-of-life.

It isn't necessarily a hardship, but other vendors may be in the same position with regards to supporting libpng10 and libpng12 (we will be supporting libpng12 for many years to come yet).  Abandoning libpng12 at the end of this year might be something we should bring up (perhaps some kind of maintenance for security issues alone).

Thanks for that information.
Comment 19 Fedora Update System 2010-07-01 14:36:29 EDT
libpng-1.2.44-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2010-07-05 18:07:45 EDT
libpng-1.2.44-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 errata-xmlrpc 2010-07-14 13:48:29 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0534 https://rhn.redhat.com/errata/RHSA-2010-0534.html
Comment 24 Fedora Update System 2010-07-20 18:45:45 EDT
libpng10-1.0.54-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2010-07-26 22:49:52 EDT
mingw32-libpng-1.2.44-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2010-07-26 22:50:17 EDT
mingw32-libpng-1.2.44-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.