Bug 671502 - (CVE-2011-0408) CVE-2011-0408 libpng: application crash or possible arbitrary code execution in libpng 1.5.0
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: public=20110108,reported=20110118,sou...
Keywords: Security
Reported: 2011-01-21 12:03 EST by Vincent Danen
Modified: 2015-08-19 05:03 EDT (History)
Last Closed: 2011-01-21 16:37:17 EST
Description Vincent Danen 2011-01-21 12:03:14 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0408 to
the following vulnerability:

Name: CVE-2011-0408
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0408
Assigned: 20110111
Reference: ftp://ftp.simplesystems.org/pub/png-group/src/history/libpng-1.5.1beta01-README.txt
Reference: ftp://ftp.simplesystems.org/pub/png-group/src/history/libpng-1.5.1beta01-1.5.0-diff.txt
Reference: http://sourceforge.net/mailarchive/forum.php?thread_name=002b01cbb0e2%24ae636c80%240b2a4580%24%40acm.org&forum_name=png-mng-implement
Reference: http://www.kb.cert.org/vuls/id/643140
Reference: http://securitytracker.com/id?1024955
Reference: http://secunia.com/advisories/42863
Reference: http://www.vupen.com/english/advisories/2011/0080
Reference: http://xforce.iss.net/xforce/xfdb/64637

pngrtran.c in libpng 1.5.x before 1.5.1 allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via a crafted palette-based PNG image that triggers a
buffer overflow, related to the png_do_expand_palette function, the
png_do_rgb_to_gray function, and an integer underflow.  NOTE: some of
these details are obtained from third party information.
Comment 1 Vincent Danen 2011-01-21 16:37:17 EST
When analyzing the patch for this, there are two hunks of pngrtran.c involved:

@@ -2426,9 +2426,9 @@
    int rgb_error = 0;
 
    png_debug(1, "in png_do_rgb_to_gray");
 
-   if (
+   if (!(row_info->color_type & PNG_COLOR_MASK_PALETTE) &&
        (row_info->color_type & PNG_COLOR_MASK_COLOR))
    {
       png_uint_32 rc = png_ptr->rgb_to_gray_red_coeff;
       png_uint_32 gc = png_ptr->rgb_to_gray_green_coeff;
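Review bot: the new `!(row_info->color_type & PNG_COLOR_MASK_PALETTE)` guard in png_do_rgb_to_gray carries no comment, and as the discussion below notes it is a robustness check rather than the fix for this bug; add a one-line comment saying that palette rows must never reach the RGB-to-gray path, so a later reader neither mistakes it for the CVE fix nor removes it as redundant.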
@@ -3777,9 +3777,9 @@
          row_info->pixel_depth = 8;
          row_info->rowbytes = row_width;
       }
 
-      else if (row_info->bit_depth == 8)
+      if (row_info->bit_depth == 8)
       {
          {
             if (trans_alpha != NULL)
             {
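Review bot: replacing `else if (row_info->bit_depth == 8)` with a plain `if` makes the 8-bit branch also run for a row the preceding branch has just rewritten to `pixel_depth = 8` and `rowbytes = row_width`; since the old `else if` reads as deliberate, the hunk should carry a comment stating that a sub-8-bit row is meant to be unpacked and then take the 8-bit path in the same call, so the two branches are not re-chained in a later cleanup.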

From talking with upstream, the first change was to make libpng more robust against internal programming errors.  This change does not correct the flaw itself.  It is also in a private libpng function (png_do_rgb_to_gray()) that cannot be used in a remote attack, nor can it be called by an application.

The second hunk, with the extra "else", fixes this actual bug.

In 1.4 and previous, the second hunk is not relevant as that code does not exist.  The change was made in 1.5.0 in an attempt to simplify a switch statement.  So this flaw only affects 1.5.0, and not any earlier versions of libpng.

Statement:

Not vulnerable. This issue did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 4, 5, or 6.  This issue did not affect the versions of libpng10 as shipped with Red Hat Enterprise Linux 4.
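As an added illustration (not libpng's code and not part of this bug), a simplified C model of the control flow the second hunk changes: with the chained `else if`, a 1/2/4-bit palette row is unpacked to 8 bits and then skips the 8-bit lookup, leaving row_info describing an 8-bit palette row that later transforms may treat as colour data; with the independent `if`, the same row ends as RGB. The function names, the `row_info` fields, the palette and the row bytes are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical model of a palette-expansion transform (not
 * libpng's code): a palette row holds one index per pixel and should leave
 * the transform as RGB (3 bytes per pixel). */
enum { CT_RGB = 2, CT_PALETTE = 3 };
struct row_info { int color_type, bit_depth, pixel_depth; size_t rowbytes; };

/* constructed 4-entry palette: black, red, green, blue */
static const uint8_t palette[4][3] = {{0,0,0},{255,0,0},{0,255,0},{0,0,255}};

/* `chained` = 1 models the "else if" flow: the 8-bit step is skipped for a
 * row that the sub-8-bit step has just unpacked in this same call. */
static void expand_palette(struct row_info *ri, uint8_t *row, size_t width, int chained)
{
    int just_unpacked = 0;
    if (ri->color_type != CT_PALETTE) return;
    if (ri->bit_depth < 8) {
        int bd = ri->bit_depth, per_byte = 8 / bd;
        for (size_t i = width; i-- > 0; )   /* unpack MSB-first indices, backwards */
            row[i] = (row[i / per_byte] >> (8 - bd * (1 + i % per_byte))) & ((1 << bd) - 1);
        ri->bit_depth = 8; ri->pixel_depth = 8; ri->rowbytes = width;
        just_unpacked = 1;
    }
    if (ri->bit_depth == 8 && !(chained && just_unpacked)) {
        for (size_t i = width; i-- > 0; )   /* index -> RGB, backwards, in place */
            memcpy(row + 3 * i, palette[row[i] & 3], 3);
        ri->color_type = CT_RGB; ri->pixel_depth = 24; ri->rowbytes = width * 3;
    }
}

/* Run the transform on a constructed 4-pixel row (indices 1,2,3,0) packed at
 * `bit_depth`, in a buffer sized for RGB output. Returns 1 only when row_info
 * and the bytes agree on a fully expanded RGB row. */
static int expands_correctly(int bit_depth, int chained)
{
    static const uint8_t want[12] = {255,0,0, 0,255,0, 0,0,255, 0,0,0};
    uint8_t row[12] = {0};
    if (bit_depth == 2)       row[0] = 0x6C;                 /* 01 10 11 00 */
    else if (bit_depth == 4)  { row[0] = 0x12; row[1] = 0x30; }
    else                      { row[0] = 1; row[1] = 2; row[2] = 3; }
    struct row_info ri = { CT_PALETTE, bit_depth, bit_depth, (size_t)(4 * bit_depth + 7) / 8 };
    expand_palette(&ri, row, 4, chained);
    return ri.color_type == CT_RGB && ri.pixel_depth == 24 && ri.rowbytes == 12
        && memcmp(row, want, 12) == 0;
}

int main(void)
{
    printf("2-bit row, chained else-if: %s\n", expands_correctly(2, 1) ? "ok" : "left as 8-bit palette");
    printf("2-bit row, independent if : %s\n", expands_correctly(2, 0) ? "ok" : "broken");
    return 0;
}
```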
