Bug 671502 (CVE-2011-0408) - CVE-2011-0408 libpng: application crash or possible arbitrary code execution in libpng 1.5.0
Summary: CVE-2011-0408 libpng: application crash or possible arbitrary code execution ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2011-0408
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-01-21 17:03 UTC by Vincent Danen
Modified: 2021-03-26 15:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-21 21:37:17 UTC



Description Vincent Danen 2011-01-21 17:03:14 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0408 to
the following vulnerability:

Name: CVE-2011-0408
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0408
Assigned: 20110111
Reference: ftp://ftp.simplesystems.org/pub/png-group/src/history/libpng-1.5.1beta01-README.txt
Reference: ftp://ftp.simplesystems.org/pub/png-group/src/history/libpng-1.5.1beta01-1.5.0-diff.txt
Reference: http://sourceforge.net/mailarchive/forum.php?thread_name=002b01cbb0e2%24ae636c80%240b2a4580%24%40acm.org&forum_name=png-mng-implement
Reference: http://www.kb.cert.org/vuls/id/643140
Reference: http://securitytracker.com/id?1024955
Reference: http://secunia.com/advisories/42863
Reference: http://www.vupen.com/english/advisories/2011/0080
Reference: http://xforce.iss.net/xforce/xfdb/64637

pngrtran.c in libpng 1.5.x before 1.5.1 allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via a crafted palette-based PNG image that triggers a
buffer overflow, related to the png_do_expand_palette function, the
png_do_rgb_to_gray function, and an integer underflow.  NOTE: some of
these details are obtained from third party information.

Comment 1 Vincent Danen 2011-01-21 21:37:17 UTC
When analyzing the patch for this, there are two hunks involved of pngrtran.c:

@@ -2426,9 +2426,9 @@
    int rgb_error = 0;
 
    png_debug(1, "in png_do_rgb_to_gray");
 
-   if (
+   if (!(row_info->color_type & PNG_COLOR_MASK_PALETTE) &&
        (row_info->color_type & PNG_COLOR_MASK_COLOR))
    {
       png_uint_32 rc = png_ptr->rgb_to_gray_red_coeff;
       png_uint_32 gc = png_ptr->rgb_to_gray_green_coeff;
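Review bot: the added `!(row_info->color_type & PNG_COLOR_MASK_PALETTE)` term on the `if` needs a comment saying why it is there: PNG_COLOR_TYPE_PALETTE includes the PNG_COLOR_MASK_COLOR bit, so the original condition `(row_info->color_type & PNG_COLOR_MASK_COLOR)` was also true for palette rows and would send indexed data through the RGB-to-gray arithmetic. Since the discussion below treats this as a defensive check against internal misuse rather than the fix itself, a `png_debug` or `png_warning` in the rejected case would make such a misuse visible instead of silently skipping the transform.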
@@ -3777,9 +3777,9 @@
          row_info->pixel_depth = 8;
          row_info->rowbytes = row_width;
       }
 
-      else if (row_info->bit_depth == 8)
+      if (row_info->bit_depth == 8)
       {
          {
             if (trans_alpha != NULL)
             {
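Review bot: dropping the `else` only gives the intended fall-through if the block above also sets `row_info->bit_depth = 8` together with the visible `pixel_depth` and `rowbytes` assignments; confirm that, since otherwise `if (row_info->bit_depth == 8)` still skips rows just widened from a lower depth and they stay one byte per pixel. A one-line comment stating that this block is meant to run after the sub-8-bit expansion would stop a later cleanup from reintroducing the `else`, which is how 1.5.0 acquired the bug according to the comment below.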

From talking with upstream, the first change was to make libpng more robust against internal programming errors.  This change does not correct the flaw itself.  It is also in a private libpng function (png_do_rgb_to_gray()) that cannot be used in a remote attack, nor can it be called by an application.

The second hunk, with the extra "else" fixes this actual bug.

In 1.4 and previous, the second hunk is not relevant as that code does not exist.  The change was made in 1.5.0 in an attempt to simplify a switch statement.  So this flaw only affects 1.5.0, and not any earlier versions of libpng.

Statement:

Not vulnerable. This issue did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 4, 5, or 6.  This issue did not affect the versions of libpng10 as shipped with Red Hat Enterprise Linux 4.
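As an added example (not code from this bug report or from libpng), a simplified C model of the control flow the second hunk changes: a two-stage palette expansion in which an `else if` between the stages, as in 1.5.0, skips the index-to-RGB step for rows that were just widened from a sub-8-bit depth, leaving the row smaller than its consumer believes. The struct layout, function names and the 256-entry RGB palette format are assumptions, not libpng's.

```c
/* Added simplified model of the "else if" bug in the second hunk; not libpng's
 * code, and the struct/function names are assumed. Stage 1 widens 1/2/4-bit
 * indices to one byte each; stage 2 turns 8-bit indices into RGB triples. */
#include <stddef.h>
#include <stdint.h>

struct row_info { unsigned bit_depth, pixel_depth; size_t width, rowbytes; };

/* Stage 1: unpack in place, last pixel first (each source byte is read before
 * it can be overwritten); row must hold at least width bytes. */
static void widen_indices(uint8_t *row, struct row_info *ri)
{
    unsigned bd = ri->bit_depth, per_byte = 8 / bd, mask = (1u << bd) - 1;
    for (size_t i = ri->width; i-- > 0;) {
        unsigned shift = 8 - bd * (unsigned)(i % per_byte + 1);
        row[i] = (row[i / per_byte] >> shift) & mask;
    }
    ri->bit_depth = ri->pixel_depth = 8;
    ri->rowbytes = ri->width;
}

/* Stage 2: index -> RGB in place, last pixel first; row must hold 3*width bytes. */
static void indices_to_rgb(uint8_t *row, struct row_info *ri,
                           const uint8_t palette[][3])
{
    for (size_t i = ri->width; i-- > 0;) {
        const uint8_t *c = palette[row[i]];
        row[3 * i] = c[0]; row[3 * i + 1] = c[1]; row[3 * i + 2] = c[2];
    }
    ri->pixel_depth = 24;
    ri->rowbytes = 3 * ri->width;
}

/* Mirrors the hunk: use_else=1 is 1.5.0's "else if", 0 the fixed "if".
 * Returns the resulting pixel depth; 24 means the row really is RGB now. */
unsigned expand_palette(uint8_t *row, struct row_info *ri,
                        const uint8_t palette[][3], int use_else)
{
    int widened = 0;
    if (ri->bit_depth < 8) { widen_indices(row, ri); widened = 1; }
    if ((!use_else || !widened) && ri->bit_depth == 8)
        indices_to_rgb(row, ri, palette);
    return ri->pixel_depth;
}

/* Consumer-side check before reading the row as RGB; 0 means a read would overrun. */
int row_is_rgb_sized(const struct row_info *ri)
{
    return ri->pixel_depth == 24 && ri->rowbytes == 3 * ri->width;
}
```

With the 1.5.0-style `else if`, a 2-bit row comes back with pixel_depth 8 and rowbytes equal to the width, so a consumer that trusts the "expanded to RGB" state reads three times as many bytes as the row holds.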

