Bug 720607 - (CVE-2011-2690) CVE-2011-2690 libpng: buffer overwrite in png_rgb_to_gray
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20110707,reported=20110707,sou...
Keywords: Security
Depends On: 721303 721304 721305 721306 721307 721309 721310 721311 721312 802166
Blocks: 717086

Reported: 2011-07-12 05:09 EDT by Huzaifa S. Sidhpurwala
Modified: 2015-11-24 09:39 EST
Doc Type: Bug Fix
Last Closed: 2012-07-18 05:00:38 EDT

Attachments: None
Description Huzaifa S. Sidhpurwala 2011-07-12 05:09:27 EDT
libpng overwrites unallocated memory when promoting a paletted image with transparency (one channel) to gray-alpha (two channels), only if the application calls png_rgb_to_gray() but fails to call png_set_expand().

This bug exists in all released versions of libpng (1.0, 1.2, 1.4 and 1.5).
The data overwritten is entirely controlled by the image data in the PNG file and it is possible to cause any string of data to be written by fabricating an appropriate PNG file. The amount of overwrite is equal to the row length of the original image.

This has been fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.
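The following is an added example, not code from the bug report or from libpng. It builds the kind of file the description talks about (a colour-type-3 paletted PNG carrying a tRNS chunk, i.e. one channel plus transparency), parses a PNG back to recognise that input class, and computes the row length of the original image, which the report names as the size of the overwrite. It also models the application-side condition the report states: for such input, a transform plan with rgb-to-gray but no expand is the unsafe one. Assumptions: the row-length formula is libpng's PNG_ROWBYTES arithmetic, (width * bit_depth * channels + 7) // 8; the transform names are the libpng setters png_set_rgb_to_gray() and png_set_expand() (the report abbreviates the former as png_rgb_to_gray()); the sample image, palette and alpha values are constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# PNG colour types mapped to the channel count of the untransformed data
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}
PALETTE = 3


def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    body = ctype + data
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + body + struct.pack(">I", crc)


def make_paletted_png(width, height, palette, pixels, alphas=None):
    """Constructed sample: an 8-bit colour-type-3 (indexed) PNG.

    With `alphas` given, a tRNS chunk follows PLTE, which is the
    one-channel-with-transparency input the report describes. Without
    it the file is a plain paletted image with no transparency.
    """
    if len(pixels) != width * height:
        raise ValueError("pixel count does not match geometry")
    ihdr = struct.pack(">IIBBBBB", width, height, 8, PALETTE, 0, 0, 0)
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    out += _chunk(b"PLTE", b"".join(bytes(rgb) for rgb in palette))
    if alphas is not None:
        out += _chunk(b"tRNS", bytes(alphas))
    # filter type 0 (None) in front of every scanline, then zlib-compressed
    raw = b"".join(
        b"\x00" + bytes(pixels[y * width:(y + 1) * width]) for y in range(height)
    )
    out += _chunk(b"IDAT", zlib.compress(raw))
    return out + _chunk(b"IEND", b"")


def iter_chunks(data):
    """Walk the chunk stream, checking each CRC, and stop at IEND."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def png_rowbytes(width, bit_depth, channels):
    """Bytes in one untransformed row (assumed PNG_ROWBYTES arithmetic)."""
    return (width * bit_depth * channels + 7) // 8


def analyze(data):
    """Return (is_paletted_with_trns, rowbytes) for a PNG byte string.

    The first value says whether the file is in the input class from the
    report (colour type 3 plus tRNS); the second is the row length of the
    original image, which the report gives as the size of the overwrite.
    """
    ihdr = None
    has_trns = False
    for ctype, body in iter_chunks(data):
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"tRNS":
            has_trns = True
    if ihdr is None:
        raise ValueError("missing IHDR")
    width, _height, bit_depth, color_type = ihdr[:4]
    return (color_type == PALETTE and has_trns,
            png_rowbytes(width, bit_depth, CHANNELS[color_type]))


def transform_sequence_is_safe(transforms, paletted_with_trns):
    """Model of the application-side condition stated in the report.

    `transforms` lists the png_set_* calls made before reading rows.
    For paletted-with-tRNS input, png_set_rgb_to_gray without
    png_set_expand is the combination the report says overwrites memory
    on unfixed libpng; any other input or combination is not this bug.
    """
    if not paletted_with_trns:
        return True
    return not ("png_set_rgb_to_gray" in transforms
                and "png_set_expand" not in transforms)
```

Usage: `sample = make_paletted_png(4, 2, [(255, 0, 0), (0, 0, 255)], [0, 1, 1, 0, 1, 0, 0, 1], alphas=[255, 0])` gives a file for which `analyze(sample)` returns `(True, 4)`, and `transform_sequence_is_safe(["png_set_rgb_to_gray"], True)` is False while adding `"png_set_expand"` to the list makes it True. The model only encodes the condition the report states; it says nothing about libpng's internal row handling, and the real remedy is the fixed versions listed above.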
Comment 1 Huzaifa S. Sidhpurwala 2011-07-13 00:41:25 EDT
This has been assigned CVE-2011-2690
Comment 5 Huzaifa S. Sidhpurwala 2011-07-14 05:04:25 EDT
Created libpng tracking bugs for this issue

Affects: fedora-all [bug 721307]
Comment 6 Huzaifa S. Sidhpurwala 2011-07-14 05:04:28 EDT
Created libpng10 tracking bugs for this issue

Affects: fedora-all [bug 721309]
Affects: epel-6 [bug 721310]
Comment 7 Huzaifa S. Sidhpurwala 2011-07-14 05:04:32 EDT
Created mingw32-libpng tracking bugs for this issue

Affects: fedora-all [bug 721311]
Affects: epel-5 [bug 721312]
Comment 13 Tom Lane 2011-07-26 17:54:52 EDT
Further investigation shows that this bug is not aboriginal in libpng, but was introduced in 1.2.9 (and whichever was the contemporary version of 1.0.x).  This means it doesn't exist in RHEL4, where we're still shipping 1.2.7.  Haven't looked yet at the libpng10 situation.
Comment 14 errata-xmlrpc 2011-07-28 14:11:52 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1104 https://rhn.redhat.com/errata/RHSA-2011-1104.html
Comment 15 errata-xmlrpc 2011-07-28 14:22:55 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1105 https://rhn.redhat.com/errata/RHSA-2011-1105.html