Bug 720607 (CVE-2011-2690) - CVE-2011-2690 libpng: buffer overwrite in png_rgb_to_gray
Summary: CVE-2011-2690 libpng: buffer overwrite in png_rgb_to_gray
Status: CLOSED ERRATA
Alias: CVE-2011-2690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110707,reported=20110707,sou...
Keywords: Security
Depends On: 721303 721304 721305 721306 721307 721309 721310 721311 721312 802166
Blocks: 717086
TreeView+ depends on / blocked
 
Reported: 2011-07-12 09:09 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-06-08 18:52 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2012-07-18 09:00:38 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1104 normal SHIPPED_LIVE Moderate: libpng security update 2011-07-28 18:11:47 UTC
Red Hat Product Errata RHSA-2011:1105 normal SHIPPED_LIVE Moderate: libpng security update 2011-07-28 18:22:47 UTC

Description Huzaifa S. Sidhpurwala 2011-07-12 09:09:27 UTC
libpng overwrites unallocated memory when promoting a paletted image with 
transparency (one channel) to gray-alpha (two channels), only if the 
application calls png_rgb_to_gray() but fails to call png_set_expand().

This bug exists in all released versions of libpng (1.0, 1.2, 1.4 and 1.5).
The data overwritten is entirely controlled by the image data in the PNG file and it is possible to cause any string of data to be written by fabricating an appropriate PNG file.  The amount of overwrite is equal to the row length of the original image. 

This has been fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.

Comment 1 Huzaifa S. Sidhpurwala 2011-07-13 04:41:25 UTC
This has been assigned CVE-2011-2690

Comment 5 Huzaifa S. Sidhpurwala 2011-07-14 09:04:25 UTC
Created libpng tracking bugs for this issue

Affects: fedora-all [bug 721307]

Comment 6 Huzaifa S. Sidhpurwala 2011-07-14 09:04:28 UTC
Created libpng10 tracking bugs for this issue

Affects: fedora-all [bug 721309]
Affects: epel-6 [bug 721310]

Comment 7 Huzaifa S. Sidhpurwala 2011-07-14 09:04:32 UTC
Created mingw32-libpng tracking bugs for this issue

Affects: fedora-all [bug 721311]
Affects: epel-5 [bug 721312]

Comment 13 Tom Lane 2011-07-26 21:54:52 UTC
Further investigation shows that this bug is not aboriginal in libpng, but was introduced in 1.2.9 (and whichever was the contemporary version of 1.0.x).  This means it doesn't exist in RHEL4, where we're still shipping 1.2.7.  Haven't looked yet at the libpng10 situation.

Comment 14 errata-xmlrpc 2011-07-28 18:11:52 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1104 https://rhn.redhat.com/errata/RHSA-2011-1104.html

Comment 15 errata-xmlrpc 2011-07-28 18:22:55 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1105 https://rhn.redhat.com/errata/RHSA-2011-1105.html


Note You need to log in before you can comment on or make changes to this bug.