Red Hat Bugzilla – Bug 720608
CVE-2011-2691 libpng: Crash in png_default_error due to use of NULL Pointer
Last modified: 2011-07-21 03:42:47 EDT
It was found that in libpng, prior to 1.2.45, the error function
received a NULL pointer, expressed erroneously as '\0', instead of
the empty string "". This error was introduced in libpng-1.2.20,
and png_default_error() will crash in this case.
This was be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45,
This has been assigned CVE-2011-2691
Created libpng tracking bugs for this issue
Affects: fedora-all [bug 721307]
Hmmm .... now that I look more closely, the erroneous code for this is compiled only if PNG_NO_ERROR_TEXT is defined, which it isn't in our builds. So while this may be an actual problem for some people trying to build minimally-sized embedded copies of libpng, I don't think it's an issue for most distributions.
This flaw only affects libpng packages which are build with PNG_NO_ERROR_TEXT defined.
Looking at pngconf.h:
153 #if !defined(PNG_NO_ERROR_EXT) && !defined(PNG_ERROR_TEXT_SUPPORTED)
154 # define PNG_ERROR_TEXT_SUPPORTED
if PNG_NO_ERROR_EXT is defined it causes PNG_ERROR_TEXT_SUPPORTED to be not-defined.
If you now look at the vulnerable code at pngerror.c:
38 #ifdef PNG_ERROR_TEXT_SUPPORTED
39 void PNGAPI
40 png_error(png_structp png_ptr, png_const_charp error_message)
87 void PNGAPI
88 png_err(png_structp png_ptr)
95 if (png_ptr != NULL && png_ptr->error_fn != NULL)
96 (*(png_ptr->error_fn))(png_ptr, "");
102 #endif /* PNG_ERROR_TEXT_SUPPORTED */
We can clearly see that the vulnerable code is not triggered if PNG_NO_ERROR_TEXT is defined.
Packages shipped with Red Hat Enterprise Linux 4, 5, 6 and Fedora 14 and 15 do not have this option enabled and hence are not affected.
Not vulnerable. This issue did not affect the versions of libpng as
shipped with Red Hat Enterprise Linux 4, 5, or 6.