Bug 720608 - (CVE-2011-2691) CVE-2011-2691 libpng: Crash in png_default_error due to use of NULL Pointer
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Blocks: 717086
Reported: 2011-07-12 05:13 EDT by Huzaifa S. Sidhpurwala
Modified: 2011-07-21 03:42 EDT
Last Closed: 2011-07-21 03:42:47 EDT
Description Huzaifa S. Sidhpurwala 2011-07-12 05:13:38 EDT
It was found that in libpng, prior to 1.2.45, the error function 
received a NULL pointer, expressed erroneously as '\0', instead of 
the empty string "".  This error was introduced in libpng-1.2.20, 
and png_default_error() will crash in this case.  

This was fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, 
and libpng-1.0.55.

Comment 1 Huzaifa S. Sidhpurwala 2011-07-13 00:42:13 EDT
This has been assigned CVE-2011-2691
Comment 3 Huzaifa S. Sidhpurwala 2011-07-14 05:05:23 EDT
Created libpng tracking bugs for this issue

Affects: fedora-all [bug 721307]
Comment 5 Tom Lane 2011-07-19 10:48:57 EDT
Hmmm .... now that I look more closely, the erroneous code for this is compiled only if PNG_NO_ERROR_TEXT is defined, which it isn't in our builds.  So while this may be an actual problem for some people trying to build minimally-sized embedded copies of libpng, I don't think it's an issue for most distributions.
Comment 7 Huzaifa S. Sidhpurwala 2011-07-21 03:42:32 EDT
This flaw only affects libpng packages which are built with PNG_NO_ERROR_TEXT defined.

Looking at pngconf.h:

 153 #if !defined(PNG_NO_ERROR_TEXT) && !defined(PNG_ERROR_TEXT_SUPPORTED)
 155 #endif

If PNG_NO_ERROR_TEXT is defined, PNG_ERROR_TEXT_SUPPORTED is left undefined.

If you now look at the vulnerable code at pngerror.c:

 39 void PNGAPI
 40 png_error(png_structp png_ptr, png_const_charp error_message)

 86 #else
 87 void PNGAPI
 88 png_err(png_structp png_ptr)

 95    if (png_ptr != NULL && png_ptr->error_fn != NULL)
 96       (*(png_ptr->error_fn))(png_ptr, "");


We can clearly see that the vulnerable code is not triggered if PNG_NO_ERROR_TEXT is defined.

Packages shipped with Red Hat Enterprise Linux 4, 5, 6 and Fedora 14 and 15 do not have this option enabled and hence are not affected.


Not vulnerable. This issue did not affect the versions of libpng as
shipped with Red Hat Enterprise Linux 4, 5, or 6.

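To make the null-pointer subtlety discussed in the comments above concrete, here is an added C model (not libpng's code; the struct, handler and function names are hypothetical stand-ins) of png_err() as compiled with PNG_NO_ERROR_TEXT in its affected and corrected forms. The handler records a NULL message instead of dereferencing it, which is what a real png_default_error would do via fprintf/strlen.

```c
/* Added example, not libpng's code: a model of the CVE-2011-2691 pattern.
 * When libpng is built with PNG_NO_ERROR_TEXT, png_err() hands the error
 * callback a message argument. Affected versions passed '\0', which is an
 * integer constant with value 0 and therefore a null pointer constant, so
 * the callback silently received NULL instead of the empty string "". */
#include <stddef.h>
#include <stdio.h>

typedef void (*error_fn_t)(void *ctx, const char *msg);

struct png_like {               /* hypothetical stand-in for png_struct */
    error_fn_t error_fn;
    int got_null_message;       /* recorded instead of crashing */
};

/* Modelled on png_default_error: a real handler prints the message, and
 * passing NULL to fprintf("%s")/strlen there is the crash. This one checks. */
static void default_error(void *ctx, const char *msg)
{
    struct png_like *p = ctx;
    if (msg == NULL) {          /* the CVE-2011-2691 condition */
        p->got_null_message = 1;
        return;
    }
    fprintf(stderr, "libpng error: %s\n", msg);
}

/* png_err() as compiled with PNG_NO_ERROR_TEXT before the fix. */
static int png_err_buggy(struct png_like *p)
{
    if (p == NULL) return 0;
    p->got_null_message = 0;
    if (p->error_fn != NULL)
        (*(p->error_fn))(p, '\0');  /* '\0' converts to a NULL pointer */
    return p->got_null_message;     /* 1: the handler saw NULL */
}

/* The corrected call, as in the pngerror.c line 96 quoted above. */
static int png_err_fixed(struct png_like *p)
{
    if (p == NULL) return 0;
    p->got_null_message = 0;
    if (p->error_fn != NULL)
        (*(p->error_fn))(p, "");    /* one-byte empty string, never NULL */
    return p->got_null_message;     /* 0: the handler got "" */
}

int demo_buggy(void) { struct png_like p = { default_error, 0 }; return png_err_buggy(&p); }
int demo_fixed(void) { struct png_like p = { default_error, 0 }; return png_err_fixed(&p); }
```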