Bug 239425 (CVE-2007-2445) - CVE-2007-2445 libpng png_handle_tRNS flaw
Summary: CVE-2007-2445 libpng png_handle_tRNS flaw
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-2445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 239541 239542 239543
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-05-08 12:01 UTC by Mark J. Cox
Modified: 2019-09-29 12:20 UTC (History)
2 users (show)

Fixed In Version: RHSA-2007-0356
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-17 21:46:14 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0356 normal SHIPPED_LIVE Moderate: libpng security update 2008-01-07 22:10:39 UTC

Description Mark J. Cox 2007-05-08 12:01:54 UTC
"From:    Glenn Randers-Pehrson <glennrp@comcast.net>

A security bug has been reported to mozilla.

It seems that a grayscale image with a malformed (bad CRC) tRNS chunk
will crash libpng and mozilla.  In my experience it also brought down
my Windows display manager.

The reason is that png_ptr->num_trans is set to 1 and then there is
an error return after checking the CRC, so the trans[] array is never
allocated.  Since png_ptr->num_trans is nonzero, libpng tries to use
the array later.  Here is the fix, thanks to Mats Palmgren:

At line 1316 of pngrutil.c, change

   if (png_crc_finish(png_ptr, 0))
      return;

to

   if (png_crc_finish(png_ptr, 0))
   {
      png_ptr->num_trans = 0;
      return;
   }

Libpng-1.2.17rc1 does not contain this fix."

Allocated CVE-2007-2445
This issue is not currently public

Acknowledgements:

Red Hat would like to thank Glenn Randers-Pehrson, Mats Palmgren, and Tavis Ormandy for supplying details and patches for this issue.

Comment 2 Tom Lane 2007-05-13 15:57:15 UTC
The bug report seems slightly in error: as best I can tell, the failure can only occur with palette-color 
PNGs, not grayscale ones.  (There is a suitable image attached to bug #239542.)

Also, note that merely reading a corrupted file will not induce a crash; the application must ask libpng to 
perform an image transformation that requires use of the transparency information.  I have not been able 
to crash pngtopnm for instance.  However, opening a corrupted file in Firefox crashes.

Comment 3 Mark J. Cox 2007-05-17 08:34:40 UTC
now public, removing embargo

Comment 6 Red Hat Bugzilla 2007-05-17 21:46:14 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0356.html



Note You need to log in before you can comment on or make changes to this bug.