Bug 239425 (CVE-2007-2445) - CVE-2007-2445 libpng png_handle_tRNS flaw
Summary: CVE-2007-2445 libpng png_handle_tRNS flaw
Alias: CVE-2007-2445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 239541 239542 239543
Reported: 2007-05-08 12:01 UTC by Mark J. Cox
Modified: 2019-09-29 12:20 UTC (History)

Fixed In Version: RHSA-2007-0356
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-05-17 21:46:14 UTC

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0356 normal SHIPPED_LIVE Moderate: libpng security update 2008-01-07 22:10:39 UTC

Description Mark J. Cox 2007-05-08 12:01:54 UTC
"From:    Glenn Randers-Pehrson <glennrp@comcast.net>

A security bug has been reported to mozilla.

It seems that a grayscale image with a malformed (bad CRC) tRNS chunk
will crash libpng and mozilla.  In my experience it also brought down
my Windows display manager.

The reason is that png_ptr->num_trans is set to 1 and then there is
an error return after checking the CRC, so the trans[] array is never
allocated.  Since png_ptr->num_trans is nonzero, libpng tries to use
the array later.  Here is the fix, thanks to Mats Palmgren:

At line 1316 of pngrutil.c, change

   if (png_crc_finish(png_ptr, 0))

to

   if (png_crc_finish(png_ptr, 0))
      png_ptr->num_trans = 0;

Libpng-1.2.17rc1 does not contain this fix."

Allocated CVE-2007-2445
This issue is not currently public


Red Hat would like to thank Glenn Randers-Pehrson, Mats Palmgren, and Tavis Ormandy for supplying details and patches for this issue.

Comment 2 Tom Lane 2007-05-13 15:57:15 UTC
The bug report seems slightly in error: as best I can tell, the failure can only occur with palette-color PNGs, not grayscale ones.  (There is a suitable image attached to bug #239542.)

Also, note that merely reading a corrupted file will not induce a crash; the application must ask libpng to perform an image transformation that requires use of the transparency information.  I have not been able to crash pngtopnm for instance.  However, opening a corrupted file in Firefox crashes.
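The state sequence described in the report (num_trans set, CRC mismatch, early return, trans[] never allocated) and Tom Lane's observation that the crash only surfaces when a later transform consumes the transparency data can be shown together in a small model. The following C program is an added example, not libpng code and not part of this bug report: the struct, the handle_trns() and expand_alpha() functions, the crc_ok flag standing in for png_crc_finish(), and the sample tRNS bytes are all constructed here. The model returns -1 where real libpng would dereference the unallocated array, so the would-be crash can be observed without one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the libpng fields involved in CVE-2007-2445.
 * This is not libpng's png_struct; only the names from the report are kept. */
typedef struct {
    int color_type;        /* 3 = palette image (PNG_COLOR_TYPE_PALETTE) */
    int num_trans;         /* number of transparency entries libpng believes it has */
    unsigned char *trans;  /* transparency array; NULL until allocated */
} png_model;

/* Model of png_handle_tRNS() for a palette image. 'crc_ok' stands in for
 * the result of png_crc_finish(); 'fixed' selects the patched behaviour
 * from the report (reset num_trans to 0 on a CRC error). */
static void handle_trns(png_model *p, const unsigned char *chunk, size_t len,
                        int crc_ok, int fixed)
{
    if (p->color_type == 3)
        p->num_trans = (int)len;   /* set BEFORE the CRC is verified */

    if (!crc_ok) {                 /* png_crc_finish() reported a mismatch */
        if (fixed)
            p->num_trans = 0;      /* the fix: forget the count we just set */
        return;                    /* error return: trans[] is never allocated */
    }

    p->trans = malloc(len);
    if (p->trans != NULL)
        memcpy(p->trans, chunk, len);
}

/* Model of a later transform (tRNS expanded to an alpha channel) that trusts
 * num_trans. Real libpng has no NULL check here; the model returns -1 where
 * libpng would read through the unallocated pointer. */
static int expand_alpha(const png_model *p, unsigned char palette_index)
{
    if (p->num_trans == 0)
        return 255;                /* no transparency info: fully opaque */
    if (p->trans == NULL)
        return -1;                 /* num_trans nonzero but trans[] missing: crash path */
    if (palette_index < (unsigned)p->num_trans)
        return p->trans[palette_index];
    return 255;                    /* entries beyond the chunk are opaque */
}

/* Run one decode: parse a constructed 2-entry tRNS chunk, then transform.
 * Returns the alpha value the transform produced, or -1 for the crash path. */
int scenario(int crc_ok, int fixed, unsigned char palette_index)
{
    static const unsigned char trns_chunk[] = { 0x00, 0x80 }; /* constructed sample */
    png_model p = { 3, 0, NULL };
    int alpha;

    handle_trns(&p, trns_chunk, sizeof trns_chunk, crc_ok, fixed);
    alpha = expand_alpha(&p, palette_index);
    free(p.trans);
    return alpha;
}

int main(void)
{
    printf("good CRC, unpatched: alpha=%d\n", scenario(1, 0, 1));
    printf("bad CRC,  unpatched: alpha=%d  (num_trans left nonzero: crash in libpng)\n",
           scenario(0, 0, 1));
    printf("bad CRC,  patched:   alpha=%d  (num_trans reset, chunk ignored)\n",
           scenario(0, 1, 1));
    return 0;
}
```

Note that merely running handle_trns() with a bad CRC never faults in either variant; the defect only becomes reachable once expand_alpha() is invoked, which matches the observation above that a reader that requests no transparency-dependent transform (pngtopnm) does not crash while one that does (Firefox) does.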

Comment 3 Mark J. Cox 2007-05-17 08:34:40 UTC
now public, removing embargo

Comment 6 Red Hat Bugzilla 2007-05-17 21:46:14 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

