461599 – (CVE-2008-3964) CVE-2008-3964 libpng: off-by-one error in png_push_read_zTXt()

Bug 461599 (CVE-2008-3964) - CVE-2008-3964 libpng: off-by-one error in png_push_read_zTXt()

Summary: CVE-2008-3964 libpng: off-by-one error in png_push_read_zTXt()

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-3964
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	461620
Blocks:
TreeView+	depends on / blocked

Reported:	2008-09-09 11:47 UTC by Tomas Hoger
Modified:	2021-11-12 19:52 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-09-10 07:33:01 UTC
Embargoed:

Attachments	(Terms of Use)

Description Tomas Hoger 2008-09-09 11:47:09 UTC

libpng upstream version 1.2.32beta01 fixes an insufficient memory allocation flaw in the "png_push_read_zTXt()" function in pngpread.c, that results in a write of once null byte past the end of allocated buffer.

References:
http://sourceforge.net/project/shownotes.php?release_id=624518
http://www.openwall.com/lists/oss-security/2008/09/09/3

Upstream bug report:
http://sourceforge.net/tracker/index.php?func=detail&aid=2095669&group_id=5624&atid=105624

As noted in the upstream bug report, this issue was introduced upstream in libpng-1.2.30beta04 and currently only affect 1.2.31 as available in Fedora Rawhide.  Versions of libpng as shipped in Red Hat Enterprise Linux 2.1, 3, 4 and 5 are not affected by this flaw.

Comment 3 Tomas Hoger 2008-09-10 07:33:01 UTC

Fixed now in Fedora Rawhide, no other affected product -> closing.

Note You need to log in before you can comment on or make changes to this bug.