Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5907 to the following vulnerability:

The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer. NOTE: some sources incorrectly report this as a double free vulnerability.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907
http://openwall.com/lists/oss-security/2009/01/09/1
http://sourceforge.net/mailarchive/forum.php?thread_name=4B6F0239C13D0245820603C036D180BC79FBAA%40CABOTUKEXCH01.cabot.local&forum_name=png-mng-implement
http://libpng.sourceforge.net/index.html

Proposed patch from the reporter:
This should probably be: (*new_key)[79] = '\0';
This issue affects all versions of the libpng package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. This issue affects all versions of the libpng and libpng10 packages, as shipped with Fedora releases 9, 10 and devel. Please fix.
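The flaw is easier to see in code than in the CVE wording. The following is an added, self-contained C model of the keyword check; it is example code written for this page, not libpng's png_check_keyword and not part of the bug report, and the function and struct names (check_keyword_buggy, check_keyword_fixed, run_variant, struct outcome) are my own. The second parameter has the same shape as libpng's png_charpp: the address of a pointer variable owned by the caller. Because of that type, `new_key[79] = '\0'` does not touch the copied string at all: it indexes 79 pointer-widths past the caller's variable and, since '\0' is an integer constant 0 and therefore a null pointer constant, stores a NULL pointer there. The harness below points new_key at an 80-entry pointer array so that the stray store lands in memory we can inspect instead of on the caller's stack.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_MAX 79   /* PNG keywords are limited to 1..79 bytes */

/* Toy stand-in for the keyword check (not libpng's code): copy `key` into a
 * fresh buffer handed back through *new_key and report the clamped length.
 * The over-length branch reproduces the faulty statement from the CVE:
 * new_key is a char **, so new_key[KEY_MAX] is the 80th POINTER slot after
 * the caller's variable, and '\0' silently converts to a null pointer.
 * The string itself is never truncated. */
static size_t check_keyword_buggy(const char *key, char **new_key)
{
    size_t key_len = strlen(key);

    *new_key = malloc(key_len + 2);
    if (*new_key == NULL)
        return 0;
    memcpy(*new_key, key, key_len + 1);

    if (key_len > KEY_MAX) {
        new_key[KEY_MAX] = '\0';     /* BUG: stores a NULL char* out of bounds */
        key_len = KEY_MAX;
    }
    return key_len;
}

/* Same routine with the reporter's one-character fix: dereference first, so
 * the store is a single zero byte at index 79 of the copied keyword. */
static size_t check_keyword_fixed(const char *key, char **new_key)
{
    size_t key_len = strlen(key);

    *new_key = malloc(key_len + 2);
    if (*new_key == NULL)
        return 0;
    memcpy(*new_key, key, key_len + 1);

    if (key_len > KEY_MAX) {
        (*new_key)[KEY_MAX] = '\0';  /* FIX: terminates the string at 79 */
        key_len = KEY_MAX;
    }
    return key_len;
}

/* What actually happened in memory after one run of the check. */
struct outcome {
    size_t reported_len;   /* length the check returned */
    size_t real_len;       /* strlen() of the copied keyword */
    int    slot79_zeroed;  /* 1 if pointer slot 79 became NULL */
};

static char sentinel;      /* any non-NULL address to pre-fill the slots */

/* Instead of a lone `char *new_key` local (as in a real caller, where slot 79
 * is whatever sits 79 pointer-widths away on the stack), hand the check the
 * first element of an 80-entry pointer array so the stray store stays inside
 * an object we own and there is no undefined behaviour. */
static struct outcome run_variant(int use_fixed)
{
    struct outcome out;
    char *slots[KEY_MAX + 1];
    char key[100];                       /* constructed 99-byte keyword */
    size_t i;

    memset(key, 'A', sizeof key - 1);
    key[sizeof key - 1] = '\0';
    for (i = 0; i <= KEY_MAX; i++)
        slots[i] = &sentinel;

    out.reported_len = use_fixed ? check_keyword_fixed(key, &slots[0])
                                 : check_keyword_buggy(key, &slots[0]);
    out.slot79_zeroed = (slots[KEY_MAX] == NULL);
    out.real_len = strlen(slots[0]);
    free(slots[0]);
    return out;
}

int main(void)
{
    struct outcome b = run_variant(0), f = run_variant(1);

    printf("buggy: reported=%zu real=%zu slot79_zeroed=%d\n",
           b.reported_len, b.real_len, b.slot79_zeroed);
    printf("fixed: reported=%zu real=%zu slot79_zeroed=%d\n",
           f.reported_len, f.real_len, f.slot79_zeroed);
    return 0;
}
```

With the buggy variant the check reports 79 but the copy is still 99 bytes long and pointer slot 79 has been zeroed; with the fix the copy is cut to 79 bytes and slot 79 is untouched. In the real library the zeroed location is fixed relative to the caller's pointer variable rather than chosen by the attacker, which is why Red Hat's assessment below, that the code path is only reachable when an application writes an over-length keyword, matters for the severity.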
Closing due to http://openwall.com/lists/oss-security/2009/01/09/1, overlooked this part :(.
Red Hat does not consider CVE-2008-5907 to be a security vulnerability. The affected function, which validates the format of the special keywords in the chunks that make up a PNG image file, is used only when writing such improperly formatted keywords into the particular chunks of the resulting PNG files, not when reading them. Also, in typical usage the keywords being checked would be constant strings in the applications, making them even less likely to trigger the over-length error.