Bug 690200 (CVE-2006-7244, CVE-2009-5063) - libpng10, libpng: Memory leak by write of iCCP chunk with negative embedded profile length (CVE-2006-7244, CVE-2009-5063)
Summary: libpng10, libpng: Memory leak by write of iCCP chunk with negative embedded p...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2006-7244, CVE-2009-5063
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-23 15:03 UTC by Jan Lieskovsky
Modified: 2021-02-24 16:15 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-04-07 20:06:56 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2011-03-23 15:03:25 UTC
A memory leak was found in the way libpng, PNG image format files
manipulating library, processed image files with negative length
of embedded International Color Consortium (ICC) profile chunk.
A remote attacker could provide a specially-crafted JPEG image
format file and trick the local user into opening it with an
application linked against libpng, which would result in
denial of service (excessive memory consumption or that particular
application crash).

References:
[1] http://www.openwall.com/lists/oss-security/2011/03/22/7 (CVE Request)

Comment 2 Jan Lieskovsky 2011-03-23 15:08:41 UTC
This issue did NOT affect the version of the libpng10 package, as shipped
with Red Hat Enterprise Linux 4.

This issue did NOT affect the versions of the libpng package, as shipped
with Red Hat Enterprise Linux 4, 5, and 6.

--

This issue did NOT affect the versions of the libpng10 package, as shipped
with Fedora release of 13 and 14 and as present within EPEL-6 repository,
as they already contain a fix for the issue.

This issue did NOT affect the versions of the libpng package, as shipped
with Fedora release of 13 and 14, as they already include the fix for
the issue.

Comment 3 Paul Howarth 2011-03-23 15:17:09 UTC
For completeness, it's also worth noting that there is no EPEL-5 package of libpng10, nor was it shipped with Red Hat Enterprise Linux 5.

Comment 4 Tom Lane 2011-03-23 15:44:20 UTC
In the current RHEL4 and RHEL5 packages, the embedded profile length is simply ignored.  While that might be a bug in itself, there's no security impact AFAICS.

Comment 5 Josh Bressers 2011-04-07 20:03:23 UTC
Statement:

These flaws do not affect any version of libpng shipped with Red Hat Enterprise Linux.


Note You need to log in before you can comment on or make changes to this bug.