Description of problem:
http://www.libpng.org/pub/png/libpng.html

Several versions of libpng through 1.4.2 (and through 1.2.43 in the older series) contain a bug whereby progressive applications such as web browsers (or the rpng2 demo app included in libpng) could receive an extra row of image data beyond the height reported in the header, potentially leading to an out-of-bounds write to memory (depending on how the application is written) and the possibility of execution of an attacker's code with the privileges of the libpng user (including remote compromise in the case of a libpng-based browser visiting a hostile web site).

This vulnerability has been assigned ID CVE-2010-1205 (via Mozilla).

An additional memory-leak bug, involving images with malformed sCAL chunks, is also present; it could lead to an application crash (denial of service) when viewing such images.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
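The report above says the impact "depends on how the application is written": a progressive reader that sizes its pixel buffer from the IHDR height and trusts the row index the decoder hands to its row callback will write past that buffer when an extra row arrives. The following is an added example, not code from libpng, Mozilla or the reporter. It uses a hypothetical stand-in `image_t` instead of libpng's types and a constructed `feed_rows()` in place of the real decoder; the allocation carries one extra guard row so that the over-write can be observed without the demo itself touching memory outside its allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_BYTE 0xA5

/* Hypothetical stand-in for an application's decoded-image state (not libpng's
 * png_struct/png_info): the IHDR height, the row stride, and a pixel buffer
 * sized from those two values, plus counters for the demo. */
typedef struct {
    uint32_t height;        /* rows promised by IHDR */
    size_t   rowbytes;      /* bytes per row */
    uint8_t *pixels;        /* height * rowbytes, followed by one guard row */
    uint32_t rows_seen;     /* rows the callback actually stored */
    uint32_t rows_rejected; /* rows the hardened callback refused */
} image_t;

static image_t *image_new(uint32_t height, size_t rowbytes)
{
    image_t *img = calloc(1, sizeof *img);
    if (img == NULL)
        return NULL;
    img->height = height;
    img->rowbytes = rowbytes;
    /* One extra guard row: an over-write by one row lands here, not in UB. */
    img->pixels = malloc(((size_t)height + 1) * rowbytes);
    if (img->pixels == NULL) {
        free(img);
        return NULL;
    }
    memset(img->pixels, GUARD_BYTE, ((size_t)height + 1) * rowbytes);
    return img;
}

/* Vulnerable pattern: the decoder's row index is trusted and used directly
 * to address a buffer that was sized from the header height. */
static void row_callback_unchecked(image_t *img, const uint8_t *new_row, uint32_t row_num)
{
    memcpy(img->pixels + (size_t)row_num * img->rowbytes, new_row, img->rowbytes);
    img->rows_seen++;
}

/* Hardened pattern: the row index is untrusted input; bound it by the height
 * the application actually allocated for and refuse anything beyond it. */
static int row_callback_checked(image_t *img, const uint8_t *new_row, uint32_t row_num)
{
    if (row_num >= img->height) {
        img->rows_rejected++;
        return -1;
    }
    memcpy(img->pixels + (size_t)row_num * img->rowbytes, new_row, img->rowbytes);
    img->rows_seen++;
    return 0;
}

/* Constructed stand-in for the progressive decoder: delivers rows 0..rows-1.
 * Called with rows == height + 1 it models the extra row this bug describes. */
static void feed_rows(image_t *img, uint32_t rows, int use_checked)
{
    uint8_t *row = malloc(img->rowbytes);
    if (row == NULL)
        return;
    for (uint32_t r = 0; r < rows; r++) {
        memset(row, (int)(r & 0xFF), img->rowbytes); /* constructed pixel data */
        if (use_checked)
            row_callback_checked(img, row, r);
        else
            row_callback_unchecked(img, row, r);
    }
    free(row);
}

/* 1 if any byte of the guard row past the image was overwritten. */
static int guard_row_corrupted(const image_t *img)
{
    const uint8_t *guard = img->pixels + (size_t)img->height * img->rowbytes;
    for (size_t i = 0; i < img->rowbytes; i++)
        if (guard[i] != GUARD_BYTE)
            return 1;
    return 0;
}

/* Feeds height + 1 rows through one of the callbacks and reports whether the
 * guard row was hit, how many rows were stored and how many were rejected.
 * Returns 0 only on allocation failure. */
int run_extra_row_case(uint32_t height, size_t rowbytes, int use_checked,
                       int *corrupted, uint32_t *stored, uint32_t *rejected)
{
    image_t *img = image_new(height, rowbytes);
    if (img == NULL)
        return 0;
    feed_rows(img, height + 1, use_checked);
    *corrupted = guard_row_corrupted(img);
    *stored = img->rows_seen;
    *rejected = img->rows_rejected;
    free(img->pixels);
    free(img);
    return 1;
}

int main(void)
{
    int corrupted;
    uint32_t stored, rejected;
    run_extra_row_case(4, 16, 0, &corrupted, &stored, &rejected);
    printf("unchecked: guard row corrupted=%d stored=%u\n", corrupted, stored);
    run_extra_row_case(4, 16, 1, &corrupted, &stored, &rejected);
    printf("checked:   guard row corrupted=%d stored=%u rejected=%u\n", corrupted, stored, rejected);
    return 0;
}
```

The unchecked callback stores five rows into a four-row image and overwrites the guard row; the checked one stores four, rejects the fifth and leaves the guard row intact. In a real progressive reader the same bound belongs in the row callback regardless of the libpng version in use, since the application cannot tell from the callback arguments alone whether the decoder has already enforced the IHDR height.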
If memory serves, firefox is still getting built with its own private copy of libpng, so they're going to need a separate patch for this.
Yes, mozilla/firefox by default uses a private copy of libpng. A workaround for this bug was checked in yesterday, for mozilla 1.9.1, 1.9.2 and trunk. Mozilla/firefox is not vulnerable to the sCAL memory leak. Libpng-1.4.3 was released last night to address both bugs. Regards, Glenn Randers-Pehrson, PNG/MNG Development Group
(In reply to comment #0)
> An additional memory-leak bug, involving images with malformed sCAL chunks, is
> also present; it could lead to an application crash (denial of service) when
> viewing such images.

This second memory leak issue is now tracked under its own, dedicated Red Hat Bugzilla entry:

[1] https://bugzilla.redhat.com/show_bug.cgi?id=608644
Created libpng tracking bugs for this issue Affects: fedora-all [bug 609161]
Created mingw32-libpng tracking bugs for this issue Affects: fedora-all [bug 609162]
Looks like this is the commit to fix this issue: http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=188eb6b42602bf7d7ae708a21897923b6a83fe7c#patch18
libpng-1.2.44-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/libpng-1.2.44-1.fc13
libpng-1.2.44-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/libpng-1.2.44-1.fc12
Created attachment 427792
diff -pruNb libpng-1.4.2/pngpread.c libpng-1.4.3/pngpread.c

(In reply to comment #11)
> (In reply to comment #8)
> > Looks like this is the upstream commit to fix this issue:
> >
> > http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=90cfcecc09febb8d6c8c1d37ea7bb7cf0f4b00f3#patch20
>
> That is an upstream "workaround" for the bug which was removed in a later
> commit. Our "git" commits show much of our work-in-progress, and there are
> 4 or 5 commits involved in solving this bug. The actual fix
> can be found by diffing pngpread.c from libpng-1.4.2 and 1.4.3.

Glenn, replying to the right bug here. Thanks for that heads up. I'm attaching the diff from libpng-1.4.2 and libpng-1.4.3 here. Looks like it might be a bit of an exercise to backport.
libpng-1.2.44-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
libpng-1.2.44-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2010:0534 https://rhn.redhat.com/errata/RHSA-2010-0534.html
libpng10-1.0.54-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4

Via RHSA-2010:0546 https://rhn.redhat.com/errata/RHSA-2010-0546.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2010:0547 https://rhn.redhat.com/errata/RHSA-2010-0547.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2010:0545 https://rhn.redhat.com/errata/RHSA-2010-0545.html
seamonkey-2.0.6-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
xulrunner-1.9.2.7-1.fc13, firefox-3.6.7-1.fc13, mozvoikko-1.0-12.fc13, gnome-web-photo-0.9-10.fc13, perl-Gtk2-MozEmbed-0.08-6.fc13.15, gnome-python2-extras-2.25.3-20.fc13, galeon-2.0.7-30.fc13 have been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
thunderbird-3.0.6-1.fc12, sunbird-1.0-0.23.20090916hg.fc12 have been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
seamonkey-2.0.6-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
xulrunner-1.9.1.11-1.fc12, firefox-3.5.11-1.fc12, gnome-web-photo-0.9-8.fc12, mozvoikko-1.0-11.fc12, perl-Gtk2-MozEmbed-0.08-6.fc12.14, gnome-python2-extras-2.25.3-19.fc12, galeon-2.0.7-24.fc12 have been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
thunderbird-3.1.1-1.fc13, sunbird-1.0-0.26.b2pre.fc13 have been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
mingw32-libpng-1.2.44-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
mingw32-libpng-1.2.44-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.