Bug 720607 (CVE-2011-2690) - CVE-2011-2690 libpng: buffer overwrite in png_rgb_to_gray
Summary: CVE-2011-2690 libpng: buffer overwrite in png_rgb_to_gray
Status: CLOSED ERRATA
Alias: CVE-2011-2690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 721303 721304 721305 721306 721307 721309 721310 721311 721312 802166
Blocks: 717086
Reported: 2011-07-12 09:09 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-09-29 12:45 UTC

Doc Type: Bug Fix
Last Closed: 2012-07-18 09:00:38 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1104 0 normal SHIPPED_LIVE Moderate: libpng security update 2011-07-28 18:11:47 UTC
Red Hat Product Errata RHSA-2011:1105 0 normal SHIPPED_LIVE Moderate: libpng security update 2011-07-28 18:22:47 UTC

Description Huzaifa S. Sidhpurwala 2011-07-12 09:09:27 UTC
libpng overwrites unallocated memory when promoting a paletted image with transparency (one channel) to gray-alpha (two channels), only if the application calls png_rgb_to_gray() but fails to call png_set_expand().

This bug exists in all released versions of libpng (1.0, 1.2, 1.4 and 1.5).
The data overwritten is entirely controlled by the image data in the PNG file and it is possible to cause any string of data to be written by fabricating an appropriate PNG file. The amount of overwrite is equal to the row length of the original image.

This has been fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.
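A small triage check for the input shape the report describes (an indexed-colour image carrying a tRNS chunk), as an added example that is not part of this bug report or of libpng. It parses the PNG chunk stream with the Python standard library only, validates chunk CRCs, and reports the row length of the original image, which the report gives as the size of the overwrite; the sample PNG it checks is constructed in memory, not taken from any real file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PALETTE = 3  # IHDR colour type for indexed-colour (paletted) images


def _chunk(ctype, data):
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_paletted_png(width, height, bit_depth=8, with_trns=True):
    """Constructed sample: a minimal paletted PNG, optionally with a tRNS chunk."""
    ihdr = struct.pack(">IIBBBBB", width, height, bit_depth, PALETTE, 0, 0, 0)
    plte = bytes([0, 0, 0, 255, 255, 255])  # two palette entries
    row = b"\x00" + b"\x00" * ((width * bit_depth + 7) // 8)  # filter byte + pixels
    chunks = [_chunk(b"IHDR", ihdr), _chunk(b"PLTE", plte)]
    if with_trns:
        chunks.append(_chunk(b"tRNS", b"\x00"))  # palette entry 0 fully transparent
    chunks += [_chunk(b"IDAT", zlib.compress(row * height)), _chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)


def triage_png(data):
    """Walk the chunk stream; flag paletted images that carry transparency."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, info = len(PNG_SIG), {"has_trns": False}
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated %r chunk" % ctype)
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("bad CRC in %r chunk" % ctype)
        if ctype == b"IHDR":
            w, h, depth, colour = struct.unpack(">IIBB", body[:10])
            info.update(width=w, height=h, bit_depth=depth, color_type=colour)
        elif ctype == b"tRNS":
            info["has_trns"] = True
        pos += 12 + length
        if ctype == b"IEND":
            break
    # Row length of the original image: the overwrite size the report describes.
    info["row_bytes"] = (info["width"] * info["bit_depth"] + 7) // 8
    info["matches_trigger"] = info["color_type"] == PALETTE and info["has_trns"]
    return info
```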

Comment 1 Huzaifa S. Sidhpurwala 2011-07-13 04:41:25 UTC
This has been assigned CVE-2011-2690.

Comment 5 Huzaifa S. Sidhpurwala 2011-07-14 09:04:25 UTC
Created libpng tracking bugs for this issue

Affects: fedora-all [bug 721307]

Comment 6 Huzaifa S. Sidhpurwala 2011-07-14 09:04:28 UTC
Created libpng10 tracking bugs for this issue

Affects: fedora-all [bug 721309]
Affects: epel-6 [bug 721310]

Comment 7 Huzaifa S. Sidhpurwala 2011-07-14 09:04:32 UTC
Created mingw32-libpng tracking bugs for this issue

Affects: fedora-all [bug 721311]
Affects: epel-5 [bug 721312]

Comment 13 Tom Lane 2011-07-26 21:54:52 UTC
Further investigation shows that this bug is not aboriginal in libpng, but was introduced in 1.2.9 (and whichever was the contemporary version of 1.0.x).  This means it doesn't exist in RHEL4, where we're still shipping 1.2.7.  Haven't looked yet at the libpng10 situation.

Comment 14 errata-xmlrpc 2011-07-28 18:11:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1104 https://rhn.redhat.com/errata/RHSA-2011-1104.html

Comment 15 errata-xmlrpc 2011-07-28 18:22:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1105 https://rhn.redhat.com/errata/RHSA-2011-1105.html
