Bug 720608 (CVE-2011-2691) - CVE-2011-2691 libpng: Crash in png_default_error due to use of NULL Pointer
Summary: CVE-2011-2691 libpng: Crash in png_default_error due to use of NULL Pointer
Status: CLOSED NOTABUG
Alias: CVE-2011-2691
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Blocks: 717086
Reported: 2011-07-12 09:13 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-24 15:06 UTC (History)

Last Closed: 2011-07-21 07:42:47 UTC



Description Huzaifa S. Sidhpurwala 2011-07-12 09:13:38 UTC
It was found that in libpng, prior to 1.2.45, the error function 
received a NULL pointer, expressed erroneously as '\0', instead of 
the empty string "".  This error was introduced in libpng-1.2.20, 
and png_default_error() will crash in this case.  

This was fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, 
and libpng-1.0.55.

Patch:
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=9dad5e37aef295b4ef8dea39392b652deebc9261
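
As an added example (not libpng's code and not part of this report), a constructed C model of the png_err() path shows why writing '\0' where a string is expected hands the error handler a null pointer, what the "" fix changes, and a NULL-tolerant error_fn an application can install as a mitigation; the struct and function names are assumptions for the demo.

```c
#include <stdio.h>

/* Constructed model of libpng's PNG_NO_ERROR_TEXT error path. The struct
 * and function names are assumptions for this demo, not libpng's own. */
typedef struct png_model {
    void (*error_fn)(struct png_model *png_ptr, const char *msg);
    int saw_null;   /* set when the handler is handed a NULL message */
} png_model;

/* Stands in for png_default_error(): it must read the message (a real
 * handler calls fputs()/strlen()), so a NULL pointer here is the crash. */
static void model_default_error(png_model *png_ptr, const char *msg) {
    png_ptr->saw_null = (msg == NULL);
    if (msg != NULL)
        fprintf(stderr, "libpng error: %s\n", msg);   /* safe only on this branch */
}

/* Pre-1.2.45 form: '\0' is an integer constant 0, so as an argument of
 * pointer type it is a null pointer constant, not a one-byte empty string. */
static void png_err_buggy(png_model *png_ptr) {
    if (png_ptr != NULL && png_ptr->error_fn != NULL)
        (*(png_ptr->error_fn))(png_ptr, '\0');
}

/* Fixed form from the libpng patch: a genuine empty string. */
static void png_err_fixed(png_model *png_ptr) {
    if (png_ptr != NULL && png_ptr->error_fn != NULL)
        (*(png_ptr->error_fn))(png_ptr, "");
}

/* Defensive error_fn an application can install via png_set_error_fn():
 * never trust the message pointer, substitute "" before using it. */
static void hardened_error(png_model *png_ptr, const char *msg) {
    model_default_error(png_ptr, msg != NULL ? msg : "");
}

/* Run one call shape against one handler; returns 1 if the handler
 * would have dereferenced NULL (i.e. crashed like png_default_error). */
static int would_crash(void (*call)(png_model *), void (*handler)(png_model *, const char *)) {
    png_model p = { handler, 0 };
    call(&p);
    return p.saw_null;
}

int main(void) {
    printf("buggy call, default handler: crash=%d\n", would_crash(png_err_buggy, model_default_error));
    printf("fixed call, default handler: crash=%d\n", would_crash(png_err_fixed, model_default_error));
    printf("buggy call, hardened handler: crash=%d\n", would_crash(png_err_buggy, hardened_error));
    return 0;
}
```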

Comment 1 Huzaifa S. Sidhpurwala 2011-07-13 04:42:13 UTC
This has been assigned CVE-2011-2691

Comment 3 Huzaifa S. Sidhpurwala 2011-07-14 09:05:23 UTC
Created libpng tracking bugs for this issue

Affects: fedora-all [bug 721307]

Comment 5 Tom Lane 2011-07-19 14:48:57 UTC
Hmmm .... now that I look more closely, the erroneous code for this is compiled only if PNG_NO_ERROR_TEXT is defined, which it isn't in our builds.  So while this may be an actual problem for some people trying to build minimally-sized embedded copies of libpng, I don't think it's an issue for most distributions.

Comment 7 Huzaifa S. Sidhpurwala 2011-07-21 07:42:32 UTC
This flaw only affects libpng packages which are built with PNG_NO_ERROR_TEXT defined.

Looking at pngconf.h:

 #if !defined(PNG_NO_ERROR_TEXT) && !defined(PNG_ERROR_TEXT_SUPPORTED)
 #  define PNG_ERROR_TEXT_SUPPORTED
 #endif

If PNG_NO_ERROR_TEXT is defined it causes PNG_ERROR_TEXT_SUPPORTED to be left undefined.

If you now look at the vulnerable code at pngerror.c:

 #ifdef PNG_ERROR_TEXT_SUPPORTED
 void PNGAPI
 png_error(png_structp png_ptr, png_const_charp error_message)
 ...

 #else
 void PNGAPI
 png_err(png_structp png_ptr)
 ..

    if (png_ptr != NULL && png_ptr->error_fn != NULL)
       (*(png_ptr->error_fn))(png_ptr, "");

 #endif /* PNG_ERROR_TEXT_SUPPORTED */

We can clearly see that the vulnerable code is not triggered if PNG_NO_ERROR_TEXT is defined.

Packages shipped with Red Hat Enterprise Linux 4, 5, 6 and Fedora 14 and 15 do not have this option enabled and hence are not affected.

Statement:

Not vulnerable. This issue did not affect the versions of libpng as
shipped with Red Hat Enterprise Linux 4, 5, or 6.

