It was found that in libpng, prior to 1.2.45, the error function received a NULL pointer, expressed erroneously as '\0', instead of the empty string "". This error was introduced in libpng-1.2.20, and png_default_error() will crash in this case. This was fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55. Patch: http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=9dad5e37aef295b4ef8dea39392b652deebc9261
This has been assigned CVE-2011-2691
Created libpng tracking bugs for this issue Affects: fedora-all [bug 721307]
Hmmm .... now that I look more closely, the erroneous code for this is compiled only if PNG_NO_ERROR_TEXT is defined, which it isn't in our builds. So while this may be an actual problem for some people trying to build minimally-sized embedded copies of libpng, I don't think it's an issue for most distributions.
This flaw only affects libpng packages which are built with PNG_NO_ERROR_TEXT defined. Looking at pngconf.h:

    153 #if !defined(PNG_NO_ERROR_EXT) && !defined(PNG_ERROR_TEXT_SUPPORTED)
    154 # define PNG_ERROR_TEXT_SUPPORTED
    155 #endif

If PNG_NO_ERROR_EXT is defined it causes PNG_ERROR_TEXT_SUPPORTED to be not-defined. If you now look at the vulnerable code at pngerror.c:

    38 #ifdef PNG_ERROR_TEXT_SUPPORTED
    39 void PNGAPI
    40 png_error(png_structp png_ptr, png_const_charp error_message)
    ...
    86 #else
    87 void PNGAPI
    88 png_err(png_structp png_ptr)
    ..
    95    if (png_ptr != NULL && png_ptr->error_fn != NULL)
    96       (*(png_ptr->error_fn))(png_ptr, "");
    102 #endif /* PNG_ERROR_TEXT_SUPPORTED */

We can clearly see that the vulnerable code is not triggered if PNG_NO_ERROR_TEXT is defined. Packages shipped with Red Hat Enterprise Linux 4, 5, 6 and Fedora 14 and 15 do not have this option enabled and hence are not affected. Statement: Not vulnerable. This issue did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 4, 5, or 6.
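Added example, not libpng's own code: a hypothetical stand-in for the png_struct/error_fn pair that shows why the '\0' literal at a const char * parameter silently becomes NULL, the buggy and fixed png_err() call sites as described above, and a default error handler hardened to tolerate a NULL message (the struct, handler and run_case names are assumptions).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for libpng's png_struct and error_fn callback (not libpng code). */
typedef struct sim_png_struct {
    void (*error_fn)(struct sim_png_struct *, const char *);
    char last_message[64];
} sim_png_struct;

/* Root cause: '\0' is an integer constant with value 0, i.e. a null pointer constant,
   so it converts to a NULL char pointer with no diagnostic required. */
int char_zero_is_null_pointer(void) {
    const char *p = '\0';
    return p == NULL;
}

/* "Before": handler that assumes a valid string; strlen(NULL) crashes, like
   png_default_error() did when handed the '\0' message. */
void unsafe_default_error(sim_png_struct *png_ptr, const char *msg) {
    size_t len = strlen(msg);
    (void)len;
    snprintf(png_ptr->last_message, sizeof png_ptr->last_message, "libpng error: %s", msg);
}

/* "After": defensive handler that maps a NULL message to "" before using it. */
void safe_default_error(sim_png_struct *png_ptr, const char *msg) {
    if (msg == NULL)
        msg = "";
    snprintf(png_ptr->last_message, sizeof png_ptr->last_message, "libpng error: %s", msg);
}

/* Mirrors the buggy call site (libpng-1.2.20 .. 1.2.44): passes '\0', i.e. NULL. */
void png_err_buggy(sim_png_struct *png_ptr) {
    if (png_ptr != NULL && png_ptr->error_fn != NULL)
        (*(png_ptr->error_fn))(png_ptr, '\0');
}

/* Mirrors the fixed call site: passes the empty string. */
void png_err_fixed(sim_png_struct *png_ptr) {
    if (png_ptr != NULL && png_ptr->error_fn != NULL)
        (*(png_ptr->error_fn))(png_ptr, "");
}

/* Runs one call site against one handler and returns the recorded message.
   fixed_call_site=0 with safe_handler=0 is the crashing combination from the bug. */
const char *run_case(int fixed_call_site, int safe_handler) {
    static sim_png_struct s;
    s.error_fn = safe_handler ? safe_default_error : unsafe_default_error;
    s.last_message[0] = '\0';
    if (fixed_call_site) png_err_fixed(&s); else png_err_buggy(&s);
    return s.last_message;
}
```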