Bug 1608800 (CVE-2018-14550) - CVE-2018-14550 libpng: Stack-based buffer overflow in contrib/pngminus/pnm2png.c:get_token() potentially leading to arbitrary code execution
Summary: CVE-2018-14550 libpng: Stack-based buffer overflow in contrib/pngminus/pnm2pn...
Status: CLOSED NOTABUG
Alias: CVE-2018-14550
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180721,repor...
Keywords: Security
Depends On: 1608807 1608809 1608803 1608804 1608805 1608806 1608808 1608810 1608855
Blocks: 1608081
TreeView+ depends on / blocked
 
Reported: 2018-07-26 10:04 UTC by Adam Mariš
Modified: 2018-10-18 09:34 UTC (History)
18 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2018-10-18 09:34:51 UTC


Attachments (Terms of Use)

Description Adam Mariš 2018-07-26 10:04:25 UTC
Stack-based buffer overflow in contrib/pngminus/pnm2png.c:get_token() function in libpng was found, possibly leading to arbitrary code execution when processing untrusted input.

Upstream bug:

https://github.com/glennrp/libpng/issues/246

Comment 1 Adam Mariš 2018-07-26 10:05:40 UTC
Created libpng tracking bugs for this issue:

Affects: fedora-all [bug 1608803]


Created libpng10 tracking bugs for this issue:

Affects: epel-6 [bug 1608810]
Affects: fedora-all [bug 1608804]


Created libpng12 tracking bugs for this issue:

Affects: fedora-all [bug 1608805]


Created libpng15 tracking bugs for this issue:

Affects: fedora-all [bug 1608806]


Created mingw-libpng tracking bugs for this issue:

Affects: epel-7 [bug 1608809]
Affects: fedora-all [bug 1608807]

Comment 4 Adam Mariš 2018-07-26 11:53:58 UTC
Statement:

This issue did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include the vulnerable code.

Comment 5 Adam Mariš 2018-10-18 09:11:10 UTC
get_token() function parses provided pnm file and stores data into char array provided as argument. These arrays are allocated on stack with fixed size of 16 in pnm2png() function from where the get_token() function is called. There is no size check due to which the buffer overflow is possible. This vulnerability lies in third-party utility pnm2png which is not distributed with libpng and libpng12 packages in RHEL 5, 6 and 7.


Note You need to log in before you can comment on or make changes to this bug.