SecurityTracker.com
Category:   Application (Multimedia)  >   libpng
Vendors:   libpng.sourceforge.net
'libpng' Portable Network Graphics Library Buffer Overflow Lets Remote Users Crash Affected Applications
SecurityTracker Alert ID:  1004916
SecurityTracker URL:  http://securitytracker.com/id/1004916
CVE Reference:   CAN-2002-0660, CAN-2002-0728
Date:  Jul 31 2002
Impact:   Denial of service via local system, Denial of service via network, Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Prior to 1.2.4 and prior to 1.0.14
Description:   A buffer overflow vulnerability was reported in 'libpng'. A remote user may be able to create a specially crafted Portable Network Graphics (PNG) image file to cause an affected application to crash.

It is reported that the progressive reader code contains a buffer overflow that can be triggered by a malicious PNG image file that contains more IDAT data than indicated by the IHDR chunk. According to the report, applications that use libpng may crash when loading a malicious file.

If the X size (image width) is greater than 2^32 divided by the number_bytes_needed_per_pixel, then the number of bytes required for a row becomes greater than 2^32 and overflows. In a variation, an IDAT chunk much larger than the data size will also cause corruption.
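The row-size wrap and the excess-IDAT case described above, shown next to a checked form. This is an added C example, not libpng's code or its actual fix; all function names are hypothetical and ROWBYTES_MAX is an assumed local policy limit.

```c
#include <stdint.h>

#define PNG_DIM_MAX  0x7FFFFFFFu  /* PNG spec: width/height fit in 31 bits */
#define ROWBYTES_MAX 0x7FFFFFFFu  /* local policy cap (assumption) */

/* What 32-bit arithmetic yields for width * bytes_per_pixel: the
 * product is reduced modulo 2^32, so a huge row can look tiny. */
uint32_t rowbytes_wrapped32(uint32_t width, uint32_t bytes_per_pixel)
{
    return width * bytes_per_pixel;
}

/* Checked form: compute in 64 bits and refuse anything over the caps.
 * bits_per_pixel = channels * bit_depth (1..64 for valid PNGs).
 * Returns 0 and stores the row size, or -1 if the IHDR is refused. */
int rowbytes_checked(uint32_t width, uint32_t height,
                     unsigned bits_per_pixel, uint64_t *rowbytes)
{
    if (width == 0 || height == 0 ||
        width > PNG_DIM_MAX || height > PNG_DIM_MAX)
        return -1;
    if (bits_per_pixel == 0 || bits_per_pixel > 64)
        return -1;
    uint64_t rb = ((uint64_t)width * bits_per_pixel + 7) / 8;
    if (rb > ROWBYTES_MAX)
        return -1;
    *rowbytes = rb;
    return 0;
}

/* Inflated size of a non-interlaced image: one filter byte plus
 * rowbytes per row. Cannot overflow 64 bits given the caps above. */
uint64_t idat_budget(uint32_t height, uint64_t rowbytes)
{
    return (uint64_t)height * (rowbytes + 1);
}

/* Gate for each piece of inflated IDAT data: refuse anything beyond
 * the IHDR-derived budget instead of writing it past the row buffers. */
int idat_accept(uint64_t budget, uint64_t *consumed, uint64_t incoming)
{
    if (incoming > budget - *consumed)
        return 0;
    *consumed += incoming;
    return 1;
}
```

A reader built this way validates the IHDR once with rowbytes_checked, sizes its buffers from the 64-bit result, and calls idat_accept before copying each inflated block.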

It is reported that it is theoretically possible to execute arbitrary code using this buffer overflow, but exploitation may be non-trivial.

Additional details are available at:

http://bugzilla.mozilla.org/show_bug.cgi?id=155222

Impact:   A remote user can create a PNG image file that will cause the affected application to crash when loading the file.
Solution:   The vendor has released fixed versions (libpng-1.2.4 and libpng-1.0.14), available at:

http://libpng.sf.net
ftp://swrinde.nde.swri.edu/pub/png/src/

Vendor URL:  www.libpng.org/pub/png/
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix) 'libpng' Portable Network Graphics Library Buffer Overflow Lets Remote Users Crash Affected Applications   (joey@infodrom.org (Martin Schulze))
Debian has released a fix.
(Mandrake Issues Fix) 'libpng' Portable Network Graphics Library Buffer Overflow Lets Remote Users Crash Affected Applications   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
(Red Hat Issues Fix) 'libpng' Portable Network Graphics Library Buffer Overflow Lets Remote Users Crash Affected Applications   (bugzilla@redhat.com)
Red Hat has released a fix.



 Source Message Contents

Date:  Thu, 18 Jul 2002 03:27:49 -0400
Subject:  [png-list] libpng-1.2.4 and libpng-1.0.14


Date: Mon, 08 Jul 2002 07:55:15 -0400
From: Glenn Randers-Pehrson <glennrp@comcast.net>
Subject: [png-list] libpng-1.2.4 and libpng-1.0.14
X-Sender: glennrp@mail.comcast.net
To: png-implement@ccrc.wustl.edu
Cc: png-announce@ccrc.wustl.edu, png-list@ccrc.wustl.edu
Message-id: <3.0.6.32.20020708075515.00f4dbf0@mail.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
Sender: owner-png-list@ccrc.wustl.edu
Precedence: bulk
Reply-To: png-list@ccrc.wustl.edu


[replies to png-implement, please]

Libpng-1.2.4 and libpng-1.0.14 are available at
http://libpng.sf.net and at
ftp://swrinde.nde.swri.edu/pub/png/src/

This version plugs some memory leaks and eliminates a vulnerability
to buffer overflow in the progressive reader when the PNG datastream
contains more IDAT data than indicated by the IHDR chunk.  Such
deliberately malformed datastreams would crash applications such as
Mozilla that use the progressive reading feature.

This version also does a better job of abandoning just an ancillary
chunk instead of the entire datastream when the application runs out
of memory while reading an ancillary chunk.

The makefiles that install shared libraries have added a "test-installed"
target that builds and runs a test program with the installed library.

You only need libpng-1.0.14 if you have applications on your system that
were linked with a previous libpng-1.0.x shared library and you want to
continue supporting them rather than relinking them.

Glenn

Copyright 2014, SecurityGlobal.net LLC