'libpng' Portable Network Graphics Library Buffer Overflow Lets Remote Users Crash Affected Applications
SecurityTracker Alert ID: 1004916
SecurityTracker URL: http://securitytracker.com/id/1004916
CVE Reference: CAN-2002-0660, CAN-2002-0728
Date: Jul 31 2002
Impact: Denial of service via local system, Denial of service via network, Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Prior to 1.2.4 and prior to 1.0.14
Description:
A buffer overflow vulnerability was reported in 'libpng'. A remote user may be able to create a specially crafted Portable Network Graphics (PNG) image file to cause an affected application to crash.
It is reported that the progressive reader code contains a buffer overflow that can be triggered by a malicious PNG image file that contains more IDAT data than indicated by the IHDR chunk. According to the report, applications that use libpng may crash when loading a malicious file.
If the image width (X size) is greater than 2^32 divided by the number of bytes needed per pixel, the number of bytes required for a row exceeds 2^32 and the 32-bit row-size calculation wraps to a much smaller value, so the row buffer is sized too small for the pixel data that is later decoded into it. In a variation, an IDAT chunk much larger than the image data size will also cause memory corruption.
It is reported that it is theoretically possible to execute arbitrary code using this buffer overflow, but exploitation may be non-trivial.
Additional details are available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=155222
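The following is an added example written for this page in C; it is not libpng source. It models the two bounds the description above talks about: the row-size computation, shown in its unchecked 32-bit form beside a checked form that does the product in 64 bits and rejects a result that does not fit, and a progressive-reader sink that refuses decompressed IDAT output beyond the height * (rowbytes + 1) bytes the IHDR implies instead of copying it. The names (png_rowbytes_unchecked, png_rowbytes_checked, idat_sink) are made up for the example, the IHDR values and image bytes are constructed, and zlib inflation is left out: the sink receives already-decompressed bytes, which is what fills a row buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not libpng source. Models the two bounds the advisory
 * describes: a row-size computation that wraps in 32-bit arithmetic, and
 * the total decompressed IDAT data a progressive reader may accept.
 * Names are hypothetical; zlib inflation is omitted (the sink takes
 * already-decompressed bytes, which is what fills a row buffer).
 */

/* Samples per pixel for a PNG colour type (IHDR field). 0 = invalid. */
static uint32_t png_channels(uint8_t color_type)
{
    switch (color_type) {
    case 0: return 1;   /* greyscale */
    case 2: return 3;   /* truecolour */
    case 3: return 1;   /* indexed */
    case 4: return 2;   /* greyscale + alpha */
    case 6: return 4;   /* truecolour + alpha */
    default: return 0;
    }
}

/* Unchecked form: width * channels * depth is computed in 32 bits and wraps
 * for large widths, yielding a row size far smaller than the real one. */
uint32_t png_rowbytes_unchecked(uint32_t width, uint8_t color_type, uint8_t bit_depth)
{
    return (width * png_channels(color_type) * bit_depth + 7) >> 3;
}

/* Checked form: validates IHDR fields, does the product in 64 bits and
 * refuses a row size that does not fit in 32 bits. 0 = ok, -1 = reject. */
int png_rowbytes_checked(uint32_t width, uint8_t color_type, uint8_t bit_depth, uint32_t *rowbytes)
{
    uint32_t channels = png_channels(color_type);
    int depth_ok = bit_depth != 0 && bit_depth <= 16 && (bit_depth & (bit_depth - 1)) == 0;
    if (channels == 0 || !depth_ok) return -1;
    if (width == 0 || width > 0x7fffffffu) return -1;   /* PNG caps width at 2^31-1 */
    uint64_t bits = (uint64_t)width * channels * bit_depth;
    uint64_t bytes = (bits + 7) >> 3;
    if (bytes > UINT32_MAX) return -1;                   /* would wrap in 32-bit code */
    *rowbytes = (uint32_t)bytes;
    return 0;
}

/* Sink for decompressed IDAT output. The image is complete after height rows
 * of (rowbytes + 1) bytes (one filter byte per row); any surplus is refused. */
typedef struct {
    uint8_t *buf;
    uint64_t capacity;   /* height * (rowbytes + 1) */
    uint64_t filled;
    uint64_t rejected;   /* bytes the stream carried past the end of the image */
} idat_sink;

int idat_sink_init(idat_sink *s, uint8_t *buf, size_t buflen, uint32_t height, uint32_t rowbytes)
{
    uint64_t need = (uint64_t)height * ((uint64_t)rowbytes + 1);
    if (need > buflen) return -1;   /* caller's buffer too small for the IHDR geometry */
    s->buf = buf; s->capacity = need; s->filled = 0; s->rejected = 0;
    return 0;
}

/* Returns the number of bytes accepted; an unchecked reader would have
 * copied all len bytes and overrun the buffer. */
size_t idat_sink_push(idat_sink *s, const uint8_t *data, size_t len)
{
    uint64_t room = s->capacity - s->filled;
    size_t take = (len <= room) ? len : (size_t)room;
    memcpy(s->buf + s->filled, data, take);
    s->filled += take;
    s->rejected += len - take;
    return take;
}

int main(void)
{
    uint32_t rb;
    /* Constructed IHDR values: width 2^26, truecolour + alpha, 16 bits per sample. */
    printf("unchecked rowbytes: %u\n", png_rowbytes_unchecked(0x04000000u, 6, 16)); /* wraps to 0 */
    if (png_rowbytes_checked(0x04000000u, 6, 16, &rb) == 0)
        printf("checked rowbytes:   %u\n", rb);                                      /* 536870912 */
    printf("width 2^31-1 at 64 bits/pixel accepted? %s\n",
           png_rowbytes_checked(0x7fffffffu, 6, 16, &rb) == 0 ? "yes" : "no (rejected)");

    /* Constructed 1x2 truecolour image: 2 rows of 3 + 1 bytes, fed 5 + 5 bytes. */
    uint8_t image[8];
    uint8_t piece[5] = {0, 10, 20, 30, 0};
    idat_sink s;
    idat_sink_init(&s, image, sizeof image, 2, 3);
    idat_sink_push(&s, piece, sizeof piece);
    idat_sink_push(&s, piece, sizeof piece);
    printf("filled %llu of %llu, rejected %llu surplus bytes\n",
           (unsigned long long)s.filled, (unsigned long long)s.capacity,
           (unsigned long long)s.rejected);
    return 0;
}
```

The checked form only guards the arithmetic; a row of 512 MiB is still a legitimate allocation request by PNG rules, so an application should additionally cap width and height at whatever it is willing to decode.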
Impact:
A remote user can create a PNG image file that will cause the affected application to crash when loading the file.
Solution:
The vendor has released fixed versions (libpng-1.2.4 and libpng-1.0.14), available at:
http://libpng.sf.net
ftp://swrinde.nde.swri.edu/pub/png/src/
Vendor URL: www.libpng.org/pub/png/
Cause:
Boundary error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Thu, 18 Jul 2002 03:27:49 -0400
Subject: [png-list] libpng-1.2.4 and libpng-1.0.14
Date: Mon, 08 Jul 2002 07:55:15 -0400
From: Glenn Randers-Pehrson <glennrp@comcast.net>
Subject: [png-list] libpng-1.2.4 and libpng-1.0.14
X-Sender: glennrp@mail.comcast.net
To: png-implement@ccrc.wustl.edu
Cc: png-announce@ccrc.wustl.edu, png-list@ccrc.wustl.edu
Message-id: <3.0.6.32.20020708075515.00f4dbf0@mail.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
Sender: owner-png-list@ccrc.wustl.edu
Precedence: bulk
Reply-To: png-list@ccrc.wustl.edu
[replies to png-implement, please]
Libpng-1.2.4 and libpng-1.0.14 are available at
http://libpng.sf.net and at
ftp://swrinde.nde.swri.edu/pub/png/src/
This version plugs some memory leaks and eliminates a vulnerability
to buffer overflow in the progressive reader when the PNG datastream
contains more IDAT data than indicated by the IHDR chunk. Such deliberately
malformed datastreams would crash applications such as Mozilla that use
the progressive reading feature.
This version also does a better job of abandoning just an ancillary
chunk instead of the entire datastream when the application runs out
of memory while reading an ancillary chunk.
The makefiles that install shared libraries have added a "test-installed"
target that builds and runs a test program with the installed library.
You only need libpng-1.0.14 if you have applications on your system that
were linked with a previous libpng-1.0.x shared library and you want to
continue supporting them rather than relinking them.
Glenn
--
Send the message body "help" to png-list-request@ccrc.wustl.edu