[Bug 1086516] New: CVE-2013-7354 Integer overflow leading to a heap-based buffer overflow in png_set_sPLT() and png_set_text_2()

Fri Apr 11 04:00:28 UTC 2014

https://bugzilla.redhat.com/show_bug.cgi?id=1086516

            Bug ID: 1086516
           Summary: CVE-2013-7354 Integer overflow leading to a heap-based
                    buffer overflow in png_set_sPLT() and png_set_text_2()
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team at redhat.com
          Reporter: huzaifas at redhat.com
                CC: drizt at land.ru, erik-fedora at vanpienbroek.nl,
                    fedora-mingw at lists.fedoraproject.org,
                    jkoncick at redhat.com, jkurik at redhat.com,
                    ktietz at redhat.com, lfarkas at lfarkas.org,
                    pfrields at redhat.com, phracek at redhat.com,
                    rjones at redhat.com

An integer overflow leading to a heap-based buffer overflow was found in the
png_set_sPLT() and png_set_text_2() API functions of libpng. A attacker could
create a specially-crafated image file and render it with an application
written to explicitly call png_set_sPLT() or png_set_text_2() function, could
cause libpng to crash or execute arbitrary code with the permissions of the
user running such an application.

The vendor mentions that internal calls use safe values. These issues could
potentially affect applications that use the libpng API. Apparently no such
applications were identified.

Reference:

http://sourceforge.net/p/libpng/bugs/199/
http://seclists.org/oss-sec/2014/q2/83

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=lqm7CkaJep&a=cc_unsubscribe