https://bugzilla.redhat.com/show_bug.cgi?id=1086514
Bug ID: 1086514
Summary: CVE-2013-7353 Integer overflow leading to a heap-based buffer overflow in png_set_unknown_chunks()
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: huzaifas@redhat.com
CC: drizt@land.ru, erik-fedora@vanpienbroek.nl, fedora-mingw@lists.fedoraproject.org, jkoncick@redhat.com, jkurik@redhat.com, ktietz@redhat.com, lfarkas@lfarkas.org, pfrields@redhat.com, phracek@redhat.com, rjones@redhat.com
An integer overflow leading to a heap-based buffer overflow was found in the png_set_unknown_chunks() API function of libpng. An attacker could create a specially-crafted image file that, when rendered by an application written to explicitly call the png_set_unknown_chunks() function, could cause libpng to crash or execute arbitrary code with the permissions of the user running such an application.
The vendor mentions that internal calls use safe values. These issues could potentially affect applications that use the libpng API. Apparently no such applications were identified.
Reference:
http://sourceforge.net/p/libpng/bugs/199/
http://seclists.org/oss-sec/2014/q2/83
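The bug class named in this report (an integer overflow that leads to a heap-based buffer overflow) sketched as an added example; this is not libpng's code and not part of the original report. It assumes the overflow arises from a caller-supplied record count feeding an allocation size, and the names chunk_rec, chunk_list, checked_total and chunk_list_append are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record type; not libpng's own structure. */
typedef struct { unsigned char name[5]; unsigned char *data; size_t size; } chunk_rec;

typedef struct { chunk_rec *items; size_t count; } chunk_list;

/* Returns 1 and stores old_count + add in *total only when the element count
 * and the byte size (total * sizeof(chunk_rec)) both fit in size_t. */
static int checked_total(size_t old_count, size_t add, size_t *total)
{
    if (add > SIZE_MAX - old_count)
        return 0;                        /* the addition would wrap */
    if (old_count + add > SIZE_MAX / sizeof(chunk_rec))
        return 0;                        /* the multiplication would wrap */
    *total = old_count + add;
    return 1;
}

/* Appends n caller-supplied records. Returns 0 on success, -1 on rejection.
 * Without checked_total(), a huge n makes the byte size wrap to a small
 * value, the allocation succeeds, and the copy below writes past it. */
int chunk_list_append(chunk_list *list, const chunk_rec *src, size_t n)
{
    size_t total;
    chunk_rec *grown;

    if (list == NULL || (src == NULL && n != 0))
        return -1;
    if (n == 0)
        return 0;
    if (!checked_total(list->count, n, &total))
        return -1;
    grown = realloc(list->items, total * sizeof(chunk_rec));
    if (grown == NULL)
        return -1;                       /* list->items is still valid */
    memcpy(grown + list->count, src, n * sizeof(chunk_rec));
    list->items = grown;
    list->count = total;
    return 0;
}
```

Internal callers that always pass small counts never reach the rejection paths; the checks matter for an exported API whose count argument comes from the application.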
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Blocks     |        |1086521
Tomas Hoger thoger@redhat.com changed:
What: Summary
Removed: CVE-2013-7353 Integer overflow leading to a heap-based buffer overflow in png_set_unknown_chunks()
Added: CVE-2013-7353 libpng: integer overflow leading to a heap-based buffer overflow in png_set_unknown_chunks()
--- Comment #1 from Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
This issue was addressed by the following upstream commit:
http://sourceforge.net/p/libpng/code/ci/9dd2bfafe50de0e3204be81a90303760d26a...
and was later enhanced by the following commit:
http://sourceforge.net/p/libpng/code/ci/2414bd99d8c76f92ca9272f1b1b1eff55709...
Upstream released libpng-1.6.0 and libpng-1.5.14 to address this issue.
--- Comment #2 from Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
In libpng-1.5.14 the following commits were used by upstream to address this flaw:
http://sourceforge.net/p/libpng/code/ci/1a3d6e3cf3082a0da998dbf402d384a58948...
http://sourceforge.net/p/libpng/code/ci/77a817bfc298a221e3e623acf73c2a1e726c...
http://sourceforge.net/p/libpng/code/ci/bec9ca9b8aa0cf16d2cde1757379afbe9adb...
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What: Whiteboard
Removed: impact=moderate,public=20140411,reported=20140411,source=internet,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=new,rhel-6/libpng=new,rhel-7/libpng=new,rhel-7/libpng12=new,fedora-all/libpng=affected,fedora-all/mingw-libpng=new
Added: impact=moderate,public=20140411,reported=20140411,source=internet,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=affected,rhel-6/libpng=affected,rhel-7/libpng=affected,rhel-7/libpng12=affected,fedora-19/libpng=affected,fedora-20/libpng=notaffected,fedora-all/libpng10=affected,fedora-all/libpng12=affected,fedora-20/libpng15=affected,fedora-19/mingw-libpng=affected,fedora-20/mingw-libpng=notaffected,epel-5/mingw32-libpng=affected,epel-6/libpng10=affected,epel-6/mingw32-libpng=affected
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1086669
Depends On |        |1086670
Depends On |        |1086671
Depends On |        |1086672
Depends On |        |1086673
Depends On |        |1086674
--- Comment #3 from Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
Created libpng tracking bugs for this issue:
Affects: fedora-19 [bug 1086669]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1086669 [Bug 1086669] CVE-2013-7353 libpng: integer overflow leading to a heap-based buffer overflow in png_set_unknown_chunks() [fedora-19]
https://bugzilla.redhat.com/show_bug.cgi?id=1086670 [Bug 1086670] CVE-2013-7353 libpng15: libpng: integer overflow leading to a heap-based buffer overflow in png_set_unknown_chunks() [fedora-20]
https://bugzilla.redhat.com/show_bug.cgi?id=1086671 [Bug 1086671] CVE-2013-7353 mingw-libpng: libpng: integer overflow leading to a heap-based buffer overflow in png_set_unknown_chunks() [fedora-19]
https://bugzilla.redhat.com/show_bug.cgi?id=1086672 [Bug 1086672] CVE-2013-7353 mingw32-libpng: libpng: integer overflow leading to a heap-based buffer overflow in png_set_unknown_chunks() [epel-5]
https://bugzilla.redhat.com/show_bug.cgi?id=1086673 [Bug 1086673] CVE-2013-7353 libpng10: libpng: integer overflow leading to a heap-based buffer overflow in png_set_unknown_chunks() [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1086674 [Bug 1086674] CVE-2013-7353 mingw32-libpng: libpng: integer overflow leading to a heap-based buffer overflow in png_set_unknown_chunks() [epel-6]
--- Comment #4 from Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
Created libpng10 tracking bugs for this issue:
Affects: epel-6 [bug 1086673]
--- Comment #5 from Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
Created libpng15 tracking bugs for this issue:
Affects: fedora-20 [bug 1086670]
--- Comment #6 from Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
Created mingw-libpng tracking bugs for this issue:
Affects: fedora-19 [bug 1086671]
--- Comment #7 from Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
Created mingw32-libpng tracking bugs for this issue:
Affects: epel-5 [bug 1086672]
Affects: epel-6 [bug 1086674]
Bug 1086514 depends on bug 1086673, which changed state.
Bug 1086673 Summary: CVE-2013-7353 CVE-2013-7354 libpng10: various flaws [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1086673
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |NOTABUG
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What: Whiteboard
Removed: impact=moderate,public=20140411,reported=20140411,source=internet,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=affected,rhel-6/libpng=affected,rhel-7/libpng=affected,rhel-7/libpng12=affected,fedora-19/libpng=affected,fedora-20/libpng=notaffected,fedora-all/libpng10=affected,fedora-all/libpng12=affected,fedora-20/libpng15=affected,fedora-19/mingw-libpng=affected,fedora-20/mingw-libpng=notaffected,epel-5/mingw32-libpng=affected,epel-6/libpng10=affected,epel-6/mingw32-libpng=affected
Added: impact=moderate,public=20140411,reported=20140411,source=internet,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=notaffected,rhel-6/libpng=notaffected,rhel-7/libpng=affected,rhel-7/libpng12=notaffected,fedora-19/libpng=affected,fedora-20/libpng=notaffected,fedora-all/libpng10=notaffected,fedora-all/libpng12=notaffected,fedora-20/libpng15=affected,fedora-19/mingw-libpng=affected,fedora-20/mingw-libpng=notaffected,epel-5/mingw32-libpng=notaffected,epel-6/libpng10=notaffected,epel-6/mingw32-libpng=notaffected
Bug 1086514 depends on bug 1086672, which changed state.
Bug 1086672 Summary: CVE-2013-7353 CVE-2013-7354 mingw32-libpng: various flaws [epel-5]
https://bugzilla.redhat.com/show_bug.cgi?id=1086672
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |NOTABUG
Bug 1086514 depends on bug 1086674, which changed state.
Bug 1086674 Summary: CVE-2013-7353 CVE-2013-7354 mingw32-libpng: various flaws [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1086674
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |NOTABUG
--- Comment #8 from Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
Statement:
Not vulnerable. This issue does not affect the version of libpng as shipped with Red Hat Enterprise Linux 5 and 6.
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What: Whiteboard
Removed: impact=moderate,public=20140411,reported=20140411,source=internet,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=notaffected,rhel-6/libpng=notaffected,rhel-7/libpng=affected,rhel-7/libpng12=notaffected,fedora-19/libpng=affected,fedora-20/libpng=notaffected,fedora-all/libpng10=notaffected,fedora-all/libpng12=notaffected,fedora-20/libpng15=affected,fedora-19/mingw-libpng=affected,fedora-20/mingw-libpng=notaffected,epel-5/mingw32-libpng=notaffected,epel-6/libpng10=notaffected,epel-6/mingw32-libpng=notaffected
Added: impact=moderate,public=20140411,reported=20140411,source=internet,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=notaffected,rhel-6/libpng=notaffected,rhel-7/libpng=defer,rhel-7/libpng12=notaffected,fedora-19/libpng=affected,fedora-20/libpng=notaffected,fedora-all/libpng10=notaffected,fedora-all/libpng12=notaffected,fedora-20/libpng15=affected,fedora-19/mingw-libpng=affected,fedora-20/mingw-libpng=notaffected,epel-5/mingw32-libpng=notaffected,epel-6/libpng10=notaffected,epel-6/mingw32-libpng=notaffected
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |NOTABUG
Last Closed |        |2014-04-21 05:03:58
Bug 1086514 depends on bug 1086671, which changed state.
Bug 1086671 Summary: CVE-2013-7353 CVE-2013-7354 mingw-libpng: various flaws [fedora-19]
https://bugzilla.redhat.com/show_bug.cgi?id=1086671
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
Bug 1086514 depends on bug 1086670, which changed state.
Bug 1086670 Summary: CVE-2013-7353 CVE-2013-7354 libpng15: various flaws [fedora-20]
https://bugzilla.redhat.com/show_bug.cgi?id=1086670
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |CURRENTRELEASE
Bug 1086514 depends on bug 1086669, which changed state.
Bug 1086669 Summary: CVE-2013-7353 CVE-2013-7354 libpng: various flaws [fedora-19]
https://bugzilla.redhat.com/show_bug.cgi?id=1086669
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |WONTFIX
Ján Rusnačko jrusnack@redhat.com changed:
What: Whiteboard
Removed: impact=moderate,public=20140411,reported=20140411,source=internet,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=notaffected,rhel-6/libpng=notaffected,rhel-7/libpng=defer,rhel-7/libpng12=notaffected,fedora-19/libpng=affected,fedora-20/libpng=notaffected,fedora-all/libpng10=notaffected,fedora-all/libpng12=notaffected,fedora-20/libpng15=affected,fedora-19/mingw-libpng=affected,fedora-20/mingw-libpng=notaffected,epel-5/mingw32-libpng=notaffected,epel-6/libpng10=notaffected,epel-6/mingw32-libpng=notaffected
Added: impact=moderate,public=20140411,reported=20140411,source=internet,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=notaffected,rhel-6/libpng=notaffected,rhel-7/libpng=defer,rhel-7/libpng12=notaffected,fedora-19/libpng=affected,fedora-20/libpng=notaffected,fedora-all/libpng10=notaffected,fedora-all/libpng12=notaffected,fedora-20/libpng15=affected,fedora-19/mingw-libpng=affected,fedora-20/mingw-libpng=notaffected,epel-5/mingw32-libpng=notaffected,epel-6/libpng10=notaffected,epel-6/mingw32-libpng=notaffected,cwe=CWE-190->CWE-122[auto]