[Bug 504782] libpng: Interlaced Images Information Disclosure Vulnerability

bugzilla at redhat.com bugzilla at redhat.com
Tue Jun 9 12:43:03 UTC 2009


https://bugzilla.redhat.com/show_bug.cgi?id=504782


Tomas Hoger <thoger at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
    External Bug ID|                            |Gentoo 272970




--- Comment #1 from Tomas Hoger <thoger at redhat.com>  2009-06-09 08:43:02 EDT ---
Upstream page - http://www.libpng.org/pub/png/libpng.html - contains a rather
confusing vulnerability warning:

  Vulnerability Warning

  Jeff Phillips reported that several versions of libpng through 1.2.35
  contain an uninitialized-memory-read bug that may have security
  implications. Specifically, 1-bit (2-color) interlaced images whose
  widths are not divisible by 8 may result in several uninitialized bits
  at the end of certain rows in certain interlace passes being returned
  to the user. An application that failed to mask these out-of-bounds
  pixels might display or process them, albeit presumably with benign
  results in most cases. This bug may be fixed in version 1.2.36,
  released 7 May 2009, but the correct fix is in version 1.2.37,
  released 4 June 2009. 

Going through 1.2.35 -> 1.2.36 and 1.2.36 -> 1.2.37 diffs, this probably refers
to the following changes:


Changes in 1.2.36:
  +version 1.2.36beta02 [March 21, 2009]
  +  Use png_memset() after png_malloc() of big_row_buf when reading an
  +    interlaced file, to avoid a possible UMR.

http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng;a=commitdiff;h=85f7d0a8d5f45176d8f200e59b0d3002ff0f445d#patch26


Changes in 1.2.37:
  +version 1.2.37beta01 [May 12, 2009]
  +  Fixed inconsistency in pngrutil.c, introduced in libpng-1.2.36.  The
  +    memset() was using "png_ptr->rowbytes" instead of "row_bytes", which
  +    the corresponding png_malloc() uses (Joe Drew).

http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng;a=commitdiff;h=549a5101e7d59bec9af1a4d90afe714ceff5c5dd

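The inconsistency named in the 1.2.37 changelog entry above, a row buffer cleared with a different length than it was allocated with, shown as an added C illustration; it is not libpng code and not part of the original bug comment. The buffer sizing, the 0xAA fill standing in for stale heap contents, and all function names are assumptions; the Adam7 pass geometry comes from the PNG specification.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA  /* constructed stand-in for leftover heap contents */

/* Adam7 pass geometry from the PNG specification (passes 0..6). */
static const unsigned adam7_start[7] = {0, 4, 0, 2, 0, 1, 0};
static const unsigned adam7_inc[7]   = {8, 8, 4, 4, 2, 2, 1};

/* Bytes needed for one row of 1-bit pixels. */
static size_t row_bytes_1bit(unsigned width) { return (width + 7u) / 8u; }

/* Pixels per row in the given Adam7 pass. */
static unsigned pass_width(unsigned width, int pass) {
    return (width + adam7_inc[pass] - 1 - adam7_start[pass]) / adam7_inc[pass];
}

/* Allocate a row buffer, clear it, and count bytes still holding stale data.
 * consistent == 0: clear with the per-pass length (the mismatch).
 * consistent != 0: clear with the same length that was allocated. */
size_t stale_bytes_after_clear(unsigned width, int pass, int consistent) {
    /* Hypothetical sizing: full image width rounded up to 8 pixels. */
    size_t alloc_len = row_bytes_1bit((width + 7u) & ~7u);
    size_t pass_len  = row_bytes_1bit(pass_width(width, pass));
    unsigned char *row = malloc(alloc_len);
    size_t i, stale = 0;

    if (row == NULL) return (size_t)-1;
    memset(row, STALE, alloc_len);            /* model a dirty heap chunk */
    memset(row, 0, consistent ? alloc_len : pass_len);
    for (i = 0; i < alloc_len; i++)
        if (row[i] == STALE) stale++;
    free(row);
    return stale;
}

int main(void) {
    unsigned width = 100;  /* constructed: width not divisible by 8 */
    printf("mismatched clear: %zu stale bytes\n",
           stale_bytes_after_clear(width, 0, 0));
    printf("consistent clear: %zu stale bytes\n",
           stale_bytes_after_clear(width, 0, 1));
    return 0;
}
```

Any byte the clear does not reach keeps whatever the allocator handed back, which is the uninitialized-memory-read condition the upstream warning describes; building a real decoder with MemorySanitizer or running it under Valgrind is the usual way to catch the same mismatch.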