[Bug 504782] libpng: Interlaced Images Information Disclosure Vulnerability
bugzilla at redhat.com
Tue Jun 9 12:43:03 UTC 2009
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=504782
Tomas Hoger <thoger at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
External Bug ID| |Gentoo 272970
--- Comment #1 from Tomas Hoger <thoger at redhat.com> 2009-06-09 08:43:02 EDT ---
Upstream page - http://www.libpng.org/pub/png/libpng.html - contains a rather
confusing vulnerability warning:
Vulnerability Warning
Jeff Phillips reported that several versions of libpng through 1.2.35
contain an uninitialized-memory-read bug that may have security
implications. Specifically, 1-bit (2-color) interlaced images whose
widths are not divisible by 8 may result in several uninitialized bits
at the end of certain rows in certain interlace passes being returned
to the user. An application that failed to mask these out-of-bounds
pixels might display or process them, albeit presumably with benign
results in most cases. This bug may be fixed in version 1.2.36,
released 7 May 2009, but the correct fix is in version 1.2.37,
released 4 June 2009.
Going through 1.2.35 -> 1.2.36 and 1.2.36 -> 1.2.37 diffs, this probably refers
to the following changes:
Changes in 1.2.36:
+version 1.2.36beta02 [March 21, 2009]
+ Use png_memset() after png_malloc() of big_row_buf when reading an
+ interlaced file, to avoid a possible UMR.
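Review bot: the entry names the buffer but not the length handed to png_memset(). It should state that the fill covers the same byte count as the png_malloc() of big_row_buf, because a fill shorter than the allocation leaves the tail of the buffer uninitialized and the UMR still reachable.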
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng;a=commitdiff;h=85f7d0a8d5f45176d8f200e59b0d3002ff0f445d#patch26
Changes in 1.2.37:
+version 1.2.37beta01 [May 12, 2009]
+ Fixed inconsistency in pngrutil.c, introduced in libpng-1.2.36. The
+ memset() was using "png_ptr->rowbytes" instead of "row_bytes", which
+ the corresponding png_malloc() uses (Joe Drew).
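Review bot: the entry does not say what the size mismatch caused. With memset() using "png_ptr->rowbytes" and png_malloc() using "row_bytes", the fill either stops short of the allocation or runs past it; the entry should say which, and mark the change as security-relevant so that anyone backporting the UMR fix takes this change together with the 1.2.36 one.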
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng;a=commitdiff;h=549a5101e7d59bec9af1a4d90afe714ceff5c5dd
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
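The upstream warning quoted in the comment above says an application can mask the out-of-bounds pixels at the end of a row. As an added example (not code from libpng or from this bug report), the C code below computes the pixel width of each Adam7 pass and clears the padding bits in the last byte of a packed row; the function names are hypothetical, and the pass tables are the Adam7 start and step values from the PNG specification.

```c
#include <stddef.h>
#include <stdint.h>

/* Adam7 column start and column step for passes 0..6 (PNG specification). */
static const unsigned adam7_xstart[7] = {0, 4, 0, 2, 0, 1, 0};
static const unsigned adam7_xstep[7]  = {8, 8, 4, 4, 2, 2, 1};

/* Pixels held by one row of the given pass for an image `width` pixels wide.
 * Hypothetical helper name; returns 0 when the pass has no columns. */
unsigned pass_width(unsigned width, int pass)
{
    if (pass < 0 || pass > 6 || width <= adam7_xstart[pass])
        return 0;
    return (width - adam7_xstart[pass] + adam7_xstep[pass] - 1)
           / adam7_xstep[pass];
}

/* Bytes needed to store `pixels` pixels at `bit_depth` bits each (1, 2, 4, 8). */
size_t packed_row_bytes(unsigned pixels, unsigned bit_depth)
{
    return ((size_t)pixels * bit_depth + 7) / 8;
}

/* Clear the padding bits that follow the last pixel of a packed row.
 * PNG packs pixels starting at the most significant bit, so the padding is
 * the low-order bits of the final byte. Returns the number of bits cleared. */
unsigned mask_row_padding(uint8_t *row, unsigned pixels, unsigned bit_depth)
{
    unsigned used = (unsigned)(((size_t)pixels * bit_depth) % 8);
    if (pixels == 0 || used == 0)
        return 0;                       /* row ends on a byte boundary */
    size_t last = packed_row_bytes(pixels, bit_depth) - 1;
    row[last] &= (uint8_t)(0xFF << (8 - used));
    return 8 - used;
}
```

For a 1-bit image 13 pixels wide, every pass row ends part-way through a byte, so each row handed back by the decoder has padding bits to clear before it is displayed or processed.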