Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
Summary: libpng: Interlaced Images Information Disclosure Vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=504782
Summary: libpng: Interlaced Images Information Disclosure Vulnerability
Product: Security Response
Version: unspecified
Platform: All
OS/Version: Linux
Status: NEW
Status Whiteboard: source=gentoo,reported=20090606,public=20090604,impact=low?
Keywords: Security
Severity: medium
Priority: medium
Component: vulnerability
AssignedTo: security-response-team@redhat.com
ReportedBy: thoger@redhat.com
CC: paul@city-fan.org, lfarkas@lfarkas.org, tgl@redhat.com, berrange@redhat.com, rjones@redhat.com, fedora-mingw@lists.fedoraproject.org
Classification: Other
Target Release: ---
Quoting Secunia advisory SA35346:
http://secunia.com/advisories/35346/
A vulnerability has been reported in libpng, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused due to an error when processing 1-bit interlaced images. This can be exploited to disclose uninitialised memory via specially crafted images having widths that are not divisible by 8.
The vulnerability is reported in versions prior to 1.2.37.
Tomas Hoger thoger@redhat.com changed:
What | Removed | Added
External Bug ID | | Gentoo 272970
--- Comment #1 from Tomas Hoger thoger@redhat.com 2009-06-09 08:43:02 EDT --- Upstream page - http://www.libpng.org/pub/png/libpng.html - contains a rather confusing vulnerability warning:
Vulnerability Warning
Jeff Phillips reported that several versions of libpng through 1.2.35 contain an uninitialized-memory-read bug that may have security implications. Specifically, 1-bit (2-color) interlaced images whose widths are not divisible by 8 may result in several uninitialized bits at the end of certain rows in certain interlace passes being returned to the user. An application that failed to mask these out-of-bounds pixels might display or process them, albeit presumably with benign results in most cases. This bug may be fixed in version 1.2.36, released 7 May 2009, but the correct fix is in version 1.2.37, released 4 June 2009.
Going through the 1.2.35 -> 1.2.36 and 1.2.36 -> 1.2.37 diffs, this probably refers to the following changes:
Changes in 1.2.36: +version 1.2.36beta02 [March 21, 2009] + Use png_memset() after png_malloc() of big_row_buf when reading an + interlaced file, to avoid a possible UMR.
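Review bot: the entry records that big_row_buf is cleared with png_memset() right after png_malloc() but does not state the length passed to the clear; the clear only removes the uninitialized read if it covers the whole allocation, so the entry (and the code) should use the same size expression for the png_memset() length as for the png_malloc() size, rather than a separately maintained value that can drift.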
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng;a=commitdiff;h=85f...
Changes in 1.2.37: +version 1.2.37beta01 [May 12, 2009] + Fixed inconsistency in pngrutil.c, introduced in libpng-1.2.36. The + memset() was using "png_ptr->rowbytes" instead of "row_bytes", which + the corresponding png_malloc() uses (Joe Drew).
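Review bot: the memset()/png_malloc() inconsistency described here (clearing `png_ptr->rowbytes` bytes of a buffer allocated with `row_bytes`) is exactly the drift a single shared size variable prevents; the fix should take the clear's length from the same `row_bytes` the allocation uses, and the entry would be clearer if it said that whenever png_ptr->rowbytes is smaller than row_bytes, the 1.2.36 clear leaves the tail of big_row_buf uninitialized, which is why 1.2.36 is described upstream as only possibly fixing the bug.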
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng;a=commitdiff;h=549...
--- Comment #2 from Tomas Hoger thoger@redhat.com 2009-06-09 08:48:07 EDT --- Created an attachment (id=347014) --> (https://bugzilla.redhat.com/attachment.cgi?id=347014) 1.2.36 change
Local copy of: http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng;a=commitdiff;h=85f...
--- Comment #3 from Tomas Hoger thoger@redhat.com 2009-06-09 08:48:51 EDT --- Created an attachment (id=347015) --> (https://bugzilla.redhat.com/attachment.cgi?id=347015) 1.2.37 change
Local copy of: http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng;a=commitdiff;h=549...
--- Comment #4 from Fedora Update System updates@fedoraproject.org 2009-06-09 09:00:20 EDT --- mingw32-libpng-1.2.37-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/mingw32-libpng-1.2.37-1.fc10
--- Comment #5 from Fedora Update System updates@fedoraproject.org 2009-06-09 09:00:25 EDT --- mingw32-libpng-1.2.37-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/mingw32-libpng-1.2.37-1.fc11
--- Comment #6 from Richard W.M. Jones rjones@redhat.com 2009-06-09 09:00:50 EDT --- mingw32-libpng packages all done.
--- Comment #7 from Tom Lane tgl@redhat.com 2009-06-09 09:42:38 EDT --- Calling this a security issue seems like a bit of a stretch. You can only read portions of individual bytes, you can't control very well which bytes those are, and the whole thing depends on the application's display code being seriously buggy (i.e. showing garbage pixels on the right side of an image).
--- Comment #8 from Tomas Hoger thoger@redhat.com 2009-06-09 12:14:26 EDT --- (In reply to comment #7)
> Calling this a security issue seems like a bit of a stretch.

Yeah, that was my reaction too, when seeing the upstream announcement.
> You can only read portions of individual bytes, you can't control very well which bytes those are, and the whole thing depends on the application's display code being seriously buggy (i.e. showing garbage pixels on the right side of an image).

I believe applications displaying images using libpng were not really the assumed attack vector, as those can only show those leaked bytes to the user running the application, so that case is a non-issue. I guess they may have assumed some automated image processing (such as image conversion using ImageMagick's convert, or CUPS printing) as a vector, though even without checking whether any such application can return leaked bytes in some output an attacker can see and use, the leak seems rather limited, not easily predictable and not too likely to yield any valuable data.
Have you already looked into what application must do wrong to process those garbage pixels at all?
--- Comment #9 from Tom Lane tgl@redhat.com 2009-06-09 12:52:46 EDT --- Well, it would have to have a bug that causes it to process whole bytes (groups of 8 pixels) without regard to the declared image width. That seems unlikely to escape notice for long so far as "display" actions go. I suppose the most plausible route for an information leak is if the bytes get shoved directly into some other image file (either an output PNG or some other format with similar representational details), and then the attacker manages to get access to that file. I think we've previously decided that bugs in PNG-writing applications aren't really grounds for security responses, and this would effectively be in that category.
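The two failure modes discussed above (the upstream warning's "out-of-bounds pixels" at the end of 1-bit rows whose width is not a multiple of 8, and Tom Lane's point in comment #9 that a consumer would have to process whole bytes without regard to the declared width) can be made concrete on the application side. The following C is an added example for this page, not libpng code and not anything posted in the bug: it assumes only that libpng, with interlace handling enabled, returns full-width rows in standard PNG packing (one bit per pixel, most significant bit first, rows padded to a byte boundary). The sample row is constructed: width 13 gives two bytes with three padding bits, and those padding bits are deliberately set to 111 to stand in for whatever stale memory an unfixed libpng could leave there. `unpack_whole_bytes` is the buggy consumer, `unpack_to_width` the correct one, and `mask_padding_1bit` is the defence-in-depth step for code that forwards rows into another file or library.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes libpng returns for one full-width row of a 1-bit image. */
size_t row_bytes_1bit(uint32_t width) { return ((size_t)width + 7) / 8; }

/* Trailing bits of the last row byte that belong to no pixel: nonzero exactly
   when the width is not divisible by 8, the case the advisory describes. */
unsigned padding_bits_1bit(uint32_t width) { return (8 - width % 8) % 8; }

/* Constructed sample row (not from a real file): width 13, so 2 bytes with 3
   padding bits. The padding bits are filled with 111 to stand in for whatever
   stale heap contents an unfixed libpng could leave there. */
#define SAMPLE_WIDTH 13u
static const uint8_t sample_row[2] = { 0xA5, 0xC7 }; /* 0xC7 = 11000 | 111 */

/* Failure mode from comment #9: a consumer that expands every bit of every
   byte, ignoring the declared width. It emits rowbytes*8 samples, the last
   padding_bits of which are the leaked bits. Returns samples written. */
size_t unpack_whole_bytes(const uint8_t *row, size_t rowbytes,
                          uint8_t *out, size_t out_cap) {
    size_t n = 0;
    for (size_t i = 0; i < rowbytes; i++)
        for (int b = 7; b >= 0; b--) {
            if (n >= out_cap) return n;
            out[n++] = (row[i] >> b) & 1u;
        }
    return n;
}

/* Correct consumer: stops at the declared width, so padding bits are never
   read. Returns samples written (== width when out_cap allows). */
size_t unpack_to_width(const uint8_t *row, uint32_t width,
                       uint8_t *out, size_t out_cap) {
    size_t n = 0;
    for (uint32_t x = 0; x < width && n < out_cap; x++)
        out[n++] = (row[x / 8] >> (7 - x % 8)) & 1u;
    return n;
}

/* Returns 1 if any padding bit is set, i.e. the row carries non-pixel data. */
int padding_is_dirty(const uint8_t *row, uint32_t width) {
    unsigned pad = padding_bits_1bit(width);
    if (pad == 0) return 0;
    return (row[row_bytes_1bit(width) - 1] & (uint8_t)((1u << pad) - 1)) != 0;
}

/* Defence in depth for code that forwards rows elsewhere (a PNG writer, a
   converter): clear the padding bits in place so a whole-byte consumer
   downstream sees zeros, not leaked memory. Returns bits cleared. */
unsigned mask_padding_1bit(uint8_t *row, uint32_t width) {
    unsigned pad = padding_bits_1bit(width);
    if (pad) row[row_bytes_1bit(width) - 1] &= (uint8_t)(0xFFu << pad);
    return pad;
}

int main(void) {
    uint8_t out[16], row[2];
    size_t n = unpack_whole_bytes(sample_row, sizeof sample_row, out, sizeof out);
    printf("whole-byte consumer: %zu samples, trailing bits %u%u%u\n",
           n, (unsigned)out[13], (unsigned)out[14], (unsigned)out[15]);
    n = unpack_to_width(sample_row, SAMPLE_WIDTH, out, sizeof out);
    printf("width-aware consumer: %zu samples\n", n);
    memcpy(row, sample_row, sizeof row);
    printf("padding dirty before mask: %d\n", padding_is_dirty(row, SAMPLE_WIDTH));
    mask_padding_1bit(row, SAMPLE_WIDTH);
    printf("padding dirty after mask: %d (last byte 0x%02X)\n",
           padding_is_dirty(row, SAMPLE_WIDTH), (unsigned)row[1]);
    return 0;
}
```

With the sample row the whole-byte consumer emits 16 samples, the last three of which are the padding bits; the width-aware consumer emits 13 and never touches them. `padding_is_dirty` is the cheap check a converter can run on rows from an unpatched libpng before writing them out, and `mask_padding_1bit` turns the last byte from 0xC7 into 0xC0 so that nothing beyond the declared width survives into the output.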
Vincent Danen vdanen@redhat.com changed:
What | Removed | Added
CC | | vdanen@redhat.com
Summary | libpng: Interlaced Images Information Disclosure Vulnerability | CVE-2009-2042 libpng: Interlaced Images Information Disclosure Vulnerability
Alias | | CVE-2009-2042
--- Comment #10 from Vincent Danen vdanen@redhat.com 2009-06-12 16:43:18 EDT --- Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2042 to the following vulnerability:
Name: CVE-2009-2042
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
Assigned: 20090612
Reference: CONFIRM: http://www.libpng.org/pub/png/libpng.html
Reference: BID:35233
Reference: URL: http://www.securityfocus.com/bid/35233
Reference: SECUNIA:35346
Reference: URL: http://secunia.com/advisories/35346
Reference: VUPEN:ADV-2009-1510
Reference: URL: http://www.vupen.com/english/advisories/2009/1510
Reference: XF:libpng-interlaced-image-info-disclosure(50966)
Reference: URL: http://xforce.iss.net/xforce/xfdb/50966
libpng before 1.2.37 does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file.
--- Comment #11 from Fedora Update System updates@fedoraproject.org 2009-06-13 13:56:35 EDT --- libpng-1.2.37-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/libpng-1.2.37-1.fc10
--- Comment #12 from Fedora Update System updates@fedoraproject.org 2009-06-13 13:56:40 EDT --- libpng-1.2.37-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/libpng-1.2.37-1.fc9
--- Comment #13 from Fedora Update System updates@fedoraproject.org 2009-06-13 13:56:45 EDT --- libpng-1.2.37-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/libpng-1.2.37-1.fc11
--- Comment #14 from Fedora Update System updates@fedoraproject.org 2009-06-15 21:20:53 EDT --- mingw32-libpng-1.2.37-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #15 from Fedora Update System updates@fedoraproject.org 2009-06-15 22:29:28 EDT --- mingw32-libpng-1.2.37-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #16 from Fedora Update System updates@fedoraproject.org 2009-06-18 07:38:15 EDT --- libpng-1.2.37-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #17 from Fedora Update System updates@fedoraproject.org 2009-06-18 07:40:50 EDT --- libpng-1.2.37-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #18 from Fedora Update System updates@fedoraproject.org 2009-06-18 07:50:17 EDT --- libpng-1.2.37-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Tomas Hoger thoger@redhat.com changed:
What | Removed | Added
Status Whiteboard | source=gentoo,reported=20090606,public=20090604,impact=low? | source=gentoo,reported=20090606,public=20090604,impact=low,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N
Jan Lieskovsky jlieskov@redhat.com changed:
What | Removed | Added
Priority | medium | low
CC | | jlieskov@redhat.com
Status Whiteboard | source=gentoo,reported=20090606,public=20090604,impact=low,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N | public=20090604,reported=20090606,source=gentoo,rhel-3/libpng=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,rhel-4/libpng=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N
Status Whiteboard | | rhel-5/libpng=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,rhel-6/libpng=fixed,fedora-all/libpng=fixed,rhel-3/libpng10=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N
Status Whiteboard | | rhel-4/libpng10=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,fedora-all/libpng10=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N
Severity | medium | low
Josh Bressers (Security Response Team) bressers@redhat.com changed:
What | Removed | Added
CC | | bressers@redhat.com
Status Whiteboard | public=20090604,reported=20090606,source=gentoo,rhel-3/libpng=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,rhel-4/libpng=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N | public=20090604,reported=20090606,source=gentoo,rhel-3/libpng=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,rhel-4/libpng=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N
Status Whiteboard | rhel-5/libpng=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,rhel-6/libpng=fixed,fedora-all/libpng=fixed,rhel-3/libpng10=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N | rhel-5/libpng=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,rhel-6/libpng=affected,fedora-all/libpng=affected,rhel-3/libpng10=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N
Status Whiteboard | rhel-4/libpng10=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,fedora-all/libpng10=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N | rhel-4/libpng10=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,fedora-all/libpng10=affected/impact=low/cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N