https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216706
Summary: CVE-2006-5793 libpng, libpng10 DoS
Product: Fedora Core
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: libpng
AssignedTo: tgl(a)redhat.com
ReportedBy: ville.skytta(a)iki.fi
CC: fedora-security-list@redhat.com,mclasen(a)redhat.com
+++ This bug was initially created as a clone of Bug #215405 +++
Tavis Ormandy told vendor-sec about an OOB memory read flaw in libpng. This flaw
is a denial of service flaw.
quoting the mail from Tavis:
Hello, there's a typo in the sPLT chunk handling code in libpng,
potentially resulting in an OOB read. AFAICT, the extent of the
vulnerability is denial of service, but would appreciate a second pair
of eyes to verify.
Around line ~983 of pngset.c, in png_set_sPLT()
to->entries = (png_sPLT_entryp)png_malloc(png_ptr,
from->nentries * png_sizeof(png_sPLT_t));
should be `png_sizeof(png_sPLT_entry)`
and the same on this line:
png_memcpy(to->entries, from->entries,
from->nentries * png_sizeof(png_sPLT_t));
This issue also affects RHEL2.1 and RHEL3
-- Additional comment from bressers(a)redhat.com on 2006-11-14 16:28 EST --
This issue is now public:
http://bugs.gentoo.org/show_bug.cgi?id=154380
---
Possibly affected: libpng in FC5, FC6, and devel, and libpng10 in FC5.
(libpng10 in Extras has been updated, see bug 216263)
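
The size mismatch described in the quoted mail, as an added example that is not part of the bug report or of libpng: splt_entry and splt_palette are hypothetical stand-ins for png_sPLT_entry and png_sPLT_t with assumed layouts, and copy_entries() sizes the copy by the entry type as the mail says it should be.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the two types named in the report (layouts assumed). */
typedef struct {
    uint16_t red, green, blue, alpha, frequency;
} splt_entry;                      /* plays the role of png_sPLT_entry */

typedef struct {
    char       *name;
    uint8_t     depth;
    splt_entry *entries;
    int32_t     nentries;
} splt_palette;                    /* plays the role of png_sPLT_t */

/* Byte count used by the code quoted in the report: wrong element type. */
size_t size_as_reported(size_t n) { return n * sizeof(splt_palette); }

/* Byte count with the element type the report says it should be. */
size_t size_as_corrected(size_t n) { return n * sizeof(splt_entry); }

/* Bytes the memcpy reads past the end of a source array of n entries. */
size_t overread_bytes(size_t n) { return size_as_reported(n) - size_as_corrected(n); }

/* Corrected copy: sized by the entry type, with a multiplication-overflow check.
 * Returns a malloc'd copy, or NULL on bad input or allocation failure. */
splt_entry *copy_entries(const splt_entry *src, int32_t nentries)
{
    if (src == NULL || nentries <= 0 ||
        (size_t)nentries > SIZE_MAX / sizeof(splt_entry))
        return NULL;
    size_t bytes = size_as_corrected((size_t)nentries);
    splt_entry *dst = malloc(bytes);
    if (dst != NULL)
        memcpy(dst, src, bytes);
    return dst;
}

int main(void)
{
    /* Constructed sample palette entries. */
    splt_entry src[3] = { {1, 2, 3, 4, 5}, {6, 7, 8, 9, 10}, {11, 12, 13, 14, 15} };
    splt_entry *dst = copy_entries(src, 3);
    int ok = dst != NULL && memcmp(dst, src, sizeof src) == 0;
    free(dst);
    return ok ? 0 : 1;
}
```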