Bug 242915
PNG out-of-bounds read during error message processing
Opened 21 years ago
Closed 21 years ago
Status: VERIFIED FIXED
Categories: Core :: Graphics: ImageLib, defect
People: Reporter: glennrp+bmo, Assigned: glennrp+bmo
Details: Keywords: fixed1.4.3, verified1.7, Whiteboard: [sg:dos]
Attachments (1 file)
patch (1.32 KB)
tor: review+
tor: superreview+
caillon: approval1.4.3+
dveditz: approval1.7+
A bug in pngerror.c has been discovered recently and reported to bugtraq and
various distro mailing lists. The PNG Group has developed and released a patch
for the bug. It is highly unlikely that the bug could actually be exploited.
Comment 1 (Assignee) • 21 years ago
Here is a copy of the PNG group's patch. It uses strncpy() while some distro
vendors are providing a patch that uses strlen() followed by memcpy(). The PNG
group believes that the strncpy solution is more robust.
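The two fix styles contrasted in Comment 1, as an added example (not the PNG group's patch and not libpng code): it assumes the out-of-bounds read comes from copying a fixed number of bytes out of an error message that may be shorter than that. The 64-byte field, the function names and the sample messages are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MSG_MAX 64 /* assumed size of the message field, terminator included */

/* Style 1: strncpy() stops reading at the source's NUL and zero-fills the rest
 * of the field; a truncated copy is not terminated, so that is done by hand. */
static void copy_msg_strncpy(char *dst, const char *msg)
{
    strncpy(dst, msg, MSG_MAX - 1);
    dst[MSG_MAX - 1] = '\0';
}

/* Style 2: measure the source, clamp to the field, memcpy() that many bytes.
 * Bytes of dst after the terminator keep whatever they held before. */
static void copy_msg_memcpy(char *dst, const char *msg)
{
    size_t n = strlen(msg);
    if (n > MSG_MAX - 1) n = MSG_MAX - 1;
    memcpy(dst, msg, n);
    dst[n] = '\0';
}

/* Returns 1 when both styles yield the same, properly bounded C string. */
static int same_result(const char *msg)
{
    char a[MSG_MAX], b[MSG_MAX];
    copy_msg_strncpy(a, msg);
    copy_msg_memcpy(b, msg);
    return strcmp(a, b) == 0 && strlen(a) < MSG_MAX;
}

/* Byte just before the terminator slot after copying msg into an 'X'-filled
 * field: shows whether the copy cleared the unused tail. */
static char tail_byte(int use_strncpy, const char *msg)
{
    char buf[MSG_MAX];
    memset(buf, 'X', sizeof buf);
    (use_strncpy ? copy_msg_strncpy : copy_msg_memcpy)(buf, msg);
    return buf[MSG_MAX - 2];
}

int main(void)
{
    const char *s = "constructed short error"; /* constructed sample inputs */
    const char *l = "constructed error text that is deliberately longer than the sixty-three byte field";
    printf("same string: short=%d long=%d\n", same_result(s), same_result(l));
    printf("tail byte: strncpy=%d memcpy=%d\n", tail_byte(1, s), tail_byte(0, s));
    return 0;
}
```

Both styles produce the same string for short and over-long messages; they differ only in whether the unused tail of the field is cleared.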
Updated • 21 years ago
Flags: blocking1.7?
Comment 2 (Assignee) • 21 years ago
Comment on attachment 147883
patch for PNG read-out-of-bounds bug in pngerror
tor: r?
Attachment #147883 - Flags: review?(tor)
Updated (Assignee) • 21 years ago
Status: NEW → ASSIGNED
Updated • 21 years ago
Flags: blocking1.7? → blocking1.7+
Attachment #147883 - Flags: superreview+
Attachment #147883 - Flags: review?(tor)
Attachment #147883 - Flags: review+
Attachment #147883 - Flags: approval1.7?
Comment 4 • 21 years ago
Comment on attachment 147883
patch for PNG read-out-of-bounds bug in pngerror
a=dveditz for 1.7
Attachment #147883 - Flags: approval1.7? → approval1.7+
Updated • 21 years ago
Group: security
Comment 5 • 21 years ago
Sorry for bug spam, setting and clearing security flag so it'll show up on the
right queries
Group: security
Whiteboard: [sg:dos]
In on trunk/branch - closing.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 8 • 20 years ago
References from CAN-2004-0421
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421):
DEBIAN:DSA-498
http://www.debian.org/security/2004/dsa-498
MANDRAKE:MDKSA-2004:040
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:040
REDHAT:RHSA-2004:180
http://www.redhat.com/support/errata/RHSA-2004-180.html
REDHAT:RHSA-2004:181
http://www.redhat.com/support/errata/RHSA-2004-181.html
BUGTRAQ:20040429 [OpenPKG-SA-2004.017] OpenPKG Security Advisory (png)
http://marc.theaimsgroup.com/?l=bugtraq&m=108334922320309&w=2
TRUSTIX:2004-0025
http://marc.theaimsgroup.com/?l=bugtraq&m=108335030208523&w=2
FEDORA:FEDORA-2004-105
http://marc.theaimsgroup.com/?l=fedora-announce-list&m=108451350029261&w=2
FEDORA:FEDORA-2004-106
http://marc.theaimsgroup.com/?l=fedora-announce-list&m=108451353608968&w=2
libpng-png-dos(16022)
http://xforce.iss.net/xforce/xfdb/16022
Comment 9 • 20 years ago
Adding Jon Granrose to CC list to help round up QA resources for verification
Comment 10 • 20 years ago
adding tracy to verify on 1.7
Comment 11 • 20 years ago
Glenn, can you provide a test case or verify this is fixed in 1.7?
Comment 12 (Assignee) • 20 years ago
There is no exploit, to my knowledge, nor any test case. I have just examined
the source code of a fresh checkout of Moz-1.7 and can verify that the bug has
been fixed. However, the trunk version of MOZCHANGES wasn't checked in to Moz-1.7.
Updated • 20 years ago
Keywords: fixed1.7 → verified1.7
Updated • 20 years ago
Attachment #147883 - Flags: approval1.4.3?
Comment 14 • 20 years ago
Comment on attachment 147883
patch for PNG read-out-of-bounds bug in pngerror
a=blizzard
Attachment #147883 - Flags: approval1.4.3? → approval1.4.3+
Updated • 20 years ago
Keywords: fixed1.4.3