
PNG out-of-bounds read during error message processing

VERIFIED FIXED


Product: Core
Component: ImageLib
Status: VERIFIED FIXED
Reported: 13 years ago
Modified: 13 years ago

People

(Reporter: Glenn Randers-Pehrson, Assigned: Glenn Randers-Pehrson)

Tracking

Keywords: fixed1.4.3, verified1.7
Version: Trunk
Bug Flags: blocking1.7+


Details

Whiteboard: [sg:dos]

Attachments

(1 attachment)

(Assignee)

Description

13 years ago
A bug in pngerror.c has been discovered recently and reported to bugtraq and
various distro mailing lists.  The PNG Group has developed and released a patch
for the bug.  It is highly unlikely that the bug could actually be exploited.
(Assignee)

Comment 1

13 years ago
Created attachment 147883 [details] [diff] [review]
patch for PNG read-out-of-bounds bug in pngerror

Here is a copy of the PNG group's patch.  It uses strncpy() while some distro
vendors are providing a patch that uses strlen() followed by memcpy().  The PNG
group believes that the strncpy solution is more robust.
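Comment 1 contrasts two ways of bounding the copy in pngerror.c. The C program below is an added illustration written for this page; it is not libpng's code and not either vendor's patch. It models the error-message formatter in simplified form (the [hh] rendering of non-letter chunk-name bytes, the 64-byte copy length, the buffer size, and every function and constant name are assumptions for the example), computes how far a fixed-size memcpy() reads past a short message, and places the strncpy() form beside the strlen()-then-memcpy() form. Neither bounded form reads past the source string's terminator; they differ in that strncpy() also zero-fills the remainder of the destination and still needs an explicit terminator.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumptions for this example (not libpng's own code or values): at most
 * MSG_COPY_LEN bytes of error text follow "<chunk name>: "; all names here
 * are hypothetical. */
#define MSG_COPY_LEN 64
/* Worst case: four chunk-name bytes each shown as "[hh]", ": ", message, NUL. */
#define FMT_BUF_LEN (4 * 4 + 2 + MSG_COPY_LEN + 1)

/* Constructed sample inputs. */
const unsigned char CHUNK_IHDR[4] = { 'I', 'H', 'D', 'R' };
const unsigned char CHUNK_ODD[4]  = { 'I', 0x01, 'D', 0xFF };
const char *SHORT_MSG = "invalid data";   /* 12 bytes, far below MSG_COPY_LEN */

/* Render the 4-byte chunk name; non-letter bytes become [hh] so a hostile
 * name cannot inject control characters. Returns bytes written. */
size_t format_chunk_name(const unsigned char name[4], char *out)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char c = name[i];
        if (isalpha(c)) {
            out[o++] = (char)c;
        } else {
            out[o++] = '[';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
            out[o++] = ']';
        }
    }
    return o;
}

/* The bug pattern: a fixed-size copy. memcpy() ignores the source NUL, so a
 * message shorter than MSG_COPY_LEN bytes is read past its end. main() only
 * feeds it a 64-byte padded source so the demo itself stays in bounds. */
void format_error_fixed_copy(const unsigned char name[4], const char *msg, char *out)
{
    size_t o = format_chunk_name(name, out);
    out[o++] = ':'; out[o++] = ' ';
    memcpy(out + o, msg, MSG_COPY_LEN);   /* over-reads when strlen(msg) < 64 */
    out[o + MSG_COPY_LEN] = '\0';
}

/* Bytes beyond the message's NUL that the fixed-size copy reads. */
size_t fixed_copy_overread(const char *msg)
{
    size_t have = strlen(msg) + 1;        /* bytes that actually exist */
    return have < MSG_COPY_LEN ? MSG_COPY_LEN - have : 0;
}

/* Fix in the form the PNG group's patch is described as: strncpy() stops at
 * the source NUL and zero-fills the rest; terminate explicitly anyway. */
void format_error_strncpy(const unsigned char name[4], const char *msg, char *out)
{
    size_t o = format_chunk_name(name, out);
    out[o++] = ':'; out[o++] = ' ';
    strncpy(out + o, msg, MSG_COPY_LEN - 1);
    out[o + MSG_COPY_LEN - 1] = '\0';
}

/* Fix in the form the distro patches are described as: measure, then copy
 * only the bytes that exist, capped so a long message still fits. */
void format_error_strlen_memcpy(const unsigned char name[4], const char *msg, char *out)
{
    size_t o = format_chunk_name(name, out);
    out[o++] = ':'; out[o++] = ' ';
    size_t n = strlen(msg);
    if (n > MSG_COPY_LEN - 1)
        n = MSG_COPY_LEN - 1;
    memcpy(out + o, msg, n);
    out[o + n] = '\0';
}

typedef void (*format_fn)(const unsigned char[4], const char *, char *);
/* Format with fn into a local buffer; 1 if the result equals expected. */
int format_matches(format_fn fn, const unsigned char name[4], const char *msg, const char *expected)
{
    char buf[FMT_BUF_LEN];
    fn(name, msg, buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[FMT_BUF_LEN], padded[MSG_COPY_LEN] = { 0 };
    strcpy(padded, SHORT_MSG);            /* 64-byte source keeps the demo in bounds */
    printf("fixed copy over-reads %zu bytes past \"%s\"\n", fixed_copy_overread(SHORT_MSG), SHORT_MSG);
    format_error_fixed_copy(CHUNK_IHDR, padded, buf);
    puts(buf);                            /* IHDR: invalid data */
    format_error_strncpy(CHUNK_IHDR, SHORT_MSG, buf);
    puts(buf);                            /* IHDR: invalid data */
    format_error_strlen_memcpy(CHUNK_ODD, SHORT_MSG, buf);
    puts(buf);                            /* I[01]D[FF]: invalid data */
    return 0;
}
```

Run it with the fixed-copy variant under AddressSanitizer on an unpadded short message to see the over-read reported; the two bounded variants stay silent, which is the property both patches were after.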

Updated

13 years ago
Flags: blocking1.7?
(Assignee)

Comment 2

13 years ago
Comment on attachment 147883 [details] [diff] [review]
patch for PNG read-out-of-bounds bug in pngerror

tor: r?
Attachment #147883 - Flags: review?(tor)
(Assignee)

Updated

13 years ago
Status: NEW → ASSIGNED

Updated

13 years ago
Flags: blocking1.7? → blocking1.7+

Updated

13 years ago
Attachment #147883 - Flags: superreview+
Attachment #147883 - Flags: review?(tor)
Attachment #147883 - Flags: review+

Comment 3

13 years ago
Checked in on trunk.

Updated

13 years ago
Attachment #147883 - Flags: approval1.7?

Comment on attachment 147883 [details] [diff] [review]
patch for PNG read-out-of-bounds bug in pngerror

a=dveditz for 1.7
Attachment #147883 - Flags: approval1.7? → approval1.7+

Group: security
Sorry for bug spam, setting and clearing security flag so it'll show up on the
right queries
Group: security
Whiteboard: [sg:dos]

Checked in on 1.7 branch
Keywords: fixed1.7

Comment 7

13 years ago
In on trunk/branch - closing.
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
References from CAN-2004-0421
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421):

DEBIAN:DSA-498
http://www.debian.org/security/2004/dsa-498

MANDRAKE:MDKSA-2004:040
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:040

REDHAT:RHSA-2004:180
http://www.redhat.com/support/errata/RHSA-2004-180.html

REDHAT:RHSA-2004:181
http://www.redhat.com/support/errata/RHSA-2004-181.html

BUGTRAQ:20040429 [OpenPKG-SA-2004.017] OpenPKG Security Advisory (png)
http://marc.theaimsgroup.com/?l=bugtraq&m=108334922320309&w=2

TRUSTIX:2004-0025
http://marc.theaimsgroup.com/?l=bugtraq&m=108335030208523&w=2

FEDORA:FEDORA-2004-105
http://marc.theaimsgroup.com/?l=fedora-announce-list&m=108451350029261&w=2

FEDORA:FEDORA-2004-106
http://marc.theaimsgroup.com/?l=fedora-announce-list&m=108451353608968&w=2

libpng-png-dos(16022)
http://xforce.iss.net/xforce/xfdb/16022

Adding Jon Granrose to CC list to help round up QA resources for verification

Comment 10

13 years ago
adding tracy to verify on 1.7
Glenn, can you provide a test case or verify this is fixed in 1.7?
(Assignee)

Comment 12

13 years ago
There is no exploit, to my knowledge, nor any test case.  I have just examined
the source code of a fresh checkout of Moz-1.7 and can verify that the bug has
been fixed.  However, the trunk version of MOZCHANGES wasn't checked in to Moz-1.7.

verified per reporter's comments
Status: RESOLVED → VERIFIED

Updated

13 years ago
Keywords: fixed1.7 → verified1.7
Attachment #147883 - Flags: approval1.4.3?

Comment on attachment 147883 [details] [diff] [review]
patch for PNG read-out-of-bounds bug in pngerror

a=blizzard
Attachment #147883 - Flags: approval1.4.3? → approval1.4.3+
Keywords: fixed1.4.3