PNG out-of-bounds read during error message processing

VERIFIED FIXED

Status


VERIFIED FIXED
15 years ago

People

(Reporter: glennrp+bmo, Assigned: glennrp+bmo)

Tracking

({fixed1.4.3, verified1.7})

Trunk
fixed1.4.3, verified1.7
Points:
---
Bug Flags:
blocking1.7 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos], URL)

Attachments

(1 attachment)

(Assignee)

Description

15 years ago
A bug in pngerror.c has been discovered recently and reported to bugtraq and
various distro mailing lists.  The PNG Group has developed and released a patch
for the bug.  It is highly unlikely that the bug could actually be exploited.
(Assignee)

Comment 1

15 years ago
Created attachment 147883 [details] [diff] [review]
patch for PNG read-out-of-bounds bug in pngerror

Here is a copy of the PNG group's patch.  It uses strncpy() while some distro
vendors are providing a patch that uses strlen() followed by memcpy().  The PNG
group believes that the strncpy solution is more robust.
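An added C example, not the PNG group's patch or Mozilla code, contrasting the two fix strategies this comment compares when an error message is copied into a fixed-size buffer: a strncpy() copy bounded by the destination versus strlen() followed by memcpy(). The buffer size, the put_prefix helper and the function names are assumptions for illustration.

```c
#include <string.h>
/* Hypothetical buffer size standing in for libpng's fixed error-text buffer. */
#define ERROR_TEXT_MAX 32

/* Writes "<chunk>: " into dst and returns the offset where the message starts,
 * always leaving room for at least one message byte plus the terminator. */
static size_t put_prefix(char *dst, size_t dstsize, const char *chunk)
{
    size_t iout = 0;
    for (; chunk[iout] != '\0' && iout + 4 < dstsize; iout++)
        dst[iout] = chunk[iout];
    dst[iout++] = ':';
    dst[iout++] = ' ';
    return iout;
}

/* PNG group's approach: strncpy() stops reading msg once the room in dst is
 * used up, but does not guarantee a terminator, so one is added by hand. */
size_t format_error_strncpy(char *dst, size_t dstsize, const char *chunk, const char *msg)
{
    size_t iout = put_prefix(dst, dstsize, chunk);
    strncpy(dst + iout, msg, dstsize - iout - 1);   /* read bounded by dst */
    dst[dstsize - 1] = '\0';
    return strlen(dst);
}

/* Distro approach: strlen() walks all of msg before any bound is applied,
 * then memcpy() copies the clamped length and terminates explicitly. */
size_t format_error_memcpy(char *dst, size_t dstsize, const char *chunk, const char *msg)
{
    size_t iout = put_prefix(dst, dstsize, chunk);
    size_t len = strlen(msg);                       /* reads to msg's NUL */
    if (len > dstsize - iout - 1)
        len = dstsize - iout - 1;
    memcpy(dst + iout, msg, len);
    dst[iout + len] = '\0';
    return iout + len;
}

/* Constructed over-long message: returns the formatted length if both variants
 * truncate to ERROR_TEXT_MAX - 1 bytes, terminate and agree; 0 otherwise. */
size_t check_overlong_message(void)
{
    char a[ERROR_TEXT_MAX], b[ERROR_TEXT_MAX], msg[100];
    memset(msg, 'x', sizeof msg - 1);
    msg[sizeof msg - 1] = '\0';
    size_t la = format_error_strncpy(a, sizeof a, "IHDR", msg);
    size_t lb = format_error_memcpy(b, sizeof b, "IHDR", msg);
    return (la == ERROR_TEXT_MAX - 1 && la == lb && strcmp(a, b) == 0) ? la : 0;
}
```

Both variants produce the same truncated text; the difference is that strncpy() never reads further into the source than the destination can hold, whereas strlen() must reach the source's terminator first.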

Updated

15 years ago
Flags: blocking1.7?
(Assignee)

Comment 2

15 years ago
Comment on attachment 147883 [details] [diff] [review]
patch for PNG read-out-of-bounds bug in pngerror

tor: r?
Attachment #147883 - Flags: review?(tor)
(Assignee)

Updated

15 years ago
Status: NEW → ASSIGNED

Updated

15 years ago
Flags: blocking1.7? → blocking1.7+

Updated

15 years ago
Attachment #147883 - Flags: superreview+
Attachment #147883 - Flags: review?(tor)
Attachment #147883 - Flags: review+

Comment 3

15 years ago
Checked in on trunk.

Updated

15 years ago
Attachment #147883 - Flags: approval1.7?
Comment on attachment 147883 [details] [diff] [review]
patch for PNG read-out-of-bounds bug in pngerror

a=dveditz for 1.7
Attachment #147883 - Flags: approval1.7? → approval1.7+
Group: security
Sorry for bug spam, setting and clearing security flag so it'll show up on the
right queries
Group: security
Whiteboard: [sg:dos]
Checked in on 1.7 branch
Keywords: fixed1.7

Comment 7

15 years ago
In on trunk/branch - closing.
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
Adding Jon Granrose to CC list to help round up QA resources for verification

Comment 10

15 years ago
adding tracy to verify on 1.7
Glenn, can you provide a test case or verify this is fixed in 1.7?
(Assignee)

Comment 12

15 years ago
There is no exploit, to my knowledge, nor any test case.  I have just examined
the source code of a fresh checkout of Moz-1.7 and can verify that the bug has
been fixed.  However, the trunk version of MOZCHANGES wasn't checked in to Moz-1.7.
verified per reporter's comments
Status: RESOLVED → VERIFIED
Keywords: fixed1.7 → verified1.7
Comment on attachment 147883 [details] [diff] [review]
patch for PNG read-out-of-bounds bug in pngerror

a=blizzard
Attachment #147883 - Flags: approval1.4.3? → approval1.4.3+