A bug in pngerror.c has been discovered recently and reported to bugtraq and various distro mailing lists. The PNG Group has developed and released a patch for the bug. It is highly unlikely that the bug could actually be exploited.
Here is a copy of the PNG group's patch. It uses strncpy() while some distro vendors are providing a patch that uses strlen() followed by memcpy(). The PNG group believes that the strncpy solution is more robust.
Comment on attachment 147883 [details] [diff] [review] patch for PNG read-out-of-bounds bug in pngerror tor: r?
Checked in on trunk.
Comment on attachment 147883 [details] [diff] [review] patch for PNG read-out-of-bounds bug in pngerror a=dveditz for 1.7
Attachment #147883 - Flags: approval1.7? → approval1.7+
Sorry for bug spam, setting and clearing security flag so it'll show up on the right queries
Checked in on 1.7 branch
In on trunk/branch - closing.
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
References from CAN-2004-0421 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421): DEBIAN:DSA-498 http://www.debian.org/security/2004/dsa-498 MANDRAKE:MDKSA-2004:040 http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:040 REDHAT:RHSA-2004:180 http://www.redhat.com/support/errata/RHSA-2004-180.html REDHAT:RHSA-2004:181 http://www.redhat.com/support/errata/RHSA-2004-181.html BUGTRAQ:20040429 [OpenPKG-SA-2004.017] OpenPKG Security Advisory (png) http://marc.theaimsgroup.com/?l=bugtraq&m=108334922320309&w=2 TRUSTIX:2004-0025 http://marc.theaimsgroup.com/?l=bugtraq&m=108335030208523&w=2 FEDORA:FEDORA-2004-105 http://marc.theaimsgroup.com/?l=fedora-announce-list&m=108451350029261&w=2 FEDORA:FEDORA-2004-106 http://marc.theaimsgroup.com/?l=fedora-announce-list&m=108451353608968&w=2 libpng-png-dos(16022) http://xforce.iss.net/xforce/xfdb/16022
Adding Jon Granrose to CC list to help round up QA resources for verification
adding tracy to verify on 1.7
Glenn, can you provide a test case or verify this is fixed in 1.7?
There is no exploit, to my knowledge, nor any test case. I have just examined the source code of a fresh checkout of Moz-1.7 and can verify that the bug has been fixed. However, the trunk version of MOZCHANGES wasn't checked in to Moz-1.7.
verified per reporters comments
Status: RESOLVED → VERIFIED
15 years ago
Attachment #147883 - Flags: approval1.4.3?
Comment on attachment 147883 [details] [diff] [review] patch for PNG read-out-of-bounds bug in pngerror a=blizzard
Attachment #147883 - Flags: approval1.4.3? → approval1.4.3+
15 years ago
You need to log in before you can comment on or make changes to this bug.