Bug 550159
Opened 15 years ago
Closed 15 years ago
libpng: compression bombs
Categories
(Core :: Graphics: ImageLib, defect)
VERIFIED DUPLICATE of bug 497056
People
(Reporter: wolfiR, Unassigned)
Details
(Whiteboard: [sg:dupe 497056])
(haven't found it reported somewhere)
Doesn't seem to be that critical but anyway reporting here.
Name: CVE-2010-0205
The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53,
1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed
ancillary-chunk data that has a disproportionately large uncompressed
representation, which allows remote attackers to cause a denial of service
(memory and CPU consumption, and application hang) via a crafted PNG file, as
demonstrated by use of the deflate compression method on data composed of many
occurrences of the same character, related to a "decompression bomb" attack.
Reference: CERT-VN: http://www.kb.cert.org/vuls/id/576029
Reference: BID: http://www.securityfocus.com/bid/38478
Reference: CONFIRM: http://libpng.sourceforge.net/decompression_bombs.html
Reference: CONFIRM: http://libpng.sourceforge.net/ADVISORY-1.4.1.html
It is also basically public, so there is probably no reason for it to be hidden. Let someone else decide.
Updated•15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Comment 2•15 years ago
Glenn, this is indeed a dupe, correct?
Updated•15 years ago
Whiteboard: [sg:dupe 497056]
Comment 3•15 years ago
Yes, indeed it is a dupe. libpng-1.4.1 was developed specifically to
respond to the original bug #497056.
Wolfgang, just to clarify: the older libpng versions handle the chunk "properly" but very inefficiently. They produce the correct result but it can take a long time.
Mozilla is immune to attacks using highly compressed zTXt or iTXt chunks (or using millions of tEXt chunks) because it ignores them, so only iCCP can be used effectively against Mozilla.
Status: RESOLVED → VERIFIED
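Added example, not part of the bug report and not libpng or Mozilla code: a pre-decode audit that inflates the compressed ancillary chunks named above (iCCP and zTXt, which share a layout; iTXt is left out for brevity) under a hard output cap, so a chunk with a disproportionately large uncompressed form is flagged instead of fully expanded. The 64 KiB budget, the function names and the in-memory sample PNG are assumptions constructed for this illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_OUT = 64 * 1024  # assumed per-chunk output budget, not a libpng default

def chunks(png):
    """Yield (type, data) for each chunk; CRCs are not checked here."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk")
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length

def audit(png, limit=MAX_OUT):
    """Inflate iCCP/zTXt payloads, stopping at limit+1 bytes so memory stays bounded."""
    findings = []
    for ctype, data in chunks(png):
        nul = data.find(b"\x00")
        if ctype not in (b"iCCP", b"zTXt") or nul == -1:
            continue
        stream = data[nul + 2:]  # skip name, NUL and compression-method byte
        try:
            out = zlib.decompressobj().decompress(stream, limit + 1)
            verdict = "over-limit" if len(out) > limit else "ok"
        except zlib.error:
            out, verdict = b"", "corrupt"
        findings.append((ctype.decode(), len(stream), len(out), verdict))
    return findings

def make_chunk(ctype, data):
    crc = struct.pack(">I", zlib.crc32(ctype + data))
    return struct.pack(">I", len(data)) + ctype + data + crc

def sample_png():
    """Constructed sample: 1 MiB of one repeated byte in iCCP, short text in zTXt."""
    parts = [(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)),
             (b"iCCP", b"constructed\x00\x00" + zlib.compress(b"A" * (1 << 20))),
             (b"zTXt", b"Comment\x00\x00" + zlib.compress(b"hello")),
             (b"IDAT", zlib.compress(b"\x00\x00")),
             (b"IEND", b"")]
    return PNG_SIG + b"".join(make_chunk(t, d) for t, d in parts)

if __name__ == "__main__":
    print(audit(sample_png()))
```

Each finding is (chunk type, compressed bytes, bytes inflated before stopping, verdict); an "over-limit" verdict means inflation was cut off one byte past the budget rather than run to completion.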