550159 - libpng: compression bombs

Status: VERIFIED DUPLICATE of bug 497056

(Core :: Graphics: ImageLib, defect)

Description

[Wolfgang Rosenauer [:wolfiR]]

(haven't found it reported somewhere)

Doesn't seem to be that critical but anyway reporting here.

Name: CVE-2010-0205

The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53,
1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed
ancillary-chunk data that has a disproportionately large uncompressed
representation, which allows remote attackers to cause a denial of service
(memory and CPU consumption, and application hang) via a crafted PNG file, as
demonstrated by use of the deflate compression method on data composed of many
occurrences of the same character, related to a "decompression bomb" attack.

Reference: CERT-VN: http://www.kb.cert.org/vuls/id/576029
Reference: BID: http://www.securityfocus.com/bid/38478
Reference: CONFIRM: http://libpng.sourceforge.net/decompression_bombs.html
Reference: CONFIRM: http://libpng.sourceforge.net/ADVISORY-1.4.1.html

It also is public basically so probably no reason to be hidden. Let decide someone else.

Comment 2

[Reed Loden [:reed]]

Glenn, this is indeed a dupe, correct?

Comment 3

[Glenn Randers-Pehrson]

Yes, indeed it is a dupe.  libpng-1.4.1 was developed specifically to
respond to the original bug #497056.

Wolfgang, just to clarify: the older libpng versions handle the chunk "properly" but very inefficiently.  They produce the correct result but it can take a long time.

Mozilla is immune to attacks using highly compressed zTXt or iTXt chunks (or using millions of tEXt chunks) because it ignores them, so only iCCP can be used effectively against mozilla.

Comment 4

[Daniel Veditz [:dveditz]]

might as well unhide so we don't pick up more dupes.