Closed Bug 550159 Opened 15 years ago Closed 15 years ago

libpng: compression bombs

Categories

(Core :: Graphics: ImageLib, defect)

defect
Not set
normal

Tracking

()

VERIFIED DUPLICATE of bug 497056

People

(Reporter: wolfiR, Unassigned)

Details

(Whiteboard: [sg:dupe 497056])

(haven't found it reported somewhere) Doesn't seem to be that critical but anyway reporting here. Name: CVE-2010-0205 The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack. Reference: CERT-VN: http://www.kb.cert.org/vuls/id/576029 Reference: BID: http://www.securityfocus.com/bid/38478 Reference: CONFIRM: http://libpng.sourceforge.net/decompression_bombs.html Reference: CONFIRM: http://libpng.sourceforge.net/ADVISORY-1.4.1.html It also is public basically so probably no reason to be hidden. Let decide someone else.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Glenn, this is indeed a dupe, correct?
Whiteboard: [sg:dupe 497056]
Yes, indeed it is a dupe. libpng-1.4.1 was developed specifically to respond to the original bug #497056. Wolfgang, just to clarify: the older libpng versions handle the chunk "properly" but very inefficiently. They produce the correct result but it can take a long time. Mozilla is immune to attacks using highly compressed zTXt or iTXt chunks (or using millions of tEXt chunks) because it ignores them, so only iCCP can be used effectively against mozilla.
Status: RESOLVED → VERIFIED
might as well unhide so we don't pick up more dupes.
Group: core-security
You need to log in before you can comment on or make changes to this bug.