=====================================================================
CERT-Renater Information Note No. 2010/VULN239
_____________________________________________________________________

DATE                 : 29/06/2010
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running libpng prior to 1.4.3, 1.2.44.
======================================================================

http://www.libpng.org/pub/png/libpng.html
http://sourceforge.net/mailarchive/message.php?msg_name=AANLkTimXyyBWInmVHWUR1sGrv2r94OVpqmLm-0gx6Cgi%40mail.gmail.com
______________________________________________________________________

libpng

libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over 15 years. The home site for development versions (i.e., versions that may be buggy, subject to change, or include experimental features) is http://libpng.sourceforge.net/, and the place to go for questions about the library is the png-mng-implement mailing list.

libpng is available as ANSI C (C89) source code and requires zlib 1.0.4 or later (1.2.3 or later recommended for performance and security reasons).

The current public release, libpng 1.4.3, contains fixes for two potential security issues:

Vulnerability Warning

Several versions of libpng through 1.4.2 (and through 1.2.43 in the older series) contain a bug whereby progressive applications such as web browsers (or the rpng2 demo app included in libpng) could receive an extra row of image data beyond the height reported in the header, potentially leading to an out-of-bounds write to memory (depending on how the application is written) and the possibility of execution of an attacker's code with the privileges of the libpng user (including remote compromise in the case of a libpng-based browser visiting a hostile web site). This vulnerability has been assigned ID CVE-2010-1205 (via Mozilla).
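The application-side defence against the extra-row behaviour described above is to bound every row write by the height taken from the header, which is the check the advisory notes that the updated example.c no longer needs once the library itself stops delivering extra rows. The following is an added illustration, not code from libpng or CERT-Renater: `image_buf`, `store_row`, `consume_rows` and `extra_rows_dropped` are assumed names, the row callback only models the role of a libpng progressive-read row callback, and the decoder handing over one row too many is simulated with constructed pixel data.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed example: the buffer a progressive PNG consumer allocates
 * from the IHDR height before any row callback fires. */
typedef struct {
    unsigned width, height, channels;   /* taken from the header */
    unsigned char *pixels;              /* width * height * channels bytes */
    unsigned rows_rejected;             /* rows refused: row_num >= height */
} image_buf;

/* Hypothetical row callback playing the role of a libpng progressive-read
 * row callback: the library hands over one decoded row plus its index.
 * Returns 1 if stored, 0 if the row lies beyond the header height. */
int store_row(image_buf *img, unsigned row_num, const unsigned char *row)
{
    size_t row_bytes = (size_t)img->width * img->channels;
    /* Bound every write by the header height instead of trusting the
     * decoder to deliver exactly `height` rows. */
    if (row_num >= img->height) { img->rows_rejected++; return 0; }
    memcpy(img->pixels + (size_t)row_num * row_bytes, row, row_bytes);
    return 1;
}

/* Simulates a decoder that emits `extra` rows past the header height
 * (the behaviour the advisory describes); returns rows actually stored. */
unsigned consume_rows(image_buf *img, unsigned extra)
{
    size_t row_bytes = (size_t)img->width * img->channels;
    unsigned char *row = malloc(row_bytes);
    unsigned stored = 0, r;
    if (row == NULL) return 0;
    for (r = 0; r < img->height + extra; r++) {
        memset(row, (int)(r & 0xff), row_bytes);  /* constructed pixel data */
        stored += (unsigned)store_row(img, r, row);
    }
    free(row);
    return stored;
}

/* Feeds a constructed 4-pixel-wide RGB image of `height` rows a stream of
 * height+extra rows; returns how many rows the callback refused. */
unsigned extra_rows_dropped(unsigned height, unsigned extra)
{
    image_buf img = { 4, height, 3, NULL, 0 };
    img.pixels = calloc((size_t)img.width * img.height, img.channels);
    if (img.pixels == NULL) return 0;
    consume_rows(&img, extra);
    free(img.pixels);
    return img.rows_rejected;
}
```

Without the `row_num >= img->height` check, the `memcpy` for the extra row would land one full row past the end of `pixels`, which is the out-of-bounds write the warning refers to.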
An additional memory-leak bug, involving images with malformed sCAL chunks, is also present; it could lead to an application crash (denial of service) when viewing such images. Both bugs are fixed in versions 1.4.3 and 1.2.44, released 25 June 2010. See the bottom of this page for warnings about other security and crash bugs in versions up through libpng 1.2.36.

In addition to the main library sources, both the 1.4.x series and the older libpng 1.2.43 include the rpng, rpng2 and wpng demo programs, the pngminus demo program, a subset of Willem van Schaik's PngSuite test images, and Willem's VisualPng demo program.
__________________________________________________________________________

libpng-1.4.3 and 1.2.44 are available from
ftp://ftp.simplesystems.org/pub/png/src
and from
http://libpng.sf.net
and libpng-1.5.0beta31 is available from
ftp://ftp/simplesystems.org/pub/png-group/src

Changes include

  Added missing quotation marks in the aix block of configure.ac
  The new "vstudio" project was missing from the zip and 7z distributions.
  Rewrote png_process_IDAT_data to consistently treat extra data as warnings and handle end conditions more cleanly.
  Removed the now-redundant check for out-of-bounds new_row from example.c
  Changed char *msg to PNG_CONST char *msg in pngrutil.c
  Stop memory leak when reading a malformed sCAL chunk.

Glenn
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44    +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41    +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================