oss-sec mailing list archives

Re: CVE Request: libpng memory leak

From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Mon, 28 Mar 2011 11:00:00 -0400 (EDT)


On Tue, 22 Mar 2011, Ludwig Nussel wrote:

libpng has this in it's changelog¹:
version 1.2.39beta05 [August 1, 2009]
 Reject attempt to write iCCP chunk with negative embedded profile length
   (JD Chen)

As it turned out this fixes a DoS (memory consumption on x86_64 and
a segfault on i386) if e.g. GraphicsMagick is used to convert certain
jpeg files to png.
The bug was introduced in 1.2.13beta1:
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=0ff85c6923d2c4fca4ac0bad28e387e3b1777d7a#patch19

Then an incomplete attempt to fix it in 1.2.15beta3, due tohttp://bugs.gentoo.org/159216:

http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=948ee23a2a400672b1751cfc646a7467741e9b2e#patch18


This gets CVE-2006-7244

And finally fixed in 1.2.39beta5:
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=9e88fcd58c8ce7f2183bc2045e5180cba0043f09#patch19

Since CVE-2006-7244 was a partial fix, this final fix should probably getits own ID.


So, use CVE-2009-5063.

- Steve

Current thread:

CVE Request: libpng memory leak Ludwig Nussel (Mar 22)
- Re: CVE Request: libpng memory leak Steven M. Christey (Mar 28)