Re: [png-mng-implement] [oss-security] CVE Request -- libpng v1.4.3 and v1.2.44 -- memory leak while processing PNG image with malformed sCAL chunks

[Glenn Randers-Pehrson <glennrp () gmail com>]

I did not intend to reveal the "crashing PNG" before
Firefox 3.5.7 had been released.

Glenn

On Mon, Jul 5, 2010 at 7:32 AM, Marcus Meissner <meissner () suse de> wrote:
> On Wed, Jun 30, 2010 at 05:22:40PM +0200, Marcus Meissner wrote:
> > On Mon, Jun 28, 2010 at 04:26:06PM -0400, Josh Bressers wrote:
> > > ----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:
> > >
> > > > Hi Steve, vendors,
> > > >
> > > >    libpng upstream has released latest v1.4.3 and v1.2.44 versions,
> > > > addressing two
> > > > security issues:
> > > > [a], out-of-bounds write to memory -- this already got a CVE id of
> > > > "CVE-2010-1205",
> > > > [b], memory-leak bug, involving images with malformed sCAL chunks,
> > > > which could
> > > >     lead to an application crash.
> > > >
> > > > References:
> > > >    [1] http://www.libpng.org/pub/png/libpng.html
> > > >    [2] https://bugzilla.redhat.com/show_bug.cgi?id=608644
> > > >
> > > > Steve, could you allocate a CVE id for the [b] issue?
> > >
> > > Please use CVE-2010-2249 for issue [b].
> >
> > oss-sec, png-mng-implement ... do you have testimages or a reproducer for the sCAL issue?
> >
> > It would be helpful for our QA :/
>
> As found on:
> http://code.google.com/p/chromium/issues/detail?id=45983
>
> The sample crashing PNG is:
> http://www.ee.oulu.fi/~aki/spark.png
>
> Ciao, Marcus
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> png-mng-implement mailing list
> png-mng-implement () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/png-mng-implement