Re: CVE Request: libpng 1.6.15 Heap Overflow

[endeavor <endeavor () rainbowsandpwnies com>]

I thought it might be helpful to add some additional clarity to this bug.
There were two bugs patched in the latest updates to libpng. The first 
bug is an overflow in png_read_IDAT_data, and is triggerable due to 
checks on image width that were removed a while ago in libpng branches 
1.6.x and 1.5.x. This is the bug against which the following write up 
applies: http://tfpwn.com/files/libpng_heap_overflow_1.6.15.txt .
While fixing this bug, John Bowler found a second, unrelated overflow in 
png_combine_row. His mailing list post on that bug is found here: 
http://sourceforge.net/p/png-mng/mailman/message/33172831/ . It looks 
like CVE-2014-9495 was assigned against this bug, but attributed to me 
by accident.
As the fixes to either bug don't fix the other, there are actually two 
overflows that need to be tracked for libpng. People backporting changes 
should ensure they fix both bugs.
Both of these bugs are evidence of a larger issue in libpng 1.6.x and 
1.5.x. Those branches allow abnormally large width and height values. On 
64-bit platforms, widths and heights of 0x7fffffff are still allowed. 
Somewhat smaller, but abnormally large widths, and still very large 
heights, are available on 32-bit platforms. The 1.2.x branch only allows 
for the safer values.
Safe limits can be enabled in these libpng branches with 
-DPNG_SAFE_LIMITS_SUPPORTED. These limits are not enabled by default.
http://sourceforge.net/p/libpng/code/ci/libpng-1.6.16-signed/tree/pngpriv.h#l300
I very strongly recommend individuals building libpng 1.5.x and 1.6.x 
use PNG_SAFE_LIMITS_SUPPORTED.
- Alex Eubanks

On 1/3/2015 6:05 PM, cve-assign () mitre org wrote:
> > I am requesting a CVE for a heap-overflow in libpng 1.6.15. It's my
> > understanding that versions 1.6.9-1.6.15 are vulnerable, and 
> > according to
> > patch notes it looks like some revisions in the 1.5 branch may have been
> > affected as well. However, I've only tested 1.6.15 and can only speak 
> > for
> > it.
> >
> > Link to announcement of new version:
> > http://sourceforge.net/p/png-mng/mailman/message/33173461/
> >
> > Link to a description of the vulnerability:
> > http://tfpwn.com/files/libpng_heap_overflow_1.6.15.txt
> >
> > Please let me know!
>
> Use CVE-2014-9495.
>
> ---
>
> CVE assignment team, MITRE CVE Numbering Authority M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]