oss-sec mailing list archives
Re: CVE request - read underflow in libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c)
From: cve-assign () mitre org
Date: Fri, 11 Dec 2015 10:36:02 -0500 (EST)
> There is an underflow read in png_check_keyword in pngwutil.c in libpng-1.2.54.
> If the data of "key" is only ' ' (0x20), it will read a byte before the buffer at line 1288.
> It also impacts libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25.
> The bug was introduced in libpng-0.90, was fixed in libpng-1.6.0, and will be fixed in libpng-1.0.66, 1.2.56, 1.4.19, and 1.5.26.
> https://sourceforge.net/p/libpng/bugs/244/
This says the problem was on a "1288 while (kp == ' ')" line, but that seems very confusing because that line doesn't appear to be present in libpng-1.2.54 or any other version. As far as we can tell, the unpatched code has

    while (*kp == ' ')

and the patched code has

    while (key_len && *kp == ' ')

See http://sourceforge.net/p/libpng/code/ci/d9006f683c641793252d92254a75ae9b815b42ed/

Use CVE-2015-8540.

Any instance of "kp ==" instead of "*kp ==" would have been a different type of problem, but we don't think that problem ever occurred.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
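The trailing-space loop the thread discusses, as an added example that is not libpng's own code: `trim_trailing_spaces` and `trimmed_len` are hypothetical names that model the patched `while (key_len && *kp == ' ')` loop from the commit, with the unguarded form shown in a comment, and the sample keywords are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not libpng's own source: a stand-in for the trailing-space
 * removal step of png_check_keyword() in pngwutil.c. The keyword is edited in
 * place and the new length is returned.
 *
 * The unpatched loop, as described in the thread, was
 *     while (*kp == ' ') { *(kp--) = '\0'; key_len--; }
 * so an all-spaces keyword walks kp back past the buffer and reads the byte
 * before it. The key_len guard below short-circuits before that read.
 */
size_t trim_trailing_spaces(char *key, size_t key_len)
{
    char *kp;
    if (key_len == 0)
        return 0;
    kp = key + key_len - 1;
    if (*kp == ' ') {
        /* libpng warns "trailing spaces removed from keyword" here. */
        while (key_len && *kp == ' ') {   /* patched form of the loop */
            *(kp--) = '\0';
            key_len--;
        }
    }
    return key_len;
}

/* Copies src into out (if it fits) and returns the trimmed length. */
size_t trimmed_len(const char *src, char *out, size_t out_sz)
{
    size_t n = strlen(src);
    if (n + 1 > out_sz)
        return (size_t)-1;
    memcpy(out, src, n + 1);
    return trim_trailing_spaces(out, n);
}

int main(void)
{
    /* Constructed sample keywords, including the all-spaces case. */
    const char *samples[] = { "Title", "Comment   ", "   ", "" };
    char buf[80];
    for (size_t i = 0; i < 4; i++) {
        size_t n = trimmed_len(samples[i], buf, sizeof buf);
        printf("\"%s\" -> \"%s\" (len %zu)\n", samples[i], buf, n);
    }
    return 0;
}
```

Run it under AddressSanitizer with the guard removed and the all-spaces case is reported as a read one byte before `buf`; with the guard it finishes with length 0.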