Debian Bug report logs - #476669
libpng: CVE-2008-1382 denial of service and possibly code execution

version graph

Package: libpng; Maintainer for libpng is Anibal Monsalve Salazar <anibal@debian.org>;

Reported by: Nico Golde <nion@debian.org>

Date: Fri, 18 Apr 2008 11:06:04 UTC

Severity: grave

Tags: security

Found in versions 1.0.18-1, 1.2.15~beta5-1, 1.2.15~beta5-3

Fixed in version 1.2.26-1

Done: Anibal Monsalve Salazar <anibal@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#476669; Package libpng. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: libpng: CVE-2008-1382 denial of service and possibly code execution
Date: Fri, 18 Apr 2008 13:03:22 +0200
[Message part 1 (text/plain, inline)]
Package: libpng
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libpng.


CVE-2008-1382[0]:
| libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01
| through 1.4.0beta19 allows context-dependent attackers to cause a
| denial of service (crash) and possibly execute arbitrary code via a
| PNG file with zero length "unknown" chunks, which trigger an access of
| uninitialized memory.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382
    http://security-tracker.debian.net/tracker/CVE-2008-1382

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#476669; Package libpng. Full text and rfc822 format available.

Acknowledgement sent to Aníbal Monsalve Salazar <anibal@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. Full text and rfc822 format available.

Message #10 received at 476669@bugs.debian.org (full text, mbox):

From: Aníbal Monsalve Salazar <anibal@debian.org>
To: 476669@bugs.debian.org
Subject: Re: Bug#476669: libpng: CVE-2008-1382 denial of service and possibly code execution
Date: Sat, 19 Apr 2008 17:13:29 +1000
[Message part 1 (text/plain, inline)]
On Fri, Apr 18, 2008 at 07:07:00PM -0400, Glenn Randers-Pehrson wrote:
>I don't think we need to delay the scheduled 21 April release of
>>libpng-1.2.27rc1 and 30 April release of libpng-1.2.27 for this,
>unless problems turn up in the next couple of days.

CVE-2008-1382 will be fixed with libpng-1.2.27 and upstream plans to
release libpng-1.2.27 on 30 April.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#476669; Package libpng. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. Full text and rfc822 format available.

Message #15 received at 476669@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Aníbal Monsalve Salazar <anibal@debian.org>, 476669@bugs.debian.org
Subject: Re: Bug#476669: libpng: CVE-2008-1382 denial of service and possibly code execution
Date: Sat, 19 Apr 2008 13:22:38 +0200
[Message part 1 (text/plain, inline)]
Hi Aníbal,
* Aníbal Monsalve Salazar <anibal@debian.org> [2008-04-19 12:51]:
> On Fri, Apr 18, 2008 at 07:07:00PM -0400, Glenn Randers-Pehrson wrote:
> >I don't think we need to delay the scheduled 21 April release of
> >>libpng-1.2.27rc1 and 30 April release of libpng-1.2.27 for this,
> >unless problems turn up in the next couple of days.
> 
> CVE-2008-1382 will be fixed with libpng-1.2.27 and upstream plans to
> release libpng-1.2.27 on 30 April.

What about patching 1.2.15~beta5-3?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#476669; Package libpng. Full text and rfc822 format available.

Acknowledgement sent to Aníbal Monsalve Salazar <anibal@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. Full text and rfc822 format available.

Message #20 received at 476669@bugs.debian.org (full text, mbox):

From: Aníbal Monsalve Salazar <anibal@debian.org>
To: Nico Golde <nion@debian.org>, 476669@bugs.debian.org
Subject: Re: Bug#476669: libpng: CVE-2008-1382 denial of service and possibly code execution
Date: Mon, 21 Apr 2008 16:54:11 +1000
[Message part 1 (text/plain, inline)]
package libpng
block 476669 by 469126
401467 + pending
404514 + pending
431202 + pending
469126 + pending
476669 + pending
thanks

On Sat, Apr 19, 2008 at 01:22:38PM +0200, Nico Golde wrote:
>Hi Aníbal,
>*Aníbal Monsalve Salazar <anibal@debian.org> [2008-04-19 12:51]:
>>On Fri, Apr 18, 2008 at 07:07:00PM -0400, Glenn Randers-Pehrson wrote:
>>>I don't think we need to delay the scheduled 21 April release of
>>>>libpng-1.2.27rc1 and 30 April release of libpng-1.2.27 for this,
>>>unless problems turn up in the next couple of days.
>> 
>>CVE-2008-1382 will be fixed with libpng-1.2.27 and upstream plans to
>>release libpng-1.2.27 on 30 April.
>
>What about patching 1.2.15~beta5-3?

I can't patch 1.2.15~beta5-3, see http://bugs.debian.org/469126

However, I'm currently testing 1.2.26 with the diff between
1.2.26 and 1.2.27beta05 which includes the fix for CVE-2008-1382.

>Cheers
>Nico
>-- 
>Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
>For security reasons, all text in this mail is double-rot13 encrypted.
[signature.asc (application/pgp-signature, inline)]

Blocking bugs of 476669 added: 469126 Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Mon, 21 Apr 2008 07:15:02 GMT) Full text and rfc822 format available.

Tags added: pending Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Mon, 21 Apr 2008 07:36:11 GMT) Full text and rfc822 format available.

Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #29 received at 476669-close@bugs.debian.org (full text, mbox):

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 476669-close@bugs.debian.org
Subject: Bug#476669: fixed in libpng 1.2.26-1
Date: Mon, 21 Apr 2008 09:32:05 +0000
Source: libpng
Source-Version: 1.2.26-1

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.26-1_alpha.udeb
  to pool/main/libp/libpng/libpng12-0-udeb_1.2.26-1_alpha.udeb
libpng12-0_1.2.26-1_alpha.deb
  to pool/main/libp/libpng/libpng12-0_1.2.26-1_alpha.deb
libpng12-dev_1.2.26-1_alpha.deb
  to pool/main/libp/libpng/libpng12-dev_1.2.26-1_alpha.deb
libpng3_1.2.26-1_all.deb
  to pool/main/libp/libpng/libpng3_1.2.26-1_all.deb
libpng_1.2.26-1.diff.gz
  to pool/main/libp/libpng/libpng_1.2.26-1.diff.gz
libpng_1.2.26-1.dsc
  to pool/main/libp/libpng/libpng_1.2.26-1.dsc
libpng_1.2.26.orig.tar.gz
  to pool/main/libp/libpng/libpng_1.2.26.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 476669@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 20 Apr 2008 18:22:32 +1000
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source alpha all
Version: 1.2.26-1
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Closes: 401467 404514 431202 469126 476669
Changes: 
 libpng (1.2.26-1) unstable; urgency=high
 .
   * New upstream release. Closes: #431202
   * Use quilt
     Add 01-legacy.diff
   * Fix CVE-2008-1382 denial of service and possibly code execution
     Add 02-476669-CVE-2008-1382.diff
     Closes: #476669
   * Fix URL in png.5. Closes: #404514
     Add 03-404514-png.5.diff
   * Move examples to libpng12-dev. Closes: #401467
   * Fix "libpng (<= 1.2.20) contains grey-licensed code". Closes: #469126
   * Fix the following lintian issues:
     W: libpng source: debian-rules-ignores-make-clean-error line 37
     W: libpng source: substvar-source-version-is-deprecated libpng12-dev
     W: libpng source: out-of-date-standards-version 3.7.2 (current is 3.7.3)
     W: libpng12-0-udeb udeb: description-contains-homepage
     W: libpng3: description-contains-homepage
     W: libpng12-dev: description-contains-homepage
     W: libpng12-0: package-contains-empty-directory usr/bin/
     W: libpng12-0: package-contains-empty-directory usr/sbin/
     W: libpng12-0: description-contains-homepage
     W: libpng12-0: doc-base-unknown-section libpng12:22 Apps/Programming
Checksums-Sha1: 
 c555adcf397a9bf11a96b90b82887e55b372fd47 1150 libpng_1.2.26-1.dsc
 4bcd9ccddc9cd5d0b0bd507863a906b38e34f407 834150 libpng_1.2.26.orig.tar.gz
 a6948d3a0e3c0882130e62202fc13e55b63bcd14 16958 libpng_1.2.26-1.diff.gz
 8dbdc01748d85751b3541ac971b9213720d93f13 181232 libpng12-0_1.2.26-1_alpha.deb
 71a563dc128fbdf849aa94e2cf7509aa020b1ceb 285866 libpng12-dev_1.2.26-1_alpha.deb
 710dc24cc385fc12c0d6509323edf31fe9a21389 876 libpng3_1.2.26-1_all.deb
 ab6a9cecdce84ef246ba6030be17d024032fd0c9 86648 libpng12-0-udeb_1.2.26-1_alpha.udeb
Checksums-Sha256: 
 6d96ea9c59fa2393ecf4210d5a2435ed2fd0223d3e1850be7fd851af17057542 1150 libpng_1.2.26-1.dsc
 41c0dbf10ba027664e64798d4306dc9670784953bd04297e8fadf00e98691a1f 834150 libpng_1.2.26.orig.tar.gz
 83edd79816bcafff8a3cb4eee09aa69c69f43e94a26b455320640b77617829c1 16958 libpng_1.2.26-1.diff.gz
 dd6183578a5014935cee5d153b89adde11d03e43285c4b06f4283feea53e976b 181232 libpng12-0_1.2.26-1_alpha.deb
 1d4ee438f252091f9ab40b171f01aae4fdc6a5d4ebe62d73a699e0ba248f6201 285866 libpng12-dev_1.2.26-1_alpha.deb
 f2a6f9cb8d1e325ece3a2ce2ac62987b021a29314af4d355b102031a848333f8 876 libpng3_1.2.26-1_all.deb
 0ad2718de01023a520e0b0ae1050e9f197c6d30c65c480f3ba4c33507351d47d 86648 libpng12-0-udeb_1.2.26-1_alpha.udeb
Files: 
 7211eb44c433eca2cdda222c40f2ad3c 1150 libs optional libpng_1.2.26-1.dsc
 160b9d93c84317909e0fa6703b27498d 834150 libs optional libpng_1.2.26.orig.tar.gz
 339425ff67b302ec7b1732f761d0c3da 16958 libs optional libpng_1.2.26-1.diff.gz
 8fc590b5cbc50c98d5447f65e357419a 181232 libs optional libpng12-0_1.2.26-1_alpha.deb
 0cdd7b2906aa4d783a436f815e243296 285866 libdevel optional libpng12-dev_1.2.26-1_alpha.deb
 fa3f512bb4b87a70ce436e3613c2a34e 876 oldlibs optional libpng3_1.2.26-1_all.deb
 131b684dbb55cef213d1b93495456d39 86648 debian-installer extra libpng12-0-udeb_1.2.26-1_alpha.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIDFv5gY5NIXPNpFURAs9DAKCq79sUFn3iZpjEY8+I7NKD5xywewCeNZTK
muxQCD3ZhgWVyhAF2LxSqbo=
=fnVS
-----END PGP SIGNATURE-----





Bug marked as found in version 1.0.18-1. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Sun, 27 Apr 2008 09:06:04 GMT) Full text and rfc822 format available.

Bug marked as found in version 1.2.15~beta5-1. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Sun, 27 Apr 2008 09:06:05 GMT) Full text and rfc822 format available.

Bug marked as found in version 1.2.15~beta5-3. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Sun, 27 Apr 2008 09:06:06 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 09:49:36 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 03:04:11 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.