Debian Bug report logs - #512665
CVE-2008-5907: png_check_keyword might allow context-dependent attackers to set the value of an arbitrary memory location to zero

version graph

Package: libpng; Maintainer for libpng is Anibal Monsalve Salazar <anibal@debian.org>;

Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Thu, 22 Jan 2009 17:15:01 UTC

Severity: normal

Tags: security

Found in version libpng/1.2.15~beta5-1

Fixed in versions 1.2.27-2+lenny1, 1.2.35-1

Done: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#512665; Package libpng. (Thu, 22 Jan 2009 17:15:03 GMT) Full text and rfc822 format available.

Message #3 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2008-5907: png_check_keyword might allow context-dependent attackers to set the value of an arbitrary memory location to zero
Date: Thu, 22 Jan 2009 11:13:07 -0600
[Message part 1 (text/plain, inline)]
Source: libpng
Version: 	1.2.15~beta5-1
Severity: normal
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
horde3.

CVE-2008-5907[1]:
> The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and
> 1.2.x before 1.2.34, might allow context-dependent attackers to set the
> value of an arbitrary memory location to zero via vectors involving
> creation of crafted PNG files with keywords, related to an implicit cast of
> the '\0' character constant to a NULL pointer. NOTE: some sources
> incorrectly report this as a double free vulnerability.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907
     http://security-tracker.debian.net/tracker/CVE-2008-5907

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#512665; Package libpng. (Sat, 14 Mar 2009 21:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sat, 14 Mar 2009 21:00:02 GMT) Full text and rfc822 format available.

Message #8 received at 512665@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 512665@bugs.debian.org, 516256@bugs.debian.org, team@security.debian.org
Subject: libpng: proposed NMU to fix CVE-2008-5907 and CVE-2009-0040 in lenny
Date: Sat, 14 Mar 2009 21:59:04 +0100
[Message part 1 (text/plain, inline)]
Hi,

I've prepared a NMU to fix CVE-2008-5907 and CVE-2009-0040 in libpng.


Proposed debdiff in attachment.

Cheers,
Giuseppe.
[libpng_1.2.27-2lenny1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>:
You have taken responsibility. (Tue, 14 Jun 2011 00:09:08 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Tue, 14 Jun 2011 00:09:08 GMT) Full text and rfc822 format available.

Message #13 received at 512665-done@bugs.debian.org (full text, mbox):

From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
To: 512665-done@bugs.debian.org
Subject: Re: CVE-2008-5907: png_check_keyword might allow context-dependent attackers to set the value of an arbitrary memory location to zero
Date: Tue, 14 Jun 2011 00:07:41 +0000
Source: libpng
Version: 1.2.27-2+lenny1

Hi,

This bug already closed in libpng 1.2.27-2+lenny1.

libpng (1.2.27-2+lenny1) stable-security; urgency=high

   * Non-maintainer upload.
   * debian/patches/03-CVE-2008-5907.diff: update pngwutil.c to properly set
     new_key to NULL string. (CVE-2008-5907) (Closes: #512665)
   * debian/patches/04-CVE-2009-0040.diff: initialize pointers in pngread.c,
     pngrtans.c, pngset.c and example.c (CVE-2009-0040) (Closes: #516256)
 -- Giuseppe Iuculano <giuseppe@iuculano.it>  Sat, 14 Mar 2009 21:31:31 +0100

I close this bug.

Best regards,
  Nobuhiro




Marked as fixed in versions 1.2.35-1. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Sun, 23 Sep 2012 21:03:07 GMT) Full text and rfc822 format available.

Bug archived. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Sun, 23 Sep 2012 21:03:08 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:57:13 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.