Debian Bug report logs - #516256
[SA33970] libpng Uninitialised Pointer Arrays Vulnerability

version graph

Package: libpng; Maintainer for libpng is Anibal Monsalve Salazar <anibal@debian.org>;

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Fri, 20 Feb 2009 07:21:01 UTC

Severity: serious

Tags: security

Found in versions 1.2.33-2, 1.2.27-2

Fixed in version libpng/1.2.35-1

Done: Anibal Monsalve Salazar <anibal@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#516256; Package libpng. (Fri, 20 Feb 2009 07:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Anibal Monsalve Salazar <anibal@debian.org>. (Fri, 20 Feb 2009 07:21:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [SA33970] libpng Uninitialised Pointer Arrays Vulnerability
Date: Fri, 20 Feb 2009 08:17:23 +0100
Package: libpng
Version: 1.2.33-2
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The following SA (Secunia Advisory) id was published for libpng:

SA33970[1]

> DESCRIPTION:
> A vulnerability has been reported in libpng, which can be exploited
> by malicious people to cause a DoS (Denial of Service) or to
> potentially compromise an application using the library.
> 
> The vulnerability is caused due to the library improperly
> initialising certain pointer arrays prior to freeing array elements
> in case the application runs out of memory. This can potentially be
> exploited to cause a memory corruption via a specially crafted PNG
> file.
> 
> Successful exploitation may allow execution of arbitrary code.
> 
> The vulnerability is reported in versions prior to 1.0.43 and 1.2.35.
> 
> SOLUTION:
> Update to version 1.0.43 or 1.2.35.
> 
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits Tavis Ormandy.
> 
> ORIGINAL ADVISORY:
> http://sourceforge.net/mailarchive/message.php?msg_name=e56ccc8f0902181726i200f4bf0n20d919473ec409b7%40mail.gmail.com

If you fix the vulnerability please also make sure to include the CVE id
(if available) in the changelog entry.

[1]http://secunia.com/advisories/33970/

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmeWP0ACgkQNxpp46476ard4ACglM1D7zbtmMmwPFIOMdTNqv4o
hPIAniyEtTJQdNb2NaH6J1ZNSj9qDx0a
=c6uu
-----END PGP SIGNATURE-----




Bug marked as found in version 1.2.27-2. Request was from AnĂ­bal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Sat, 21 Feb 2009 09:39:19 GMT) Full text and rfc822 format available.

Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. (Sat, 21 Feb 2009 09:48:16 GMT) Full text and rfc822 format available.

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sat, 21 Feb 2009 09:48:16 GMT) Full text and rfc822 format available.

Message #12 received at 516256-close@bugs.debian.org (full text, mbox):

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 516256-close@bugs.debian.org
Subject: Bug#516256: fixed in libpng 1.2.35-1
Date: Sat, 21 Feb 2009 09:32:04 +0000
Source: libpng
Source-Version: 1.2.35-1

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.35-1_amd64.udeb
  to pool/main/libp/libpng/libpng12-0-udeb_1.2.35-1_amd64.udeb
libpng12-0_1.2.35-1_amd64.deb
  to pool/main/libp/libpng/libpng12-0_1.2.35-1_amd64.deb
libpng12-dev_1.2.35-1_amd64.deb
  to pool/main/libp/libpng/libpng12-dev_1.2.35-1_amd64.deb
libpng3_1.2.35-1_all.deb
  to pool/main/libp/libpng/libpng3_1.2.35-1_all.deb
libpng_1.2.35-1.diff.gz
  to pool/main/libp/libpng/libpng_1.2.35-1.diff.gz
libpng_1.2.35-1.dsc
  to pool/main/libp/libpng/libpng_1.2.35-1.dsc
libpng_1.2.35.orig.tar.gz
  to pool/main/libp/libpng/libpng_1.2.35.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 516256@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 21 Feb 2009 15:50:52 +1100
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source all amd64
Version: 1.2.35-1
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Closes: 486415 516256
Changes: 
 libpng (1.2.35-1) unstable; urgency=high
 .
   * New upstream release
     - http://secunia.com/advisories/33970/
       Fix a vulnerability reported by Tavis Ormandy in which
       some arrays of pointers are not initialized prior to using
       "malloc" to define the pointers.
       Closes: #516256
     - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5907
       The png_check_keyword function in pngwutil.c in libpng, might
       allow context-dependent attackers to set the value of an
       arbitrary memory location to zero via vectors involving
       creation of crafted PNG files with keywords, related to an
       implicit cast of the '\0' character constant to a NULL pointer.
   * Don't build libpng3 when binary-indep target is not called.
     Closes: #486415
Checksums-Sha1: 
 1a3536998ef0531bfd243a92ee0844ff841661f5 1172 libpng_1.2.35-1.dsc
 b57475ab05f8c2da1ad440cbd5b007e623f1f360 802267 libpng_1.2.35.orig.tar.gz
 0c0e691e43f7b3f0793b7e5afb4c8faf467e8374 14811 libpng_1.2.35-1.diff.gz
 29e58340cc355c2626ee84259f9c08f7e3c9dcb0 878 libpng3_1.2.35-1_all.deb
 9cd88243bfb929babcdc8ede5b3b3b2a27bcda39 169370 libpng12-0_1.2.35-1_amd64.deb
 dc64f52fe6ca1911c9747be2e4acf642dfe30d5e 259142 libpng12-dev_1.2.35-1_amd64.deb
 b4ec03785eb6a0c55b945abfba2cd572e8fd9fcd 71912 libpng12-0-udeb_1.2.35-1_amd64.udeb
Checksums-Sha256: 
 4e14341176c33ac6785dc67db34c6d3665d44d84a7afbee5a9dd4db3b92cf1c6 1172 libpng_1.2.35-1.dsc
 1da5c80096e8a014911e00fab4661c0f77ce523ae4d41308815f307ee709fc7f 802267 libpng_1.2.35.orig.tar.gz
 ce62062778b629e0f58f9b8922a21949a9be165d2125c1c8133c1b6510577d32 14811 libpng_1.2.35-1.diff.gz
 1d2dea1f7ecac465d55a4de34d2350f1c4c94452dec120f51bb100e165b679fd 878 libpng3_1.2.35-1_all.deb
 b2a1eb183650eb0cc17b16c2d6e4f62dc16afa1a103385fa8cf3a970aaa47ea1 169370 libpng12-0_1.2.35-1_amd64.deb
 bef5be75f3ce1912c231474a9c229ead7d7c61c6a90dd42ab312470235dd2ac4 259142 libpng12-dev_1.2.35-1_amd64.deb
 39baaa330b2c04fa680e6c5d6b2f558b3f0c4b6c0ca104b9e049157f0c435e5e 71912 libpng12-0-udeb_1.2.35-1_amd64.udeb
Files: 
 bbbe4f30595ec66790e7d3f54f67a17b 1172 libs optional libpng_1.2.35-1.dsc
 8ca6246930a57d5be7adc7c4e7fb5e00 802267 libs optional libpng_1.2.35.orig.tar.gz
 dcfc7a5ce5ed9e6cc8875328f1d0b707 14811 libs optional libpng_1.2.35-1.diff.gz
 ca1fe8f6e06dbc852b2a096c962fd04d 878 oldlibs optional libpng3_1.2.35-1_all.deb
 a66c02034b86eb31ef18cc9073b0258b 169370 libs optional libpng12-0_1.2.35-1_amd64.deb
 106a312f7dc70cd06409138c362d00ca 259142 libdevel optional libpng12-dev_1.2.35-1_amd64.deb
 4d875d98ee11d83eb43d4aa96e78d6b0 71912 debian-installer extra libpng12-0-udeb_1.2.35-1_amd64.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmfxjwACgkQgY5NIXPNpFWbngCgjjuX270GU6jxxWttXVCccgyw
la4AnR2MnRxLIEngf3Rf9MLhCSvdfnls
=f0pc
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#516256; Package libpng. (Sat, 14 Mar 2009 21:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sat, 14 Mar 2009 21:00:03 GMT) Full text and rfc822 format available.

Message #17 received at 516256@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 512665@bugs.debian.org, 516256@bugs.debian.org, team@security.debian.org
Subject: libpng: proposed NMU to fix CVE-2008-5907 and CVE-2009-0040 in lenny
Date: Sat, 14 Mar 2009 21:59:04 +0100
[Message part 1 (text/plain, inline)]
Hi,

I've prepared a NMU to fix CVE-2008-5907 and CVE-2009-0040 in libpng.


Proposed debdiff in attachment.

Cheers,
Giuseppe.
[libpng_1.2.27-2lenny1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 09:18:32 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 06:17:40 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.