Debian Bug report logs - #572308
CVE-2010-0205 VU#576029 libpng stalls on highly compressed ancillary chunks

version graph

Package: libpng; Maintainer for libpng is Anibal Monsalve Salazar <anibal@debian.org>;

Reported by: Aníbal Monsalve Salazar <anibal@debian.org>

Date: Wed, 3 Mar 2010 05:36:01 UTC

Severity: serious

Tags: security

Found in version 1.2.42-2

Fixed in version libpng/1.2.43-1

Done: Anibal Monsalve Salazar <anibal@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#572308; Package libpng. (Wed, 03 Mar 2010 05:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Aníbal Monsalve Salazar <anibal@debian.org>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 03 Mar 2010 05:36:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Aníbal Monsalve Salazar <anibal@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2010-0205 VU#576029 libpng stalls on highly compressed ancillary chunks
Date: Wed, 3 Mar 2010 16:35:18 +1100
[Message part 1 (text/plain, inline)]
Package: libpng
Version: 1.2.42-2
Severity: serious
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
https://www.kb.cert.org/vuls/id/576029

libpng stalls on highly compressed ancillary chunks

Libpng stalls and consumes large quantities of memory while processing
certain Portable Network Graphics (PNG) files.

When processing PNG files containing highly compressed ancillary chunks,
the png_decompress_chunk() function in libpng can consume large amounts
of CPU time and memory. This resource consumption may hang applications
that use libpng. More information is available in the PNG Development
Group security advisory and supplementary document, Defending Libpng
Applications Against Decompression Bombs.

This vulnerability could allow an unauthenticated, remote attacker to
cause a denial of service.

http://libpng.sourceforge.net/decompression_bombs.html

Libpng provides functions to limit memory consumption and number of
cached ancillary chunks. Applications that use libpng should use these
functions to set appropriate limits. Please see defense #2 in the
document Defending Libpng Applications Against Decompression Bombs (see
web page above) for more information.

Developers who build versions of libpng can choose to ignore ancillary
chunks by defining specific preprocessor macros. Please see defense #3
in the document Defending Libpng Applications Against Decompression
Bombs (see web page above) for more information. 
[signature.asc (application/pgp-signature, inline)]

Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. (Wed, 03 Mar 2010 06:36:04 GMT) Full text and rfc822 format available.

Notification sent to Aníbal Monsalve Salazar <anibal@debian.org>:
Bug acknowledged by developer. (Wed, 03 Mar 2010 06:36:04 GMT) Full text and rfc822 format available.

Message #10 received at 572308-close@bugs.debian.org (full text, mbox):

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 572308-close@bugs.debian.org
Subject: Bug#572308: fixed in libpng 1.2.43-1
Date: Wed, 03 Mar 2010 06:33:02 +0000
Source: libpng
Source-Version: 1.2.43-1

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.43-1_amd64.udeb
  to main/libp/libpng/libpng12-0-udeb_1.2.43-1_amd64.udeb
libpng12-0_1.2.43-1_amd64.deb
  to main/libp/libpng/libpng12-0_1.2.43-1_amd64.deb
libpng12-dev_1.2.43-1_amd64.deb
  to main/libp/libpng/libpng12-dev_1.2.43-1_amd64.deb
libpng3_1.2.43-1_all.deb
  to main/libp/libpng/libpng3_1.2.43-1_all.deb
libpng_1.2.43-1.debian.tar.bz2
  to main/libp/libpng/libpng_1.2.43-1.debian.tar.bz2
libpng_1.2.43-1.dsc
  to main/libp/libpng/libpng_1.2.43-1.dsc
libpng_1.2.43.orig.tar.bz2
  to main/libp/libpng/libpng_1.2.43.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 572308@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 03 Mar 2010 16:44:47 +1100
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source all amd64
Version: 1.2.43-1
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Closes: 572308
Changes: 
 libpng (1.2.43-1) unstable; urgency=high
 .
   * New upstream release
   * Fix CVE-2010-0205 and Cert VU#576029
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
     https://www.kb.cert.org/vuls/id/576029
     Do not stall and consume large quantities of memory while processing
     certain Portable Network Graphics (PNG) files
     Closes: 572308
Checksums-Sha1: 
 2afb9168f1ee49ece9ff19be7a5c3e93a3848645 1823 libpng_1.2.43-1.dsc
 28ea29305d233669ce565894a95151e4427d1f34 678799 libpng_1.2.43.orig.tar.bz2
 27d36018f49372093dda304a68db13e9e74708b5 14960 libpng_1.2.43-1.debian.tar.bz2
 f8f98e63bca43536321e2f57240072f04faafc72 872 libpng3_1.2.43-1_all.deb
 118da0037ecd7f0626451824eef2c558cb8cf5c0 179594 libpng12-0_1.2.43-1_amd64.deb
 270446161cc900b3e9ea569053c8f560583285af 271416 libpng12-dev_1.2.43-1_amd64.deb
 ccaac18232baa5a33309396f1fa4558f69ec6002 73448 libpng12-0-udeb_1.2.43-1_amd64.udeb
Checksums-Sha256: 
 cd12c79d1fb6c7e81124400378761cb5811a7a8bce6c4169f6a92942b8ef7de7 1823 libpng_1.2.43-1.dsc
 c76d5540b0c09e130497be8906e0acadbbf9e299d0aa2258d912c4ee7cacc82a 678799 libpng_1.2.43.orig.tar.bz2
 cbf586b1db272e4922ddcdf2f35a4076397cfb8b99db75afd02191319af97951 14960 libpng_1.2.43-1.debian.tar.bz2
 f5741aa06eb6ee5a36bf88bb9a40393de4cf4b7e91e5d3cad458d3d4557a6b1a 872 libpng3_1.2.43-1_all.deb
 8b7cbae6d9a7b727e46c654f12ab076c7f25526a43df477def67cc1a2f875047 179594 libpng12-0_1.2.43-1_amd64.deb
 de03dded93c909c7cb38d7b07df11cbd763d700eea380eb5140a66c170aab0bd 271416 libpng12-dev_1.2.43-1_amd64.deb
 f223ff63a715b2fbe31542d7400d56047a7fbd4b522b528772f8ad1ab5414ece 73448 libpng12-0-udeb_1.2.43-1_amd64.udeb
Files: 
 9ebf698635bd43f9a2fea30d493af58c 1823 libs optional libpng_1.2.43-1.dsc
 976909556e6613804d810405c1f72ce6 678799 libs optional libpng_1.2.43.orig.tar.bz2
 1e84623a6a42c04719e9e659c6c1407b 14960 libs optional libpng_1.2.43-1.debian.tar.bz2
 cce1469c247a81b118d3dbd5130bd316 872 oldlibs optional libpng3_1.2.43-1_all.deb
 9d599433ab8767726c2b4f9d6af05873 179594 libs optional libpng12-0_1.2.43-1_amd64.deb
 5c02a6570c9a30de97bc37b3dbb58f9c 271416 libdevel optional libpng12-dev_1.2.43-1_amd64.deb
 b0300c7de2de4272f358bfb9046cf469 73448 debian-installer extra libpng12-0-udeb_1.2.43-1_amd64.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBCAAGBQJLjgAmAAoJEHxWrP6UeJfYgLIP/3S2wqzBzz2SNYuRNQ9Jqs+7
Wt+apt9wNPGoqiNPsFUGYbYIEQIc/Y1DMEQ8sArbUUI35ZD6KXJyWuTI7gKpIuh8
ZsJskx8HjQlTTF6S3WmGST7HtZpQiH83XJvL/PPpvDAU9XUonNz0lklIBIY2R4tc
Pxotd/CLk7XBO6iDAEO0TTH3doygfK7JRkRalSs9oVmz6Uln34L/5B1wPDLA7wDa
o++rmVuGmZZDQRqpsZvdNbix+aMcwqICmolPxDQ79xhd/IeY1VzMI/UhwbfiqelV
wEEqzsiVQ4NCm3ruzbOg8MWrG8h4KIGpltCp2XmJLyKpvMYpbOPCuhpw2f5WFzSc
abRut/r1DgP/HBIv8Zc24577HG0ntf14f/2NJUI35acXFdlmUJt8KJklikSZsg4Z
bpGQOiaXvSwK5RQ8I5iNeFDNs4CQYEjQ7wuExjvrgePFKa6Qa2KC/dYxCHjUFrix
OJD1phR7QwSXvIUt9CnnKJwQH7W2cV0PIack/52J2RwYUwSuc8EwGXnVPl3ovKfX
IM2IS3uhYO6xlNJTbyH18Ths3ceurXeE5fgav6xQoz+obJOWywcIoxYRZ6ymnI84
L7mS2npq1l8SfLuu6V+iqLYi3iPJiTKrL1Yc3ZYrm1Js1KUGJI1ElDFnt31S2zPl
k2teJLAFHfnTKskmvHGq
=Ayeb
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 03 Apr 2010 07:29:35 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 06:21:29 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.