Date: Fri, 09 Jan 2015 18:54:32 -0600
From: endeavor <endeavor@...nbowsandpwnies.com>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: Re: CVE Request: libpng 1.6.15 Heap Overflow

I thought it might be helpful to add some additional clarity to this bug.
There were two bugs patched in the latest updates to libpng. The first 
bug is an overflow in png_read_IDAT_data, and is triggerable due to 
checks on image width that were removed a while ago in libpng branches 
1.6.x and 1.5.x. This is the bug against which the following write up 
applies: http://tfpwn.com/files/libpng_heap_overflow_1.6.15.txt .
While fixing this bug, John Bowler found a second, unrelated overflow in 
png_combine_row. His mailing list post on that bug is found here: 
http://sourceforge.net/p/png-mng/mailman/message/33172831/ . It looks 
like CVE-2014-9495 was assigned against this bug, but attributed to me 
by accident.
As the fixes to either bug don't fix the other, there are actually two 
overflows that need to be tracked for libpng. People backporting changes 
should ensure they fix both bugs.
Both of these bugs are evidence of a larger issue in libpng 1.6.x and 
1.5.x. Those branches allow abnormally large width and height values. On 
64-bit platforms, widths and heights of 0x7fffffff are still allowed. 
Somewhat smaller, but abnormally large widths, and still very large 
heights, are available on 32-bit platforms. The 1.2.x branch only allows 
for the safer values.
Safe limits can be enabled in these libpng branches with 
-DPNG_SAFE_LIMITS_SUPPORTED. These limits are not enabled by default.
http://sourceforge.net/p/libpng/code/ci/libpng-1.6.16-signed/tree/pngpriv.h#l300
I very strongly recommend individuals building libpng 1.5.x and 1.6.x 
use PNG_SAFE_LIMITS_SUPPORTED.
- Alex Eubanks

On 1/3/2015 6:05 PM, cve-assign@...re.org wrote:
>
>> I am requesting a CVE for a heap-overflow in libpng 1.6.15. It's my
>> understanding that versions 1.6.9-1.6.15 are vulnerable, and according to
>> patch notes it looks like some revisions in the 1.5 branch may have been
>> affected as well. However, I've only tested 1.6.15 and can only speak for
>> it.
>>
>> Link to announcement of new version:
>> http://sourceforge.net/p/png-mng/mailman/message/33173461/
>>
>> Link to a description of the vulnerability:
>> http://tfpwn.com/files/libpng_heap_overflow_1.6.15.txt
>>
>> Please let me know!
>
> Use CVE-2014-9495.
>
> ---
>
> CVE assignment team, MITRE CVE Numbering Authority M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
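The point Alex makes above about abnormally large width and height values suggests a check an application can run itself before a file reaches a libpng build that may not have PNG_SAFE_LIMITS_SUPPORTED: parse the signature and IHDR and reject oversized dimensions up front. This is an added example, not code from the post or from libpng; the function names are hypothetical, and the 1,000,000-pixel caps are assumed to match the width and height limits of libpng's safe-limits build.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Caps enforced before a file reaches libpng. The 1,000,000-pixel ceiling
 * is assumed to mirror what libpng's PNG_SAFE_LIMITS_SUPPORTED build uses;
 * treat it as a policy value and lower it if your use case allows. */
#define SAFE_WIDTH_MAX  1000000u
#define SAFE_HEIGHT_MAX 1000000u

static const unsigned char png_sig[8] = {0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a};

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 1 if buf starts with a PNG signature and an IHDR whose width and
 * height are within the safe limits, 0 otherwise (including malformed input). */
int png_dimensions_safe(const unsigned char *buf, size_t len) {
    /* signature(8) + IHDR length(4) + type(4) + 13 data bytes + CRC(4) */
    if (len < 33) return 0;
    if (memcmp(buf, png_sig, 8) != 0) return 0;
    if (be32(buf + 8) != 13) return 0;              /* IHDR data is always 13 bytes */
    if (memcmp(buf + 12, "IHDR", 4) != 0) return 0; /* IHDR must be the first chunk */

    uint32_t w = be32(buf + 16), h = be32(buf + 20);

    /* The PNG spec allows 1..2^31-1, so the 0x7fffffff values the post
     * mentions pass this check; the tighter application cap below is what
     * actually rejects them. */
    if (w == 0 || h == 0 || w > 0x7fffffffu || h > 0x7fffffffu) return 0;
    if (w > SAFE_WIDTH_MAX || h > SAFE_HEIGHT_MAX) return 0;
    return 1;
}

/* Constructed test input: a minimal PNG prefix (signature + IHDR) with the
 * given dimensions, 8-bit RGB, and a zeroed CRC (CRC is not checked here). */
int check_constructed(uint32_t w, uint32_t h) {
    unsigned char buf[33] = {0};
    memcpy(buf, png_sig, 8);
    buf[11] = 13;                        /* IHDR data length, big-endian 13 */
    memcpy(buf + 12, "IHDR", 4);
    buf[16] = w >> 24; buf[17] = w >> 16; buf[18] = w >> 8; buf[19] = w;
    buf[20] = h >> 24; buf[21] = h >> 16; buf[22] = h >> 8; buf[23] = h;
    buf[24] = 8;                         /* bit depth */
    buf[25] = 2;                         /* colour type: truecolour */
    return png_dimensions_safe(buf, sizeof buf);
}
```

The check complements, rather than replaces, building with PNG_SAFE_LIMITS_SUPPORTED, since only the library-side limits also cover chunk sizes and cache counts.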
