Date: Fri, 11 Dec 2015 10:36:02 -0500 (EST) From: cve-assign@...re.org To: xiaoqixue_1@....com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, yuchen@...l.tsinghua.edu.cn Subject: Re: CVE request - read underflow in libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > there is a underflow read in png_check_keyword in pngwutil.c in libpng-1.2.54 > if the data of "key" is only ' ' (0x20), it will read a byte before the buffer in line 1288. > it also impacts libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 . >> The bug was introduced in libpng-0.90, was fixed in libpng-1.6.0, and will be >> fixed in libpng-1.0.66, 1.2.56, 1.4.19, and 1.5.26. > https://sourceforge.net/p/libpng/bugs/244/ This says the problem was on a "1288 while (kp == ' ')" line but that seems very confusing because that line doesn't appear to be present in libpng-1.2.54 or any other version. As far as we can tell, the unpatched code has while (*kp == ' ') and the patched code has while (key_len && *kp == ' ') See http://sourceforge.net/p/libpng/code/ci/d9006f683c641793252d92254a75ae9b815b42ed/ Use CVE-2015-8540. Any instance of "kp ==" instead of "*kp ==" would have been a different type of problem but we don't think that problem ever occurred. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWab8eAAoJEL54rhJi8gl5SlYP/A779vmL+vtcTcO1vhnhU4Z/ hr7Qm2C8sE7TUvgWc7bUqthJjNs4T2jEhgYGGcRHeuzm+qneBVkh3w2R5pD/gn04 /sD2FH+c7MaAMGWWZYzudqgh2zNrVud9zY5VFjJTbNAWGsTnU6ix3A94TC6KUq9C zLVxrc7c5BxFhvgtg+rdb/TSj9lfzUXNJqVENGONUK3PDth567FvVJkJJPlvxPts yZx9467dLcR9yJSSWVsDPg4PqhIc2oU6f8fdt9tYI16lc7wMFRn71B2xuvcOvzRO yWYd8xNvfY+sb0iWwuRgDTI+2b0gd2sDwAHR0KCq2vQwVUQOWa4hhbC0X2UxLOHg TKwXrXg9HVpXUYQr7wE+QO+V4fLnkUI3mRb+9enVcL9mSvzAA49gtIh6oee+wGeF dMNWR02dxjitTSK0FcgNvzKLzff2l1K6WSY5cFzrOXqUkNdXZOEHAWGdBYCv0/Sv LKrz3IoO4kpRRSGk0ZRWDCi7r2fjZQh2BAFWjKMqoMGRG33wLCHqQ5Me65FtleMc VLfmcITghJHhWi3J9aihshJ6QouoS6jzVaiOnw3X3ZNW4Uw/Jvh5XTDbGbAY93Z+ rZZqMCE1YJqBjvx8N/lGxPJIQHLgw4pT+Z6MKc23EqdchTVEM0Sh39x5RoZKb3Wg MHAIUGPZQf7YS/kpzTHE =h4md -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ