Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 11 Dec 2015 10:36:02 -0500 (EST)
From: cve-assign@...re.org
To: xiaoqixue_1@....com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, yuchen@...l.tsinghua.edu.cn
Subject: Re: CVE request - read underflow in libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> there is a underflow read in png_check_keyword in pngwutil.c in libpng-1.2.54

> if the data of "key" is only ' ' (0x20), it will read a byte before the buffer in line 1288.

> it also impacts libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 .

>> The bug was introduced in libpng-0.90, was fixed in libpng-1.6.0, and will be
>> fixed in libpng-1.0.66, 1.2.56, 1.4.19, and 1.5.26.

> https://sourceforge.net/p/libpng/bugs/244/

This says the problem was on a "1288 while (kp == ' ')" line but that
seems very confusing because that line doesn't appear to be present in
libpng-1.2.54 or any other version. As far as we can tell, the
unpatched code has

  while (*kp == ' ')

and the patched code has

  while (key_len && *kp == ' ')

See

  http://sourceforge.net/p/libpng/code/ci/d9006f683c641793252d92254a75ae9b815b42ed/

Use CVE-2015-8540.

Any instance of "kp ==" instead of "*kp ==" would have been a
different type of problem but we don't think that problem ever
occurred.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWab8eAAoJEL54rhJi8gl5SlYP/A779vmL+vtcTcO1vhnhU4Z/
hr7Qm2C8sE7TUvgWc7bUqthJjNs4T2jEhgYGGcRHeuzm+qneBVkh3w2R5pD/gn04
/sD2FH+c7MaAMGWWZYzudqgh2zNrVud9zY5VFjJTbNAWGsTnU6ix3A94TC6KUq9C
zLVxrc7c5BxFhvgtg+rdb/TSj9lfzUXNJqVENGONUK3PDth567FvVJkJJPlvxPts
yZx9467dLcR9yJSSWVsDPg4PqhIc2oU6f8fdt9tYI16lc7wMFRn71B2xuvcOvzRO
yWYd8xNvfY+sb0iWwuRgDTI+2b0gd2sDwAHR0KCq2vQwVUQOWa4hhbC0X2UxLOHg
TKwXrXg9HVpXUYQr7wE+QO+V4fLnkUI3mRb+9enVcL9mSvzAA49gtIh6oee+wGeF
dMNWR02dxjitTSK0FcgNvzKLzff2l1K6WSY5cFzrOXqUkNdXZOEHAWGdBYCv0/Sv
LKrz3IoO4kpRRSGk0ZRWDCi7r2fjZQh2BAFWjKMqoMGRG33wLCHqQ5Me65FtleMc
VLfmcITghJHhWi3J9aihshJ6QouoS6jzVaiOnw3X3ZNW4Uw/Jvh5XTDbGbAY93Z+
rZZqMCE1YJqBjvx8N/lGxPJIQHLgw4pT+Z6MKc23EqdchTVEM0Sh39x5RoZKb3Wg
MHAIUGPZQf7YS/kpzTHE
=h4md
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ