Date: Fri, 11 Dec 2015 10:41:52 -0500
From: Glenn Randers-Pehrson <glennrp@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request - read underflow in libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c)

On Fri, Dec 11, 2015 at 10:36 AM, <cve-assign@...re.org> wrote:
> ...
>
> > > there is an underflow read in png_check_keyword in pngwutil.c in
> > > libpng-1.2.54
>
> > > if the data of "key" is only ' ' (0x20), it will read a byte before the
> > > buffer in line 1288.
>
> > > it also impacts libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25.
>
> >> The bug was introduced in libpng-0.90, was fixed in libpng-1.6.0, and will be
> >> fixed in libpng-1.0.66, 1.2.56, 1.4.19, and 1.5.26.
>
> > https://sourceforge.net/p/libpng/bugs/244/
>
> This says the problem was on a "1288 while (kp == ' ')" line but that
> seems very confusing because that line doesn't appear to be present in
> libpng-1.2.54 or any other version. As far as we can tell, the
> unpatched code has
>
>     while (*kp == ' ')
>
> and the patched code has
>
>     while (key_len && *kp == ' ')

That's correct. The bug tracker at SourceForge has an unpleasant effect of
removing asterisks, backticks, and whatnot from bug reports, thereby making
the reports very confusing.

Glenn
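The two loop shapes quoted in the thread, side by side, as an added example that is not libpng's own code: the patched trimmer stops on `key_len` before dereferencing `kp`, while the unpatched shape is run on a copy of the keyword placed behind a sentinel byte so that its one-byte read before the buffer lands on memory the harness owns. The function names, the sentinel harness and the 80-byte limit are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not libpng code. Trims trailing spaces from a writable,
 * NUL-terminated keyword of key_len bytes and returns the remaining length.
 * Patched shape: key_len is tested before *kp, so an all-space keyword ends
 * the loop with key_len == 0 instead of reading the byte before the buffer. */
size_t trim_trailing_spaces(char *key, size_t key_len)
{
    char *kp = key + key_len - 1;        /* last byte of the keyword */

    while (key_len && *kp == ' ') {      /* short-circuits at key_len == 0 */
        *(kp--) = '\0';
        key_len--;
    }
    return key_len;
}

/* Unpatched shape, run on a private copy with a sentinel byte in front so
 * the read before the keyword is observable and stays in memory we own.
 * Returns 1 if the loop read the sentinel (the all-space case from the
 * report), 0 if it stopped inside the keyword, -1 on bad input. */
int unpatched_reads_before_key(const char *keyword)
{
    char buf[1 + 80 + 1];                /* sentinel, keyword, NUL */
    size_t key_len = strlen(keyword);
    char *key = buf + 1, *kp;
    int read_sentinel = 0;

    if (key_len == 0 || key_len > 80)
        return -1;
    buf[0] = 'G';                        /* non-space sentinel ends the loop */
    memcpy(key, keyword, key_len + 1);

    kp = key + key_len - 1;
    for (;;) {                           /* same as: while (*kp == ' ') */
        if (kp < key)                    /* instrumentation only */
            read_sentinel = 1;
        if (*kp != ' ')                  /* no key_len check before *kp */
            break;
        *(kp--) = '\0';
        key_len--;
    }
    return read_sentinel;
}
```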