Date: Fri, 11 Dec 2015 10:41:52 -0500
From: Glenn Randers-Pehrson <glennrp@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request - read underflow in libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c)

On Fri, Dec 11, 2015 at 10:36 AM, <cve-assign@...re.org> wrote:

> ...
>
> > there is an underflow read in png_check_keyword in pngwutil.c in
> > libpng-1.2.54
> >
> > if the data of "key" is only ' ' (0x20), it will read a byte before the
> > buffer in line 1288.
> >
> > it also impacts libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25.
> >
> >> The bug was introduced in libpng-0.90, was fixed in libpng-1.6.0, and
> >> will be fixed in libpng-1.0.66, 1.2.56, 1.4.19, and 1.5.26.
>
> > https://sourceforge.net/p/libpng/bugs/244/
>
> This says the problem was on a "1288 while (kp == ' ')" line but that
> seems very confusing because that line doesn't appear to be present in
> libpng-1.2.54 or any other version. As far as we can tell, the
> unpatched code has
>
>   while (*kp == ' ')
>
> and the patched code has
>
>   while (key_len && *kp == ' ')
>

That's correct.  The bug tracker at SourceForge has an unpleasant effect
of removing asterisks, backticks, and whatnot from bug reports, thereby
making the reports very confusing.

Glenn
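The two loop shapes quoted in this thread, `while (*kp == ' ')` and `while (key_len && *kp == ' ')`, are the whole difference between the read underflow and its fix. The following is an added illustration, not libpng's code and not from this thread: a hypothetical `trim_trailing_spaces` helper written in the fixed shape (length checked before each dereference), next to an `_unchecked` variant in the pre-fix shape, kept only so the failure mode can be read side by side. The function names, the index-based form and the sample keywords are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a keyword trailing-space trim (not libpng's
 * png_check_keyword). Blanks trailing spaces in place and returns the
 * remaining length. Mirrors the fix quoted in the thread: the remaining
 * length is tested before key[key_len - 1] is touched, so an all-space
 * keyword stops cleanly at length 0 instead of reading key[-1]. */
size_t trim_trailing_spaces(char *key, size_t key_len)
{
    while (key_len && key[key_len - 1] == ' ') {
        key[key_len - 1] = '\0';
        key_len--;
    }
    return key_len;
}

/* Pre-fix shape, for comparison only. With a keyword made entirely of
 * spaces the loop walks kp past the front of the buffer and reads one
 * byte before it; an AddressSanitizer build reports this as a
 * stack/heap-buffer-underflow on that read. Never call it on untrusted
 * input; it is here so the missing check is visible. */
size_t trim_trailing_spaces_unchecked(char *key, size_t key_len)
{
    char *kp = key + key_len - 1;
    while (*kp == ' ') {          /* no key_len guard: reads key[-1] when */
        *kp-- = '\0';             /* every byte was a space               */
        key_len--;
    }
    return key_len;
}

int main(void)
{
    /* Constructed sample keywords (the 80-byte limit is an assumption here). */
    char normal[80]    = "Comment   ";
    char all_spaces[80] = "     ";
    char empty[80]     = "";

    printf("\"%s\" -> len %zu\n", normal, trim_trailing_spaces(normal, strlen(normal)));
    printf("all spaces -> len %zu\n", trim_trailing_spaces(all_spaces, strlen(all_spaces)));
    printf("empty -> len %zu\n", trim_trailing_spaces(empty, 0));
    /* trim_trailing_spaces_unchecked(all_spaces, 5) is the case the thread
     * describes and is deliberately not executed. */
    return 0;
}
```

The checked version keeps the loop's behaviour for ordinary keywords (it still strips every trailing space) and only changes the one case the bug report names, a keyword consisting solely of 0x20 bytes. Because the fixed loop is exactly the quoted one-line change, this is also the condition a reviewer would look for when auditing other "walk backwards while the byte matches" trims in the same codebase.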
