Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 9 Jan 2009 13:36:24 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: libpng non issue

I figured I'd put this out in the open before it gets picked up and causes
confusion.

The libpng main page (http://libpng.sourceforge.net/index.html) currently contains
this:

UPDATE 18 December 2008: The latest released versions are libpng-1.0.42 and
libpng-1.2.34. They fix a vulnerability to a possible double-free in
png_check_keyword() while writing various chunk types.

This isn't a double free, nor would I consider it a security bug.  Our libpng
maintainer Tom Lane helped out with this analysis.

As best as I can tell, this is the bug in question:
http://sourceforge.net/mailarchive/forum.php?thread_name=4B6F0239C13D0245820603C036D180BC79FBAA%40CABOTUKEXCH01.cabot.local&forum_name=png-mng-implement

which results in writing a NULL byte to an arbitrary location in memory.

Here is what Tom Lane said about this:

    Some poking around shows that png_check_keyword is called in subroutines
    that *write* PNG chunks, not ones that read them. So the problem could
    only manifest in programs that were creating new PNG files and trying
    to put illegal-per-spec content in them. Also, in typical usage the
    keywords being checked would be constant strings in the app, thus even
    less likely to trigger the overlength error. (It seems likely that this
    code has actually never been executed anywhere, explaining why the bug
    went undetected.)

So unless someone sees a flaw in this analysis, Red Hat has no plans to consider this a security flaw.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.