Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20151211153602.450948BC15E@smtpvmsrv1.mitre.org>
Date: Fri, 11 Dec 2015 10:36:02 -0500 (EST)
From: cve-assign@...re.org
To: xiaoqixue_1@....com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, yuchen@...l.tsinghua.edu.cn
Subject: Re: CVE request - read underflow in libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> there is a underflow read in png_check_keyword in pngwutil.c in libpng-1.2.54

> if the data of "key" is only ' ' (0x20), it will read a byte before the buffer in line 1288.

> it also impacts libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 .

>> The bug was introduced in libpng-0.90, was fixed in libpng-1.6.0, and will be
>> fixed in libpng-1.0.66, 1.2.56, 1.4.19, and 1.5.26.

> https://sourceforge.net/p/libpng/bugs/244/

This says the problem was on a "1288 while (kp == ' ')" line but that
seems very confusing because that line doesn't appear to be present in
libpng-1.2.54 or any other version. As far as we can tell, the
unpatched code has

  while (*kp == ' ')

and the patched code has

  while (key_len && *kp == ' ')

See

  http://sourceforge.net/p/libpng/code/ci/d9006f683c641793252d92254a75ae9b815b42ed/

Use CVE-2015-8540.

Any instance of "kp ==" instead of "*kp ==" would have been a
different type of problem but we don't think that problem ever
occurred.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWab8eAAoJEL54rhJi8gl5SlYP/A779vmL+vtcTcO1vhnhU4Z/
hr7Qm2C8sE7TUvgWc7bUqthJjNs4T2jEhgYGGcRHeuzm+qneBVkh3w2R5pD/gn04
/sD2FH+c7MaAMGWWZYzudqgh2zNrVud9zY5VFjJTbNAWGsTnU6ix3A94TC6KUq9C
zLVxrc7c5BxFhvgtg+rdb/TSj9lfzUXNJqVENGONUK3PDth567FvVJkJJPlvxPts
yZx9467dLcR9yJSSWVsDPg4PqhIc2oU6f8fdt9tYI16lc7wMFRn71B2xuvcOvzRO
yWYd8xNvfY+sb0iWwuRgDTI+2b0gd2sDwAHR0KCq2vQwVUQOWa4hhbC0X2UxLOHg
TKwXrXg9HVpXUYQr7wE+QO+V4fLnkUI3mRb+9enVcL9mSvzAA49gtIh6oee+wGeF
dMNWR02dxjitTSK0FcgNvzKLzff2l1K6WSY5cFzrOXqUkNdXZOEHAWGdBYCv0/Sv
LKrz3IoO4kpRRSGk0ZRWDCi7r2fjZQh2BAFWjKMqoMGRG33wLCHqQ5Me65FtleMc
VLfmcITghJHhWi3J9aihshJ6QouoS6jzVaiOnw3X3ZNW4Uw/Jvh5XTDbGbAY93Z+
rZZqMCE1YJqBjvx8N/lGxPJIQHLgw4pT+Z6MKc23EqdchTVEM0Sh39x5RoZKb3Wg
MHAIUGPZQf7YS/kpzTHE
=h4md
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.