Date: Fri, 11 Dec 2015 10:36:02 -0500 (EST) From: cve-assign@...re.org To: xiaoqixue_1@....com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, yuchen@...l.tsinghua.edu.cn Subject: Re: CVE request - read underflow in libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > there is a underflow read in png_check_keyword in pngwutil.c in libpng-1.2.54 > if the data of "key" is only ' ' (0x20), it will read a byte before the buffer in line 1288. > it also impacts libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 . >> The bug was introduced in libpng-0.90, was fixed in libpng-1.6.0, and will be >> fixed in libpng-1.0.66, 1.2.56, 1.4.19, and 1.5.26. > https://sourceforge.net/p/libpng/bugs/244/ This says the problem was on a "1288 while (kp == ' ')" line but that seems very confusing because that line doesn't appear to be present in libpng-1.2.54 or any other version. As far as we can tell, the unpatched code has while (*kp == ' ') and the patched code has while (key_len && *kp == ' ') See http://sourceforge.net/p/libpng/code/ci/d9006f683c641793252d92254a75ae9b815b42ed/ Use CVE-2015-8540. Any instance of "kp ==" instead of "*kp ==" would have been a different type of problem but we don't think that problem ever occurred. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWab8eAAoJEL54rhJi8gl5SlYP/A779vmL+vtcTcO1vhnhU4Z/ hr7Qm2C8sE7TUvgWc7bUqthJjNs4T2jEhgYGGcRHeuzm+qneBVkh3w2R5pD/gn04 /sD2FH+c7MaAMGWWZYzudqgh2zNrVud9zY5VFjJTbNAWGsTnU6ix3A94TC6KUq9C zLVxrc7c5BxFhvgtg+rdb/TSj9lfzUXNJqVENGONUK3PDth567FvVJkJJPlvxPts yZx9467dLcR9yJSSWVsDPg4PqhIc2oU6f8fdt9tYI16lc7wMFRn71B2xuvcOvzRO yWYd8xNvfY+sb0iWwuRgDTI+2b0gd2sDwAHR0KCq2vQwVUQOWa4hhbC0X2UxLOHg TKwXrXg9HVpXUYQr7wE+QO+V4fLnkUI3mRb+9enVcL9mSvzAA49gtIh6oee+wGeF dMNWR02dxjitTSK0FcgNvzKLzff2l1K6WSY5cFzrOXqUkNdXZOEHAWGdBYCv0/Sv LKrz3IoO4kpRRSGk0ZRWDCi7r2fjZQh2BAFWjKMqoMGRG33wLCHqQ5Me65FtleMc VLfmcITghJHhWi3J9aihshJ6QouoS6jzVaiOnw3X3ZNW4Uw/Jvh5XTDbGbAY93Z+ rZZqMCE1YJqBjvx8N/lGxPJIQHLgw4pT+Z6MKc23EqdchTVEM0Sh39x5RoZKb3Wg MHAIUGPZQf7YS/kpzTHE =h4md -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.