Date: Fri, 11 Dec 2015 10:41:52 -0500 From: Glenn Randers-Pehrson <glennrp@...il.com> To: oss-security@...ts.openwall.com Subject: Re: Re: CVE request - read underflow in libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c) On Fri, Dec 11, 2015 at 10:36 AM, <cve-assign@...re.org> wrote: > ... > > > there is a underflow read in png_check_keyword in pngwutil.c in > libpng-1.2.54 > > > if the data of "key" is only ' ' (0x20), it will read a byte before the > buffer in line 1288. > > > it also impacts libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 . > > >> The bug was introduced in libpng-0.90, was fixed in libpng-1.6.0, and > will be > >> fixed in libpng-1.0.66, 1.2.56, 1.4.19, and 1.5.26. > > > https://sourceforge.net/p/libpng/bugs/244/ > > This says the problem was on a "1288 while (kp == ' ')" line but that > seems very confusing because that line doesn't appear to be present in > libpng-1.2.54 or any other version. As far as we can tell, the > unpatched code has > > while (*kp == ' ') > > and the patched code has > > while (key_len && *kp == ' ') > That's correct. The bug tracker at SourceForge has an unpleasant effect of removing asterisks, backticks, and whatnot from bug reports, thereby making the reports very confusing. Glenn
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.