Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+PdXctCPbC9Km5yC+GwENxVz-cCYeQVY1Av+1LeU=55CK6YnA@mail.gmail.com>
Date: Fri, 11 Dec 2015 10:41:52 -0500
From: Glenn Randers-Pehrson <glennrp@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request - read underflow in libpng 1.2.55,
 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c)

On Fri, Dec 11, 2015 at 10:36 AM, <cve-assign@...re.org> wrote:

> ...
>
> > there is a underflow read in png_check_keyword in pngwutil.c in
> libpng-1.2.54
>
> > if the data of "key" is only ' ' (0x20), it will read a byte before the
> buffer in line 1288.
>
> > it also impacts libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 .
>
> >> The bug was introduced in libpng-0.90, was fixed in libpng-1.6.0, and
> will be
> >> fixed in libpng-1.0.66, 1.2.56, 1.4.19, and 1.5.26.
>
> > https://sourceforge.net/p/libpng/bugs/244/
>
> This says the problem was on a "1288 while (kp == ' ')" line but that
> seems very confusing because that line doesn't appear to be present in
> libpng-1.2.54 or any other version. As far as we can tell, the
> unpatched code has
>
>   while (*kp == ' ')
>
> and the patched code has
>
>   while (key_len && *kp == ' ')
>

That's correct.  The bug tracker at SourceForge has an unpleasant effect
of removing asterisks, backticks, and whatnot from bug reports, thereby
making the reports very confusing.

Glenn

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.