libpng12-0: libpng-1.2.44 crashes with electric fence memory debugger

Related Vulnerabilities: CVE-2011-3048 CVE-2012-3045

Debian Bug report logs - #668082


Reported by: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>

Date: Sun, 8 Apr 2012 18:03:01 UTC

Severity: grave

Tags: security

Found in versions libpng/1.2.44-1+squeeze4, libpng/1.2.44-1

Fixed in versions libpng/1.2.44-1+squeeze6, libpng/1.2.49-1

Done: Anibal Monsalve Salazar <anibal@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, mikulas@artax.karlin.mff.cuni.cz, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#668082; Package libpng12-0. (Sun, 08 Apr 2012 18:03:04 GMT)


Acknowledgement sent to Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>:
New Bug report received and forwarded. Copy sent to mikulas@artax.karlin.mff.cuni.cz, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>. (Sun, 08 Apr 2012 18:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpng12-0: libpng-1.2.44 crashes with electric fence memory debugger
Date: Sun, 08 Apr 2012 20:01:47 +0200
[Message part 1 (text/plain, inline)]
Package: libpng12-0
Version: 1.2.44-1+squeeze4
Severity: grave
Tags: security
Justification: user security hole

Debian libpng crashes when loading a corrupted image; I placed the image here:
http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/debian-libpng-1.2.44-crash.png

How to reproduce:
install links2 and electric-fence package
run:
LD_PRELOAD=/usr/lib/libefence.so EF_ALIGNMENT=0 links2 -g http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/debian-libpng-1.2.44-crash.png

You get a crash in inflate.

I tried it on upstream libpng; upstream versions up to 1.2.47 crash. 1.2.48 and
1.2.49 don't crash.

A backtrace of the upstream crash:

Program terminated with signal 11, Segmentation fault.
#0  0x00007fd202b4338f in inflate (strm=0x7fd1fe3c7c40, flush=1)
    at inflate.c:649
649                 NEEDBITS(16);
(gdb) bt
#0  0x00007fd202b4338f in inflate (strm=0x7fd1fe3c7c40, flush=1)
    at inflate.c:649
#1  0x00007fd2029304de in png_push_read_zTXt (png_ptr=0x7fd1fe3c7b10,
    info_ptr=0x7fd1fe3cfe30) at pngpread.c:1405
#2  0x00007fd20292d7d0 in png_process_some_data (png_ptr=0x7fd1fe3c7b10,
    info_ptr=0x7fd1fe3cfe30) at pngpread.c:85
#3  0x00007fd20292d70a in png_process_data (png_ptr=0x7fd1fe3c7b10,
    info_ptr=0x7fd1fe3cfe30, buffer=0x7fd1fe976d03 "\211PNG\r\n\032\n",
    buffer_size=757) at pngpread.c:41

(gdb) frame 1
#1  0x00007fd2029304de in png_push_read_zTXt (png_ptr=0x7fd1fe3c7b10,
    info_ptr=0x7fd1fe3cfe30) at pngpread.c:1405
1405             ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
(gdb) print png_ptr->zstream
$1 = {next_in = 0x7fd1fe3d4000 "", avail_in = 4294967295, total_in = 0,
  next_out = 0x7fd1fe3c9000 "Copyright Willem van Schaik, Singapore 1995",
  avail_out = 8192, total_out = 0, msg = 0x0, state = 0x7fd1fe3cc410,
  zalloc = 0x7fd20290884d <png_zalloc>, zfree = 0x7fd20290891a <png_zfree>,
  opaque = 0x7fd1fe3c7b10, data_type = 64, adler = 1, reserved = 0}

The crash is caused by libpng putting a too-big value into the "avail_in" field.

This bug is already fixed in libpng-1.2.48 (the buggy function
png_push_read_zTXt is removed), but Debian didn't backport the fix.



-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.3.0 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=cs_CZ, LC_CTYPE=cs_CZ (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpng12-0 depends on:
ii  libc6                   2.11.3-2         Embedded GNU C Library: Shared lib
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

libpng12-0 recommends no packages.

libpng12-0 suggests no packages.

-- no debconf information
[file.png (image/png, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#668082; Package libpng12-0. (Sun, 08 Apr 2012 18:09:05 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sun, 08 Apr 2012 18:09:05 GMT)


Message #10 received at 668082@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>, 668082@bugs.debian.org
Subject: Re: Bug#668082: libpng12-0: libpng-1.2.44 crashes with electric fence memory debugger
Date: Sun, 08 Apr 2012 19:04:43 +0100
On Sun, 2012-04-08 at 20:01 +0200, Mikulas Patocka wrote:
> install links2 and electric-fence package
> run:
> LD_PRELOAD=/usr/lib/libefence.so EF_ALIGNMENT=0 links2 -g http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/debian-libpng-1.2.44-crash.png
> 
> You get a crash in inflate.

Have you actually verified that the crash has any security impact, or is
this just conjecture?

> I tried it on upstream libpng, upstream versions up to 1.2.47 crash. 1.2.48 and
> 1.2.49 dont' crash.
[...]
> This bug is already fixed in libpng-1.2.48 (the buggy function
> png_push_read_zTXt is removed), but Debian didn't backport the fix.

Removal of functions from shared libraries isn't really something that's
going to get backported.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#668082; Package libpng12-0. (Sun, 08 Apr 2012 19:03:04 GMT)


Acknowledgement sent to Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sun, 08 Apr 2012 19:03:04 GMT)


Message #15 received at 668082@bugs.debian.org:

From: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 668082@bugs.debian.org
Subject: Re: Bug#668082: libpng12-0: libpng-1.2.44 crashes with electric fence memory debugger
Date: Sun, 8 Apr 2012 20:49:52 +0200 (CEST)
On Sun, 8 Apr 2012, Adam D. Barratt wrote:

> On Sun, 2012-04-08 at 20:01 +0200, Mikulas Patocka wrote:
> > install links2 and electric-fence package
> > run:
> > LD_PRELOAD=/usr/lib/libefence.so EF_ALIGNMENT=0 links2 -g http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/debian-libpng-1.2.44-crash.png
> > 
> > You get a crash in inflate.
> 
> Have you actually verified that the crash has any security impact, or is
> this just conjecture?

It passes (unsigned)-1 into png_ptr->zstream.avail_in --- so it reads data 
beyond the end --- so it can cause a crash or reading of unauthorized data. I think 
it can't cause a write out of allocated memory.

The function png_push_read_zTXt checks that
text < key + png_ptr->current_text_size, then it increments text twice, 
and then it sets
png_ptr->zstream.avail_in = (uInt)(png_ptr->current_text_size - (text - key));

--- so it sets avail_in to (uInt)-1.

> > I tried it on upstream libpng, upstream versions up to 1.2.47 crash. 1.2.48 and
> > 1.2.49 dont' crash.
> [...]
> > This bug is already fixed in libpng-1.2.48 (the buggy function
> > png_push_read_zTXt is removed), but Debian didn't backport the fix.
> 
> Removal of functions from shared libraries isn't really something that's
> going to get backported.

That function isn't exported anyway, so you can remove it.

If you don't want to go with upstream changes, then fix it. The patch 
below fixes the crash.

> Regards,
> 
> Adam

Mikulas

---
 pngpread.c |    7 +++++++
 1 file changed, 7 insertions(+)

Index: libpng-1.2.47/pngpread.c
===================================================================
--- libpng-1.2.47.orig/pngpread.c	2012-04-08 20:44:37.000000000 +0200
+++ libpng-1.2.47/pngpread.c	2012-04-08 20:47:17.000000000 +0200
@@ -1380,6 +1380,13 @@ png_push_read_zTXt(png_structp png_ptr,
 
       text++;
 
+      if (text >= key + png_ptr->current_text_size)
+      {
+         png_ptr->current_text = NULL;
+         png_free(png_ptr, key);
+         return;
+      }
+
       if (*text != PNG_TEXT_COMPRESSION_zTXt) /* Check compression byte */
       {
          png_ptr->current_text = NULL;
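Review bot: the new `if (text >= key + png_ptr->current_text_size)` block sits between `text++` and the `*text` compression-byte read, which is the right spot, but it rejects the chunk silently; add a `png_warning(png_ptr, "Truncated zTXt chunk")` before the `return` so a malformed chunk is diagnosable rather than indistinguishable from one with no text. The cleanup it performs (`png_ptr->current_text = NULL;`, `png_free(png_ptr, key);`, `return;`) mirrors the compression-byte branch directly below, so consider folding the bound test into that condition instead, `if (text >= key + png_ptr->current_text_size || *text != PNG_TEXT_COMPRESSION_zTXt)`, which keeps a single cleanup path and still avoids the out-of-bounds read because `||` short-circuits before `*text` is evaluated.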




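The zstream dump in the original report (avail_in = 4294967295) and the walk-through in the reply above describe the same arithmetic. The following is an added example, not libpng code and not from the reporter, that models the keyword walk of png_push_read_zTXt on constructed chunk payloads: once as the unpatched 1.2.44 to 1.2.47 code behaves, and once with the extra bound check from the patch. It assumes, as the reply describes, that the chunk payload sits in a buffer of `size` bytes with a NUL written at buf[size]; the zstream is modelled by a two-field struct, and the sample chunks and helper names are hypothetical.

```c
/* Added example (not libpng code): model of the zTXt keyword walk that
 * wraps avail_in to (uInt)-1, and the patched walk that rejects the chunk.
 * Assumption: the payload buffer holds `size` bytes plus a NUL at key[size]. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define PNG_TEXT_COMPRESSION_zTXt 0   /* zTXt compression method byte */

typedef unsigned int uInt;            /* zlib's type for avail_in */

typedef struct {                      /* the two z_stream fields we care about */
    const unsigned char *next_in;
    uInt avail_in;
} zstream_model;

/* Skip the keyword, step past its NUL, check the compression byte, step
 * past it, then point the inflater at the rest.  hardened == 0 reproduces
 * the unpatched walk.  Returns 1 if accepted (z filled), 0 if rejected. */
static int ztxt_walk(const unsigned char *key, size_t size, int hardened,
                     zstream_model *z)
{
    const unsigned char *text;

    for (text = key; *text; text++)
        ;                                    /* find end of keyword */

    if (text >= key + size)                  /* keyword filled the chunk */
        return 0;

    text++;                                  /* past the keyword NUL */

    /* The patch: without this, text may now equal key + size, i.e. point at
     * the terminator NUL, which equals PNG_TEXT_COMPRESSION_zTXt (0) and so
     * passes the check below. */
    if (hardened && text >= key + size)
        return 0;

    if (*text != PNG_TEXT_COMPRESSION_zTXt)  /* compression byte */
        return 0;

    text++;                                  /* past the compression byte */

    z->next_in = text;
    /* Computed in size_t: if text ran one byte past key + size the
     * subtraction wraps, and the uInt cast yields UINT_MAX. */
    z->avail_in = (uInt)(size - (size_t)(text - key));
    return 1;
}

/* Helpers that expose the outcome of one walk. */
static int ztxt_accepts(const unsigned char *key, size_t size, int hardened)
{
    zstream_model z;
    return ztxt_walk(key, size, hardened, &z);
}

static uInt ztxt_avail_in(const unsigned char *key, size_t size, int hardened)
{
    zstream_model z = { 0, 0 };
    ztxt_walk(key, size, hardened, &z);
    return z.avail_in;
}

/* Constructed sample chunks (not the reporter's file).  Each array ends with
 * one extra NUL acting as the buffer terminator, so size = sizeof - 1. */
static const unsigned char ztxt_ok[] = {
    'C','o','m','m','e','n','t', 0,          /* keyword + NUL              */
    0,                                       /* compression method         */
    0x78, 0x9c, 0x03, 0x00,                  /* opaque compressed payload  */
    0                                        /* buffer terminator          */
};
#define ZTXT_OK_SIZE (sizeof(ztxt_ok) - 1)

/* Keyword and its NUL, then nothing: the compression byte is missing. */
static const unsigned char ztxt_truncated[] = {
    'C','o','m','m','e','n','t', 0,
    0                                        /* buffer terminator          */
};
#define ZTXT_TRUNC_SIZE (sizeof(ztxt_truncated) - 1)

int main(void)
{
    printf("well-formed, unpatched: accepted=%d avail_in=%u\n",
           ztxt_accepts(ztxt_ok, ZTXT_OK_SIZE, 0),
           ztxt_avail_in(ztxt_ok, ZTXT_OK_SIZE, 0));
    printf("truncated,   unpatched: accepted=%d avail_in=%u\n",
           ztxt_accepts(ztxt_truncated, ZTXT_TRUNC_SIZE, 0),
           ztxt_avail_in(ztxt_truncated, ZTXT_TRUNC_SIZE, 0));
    printf("truncated,   patched:   accepted=%d\n",
           ztxt_accepts(ztxt_truncated, ZTXT_TRUNC_SIZE, 1));
    return 0;
}
```

The truncated chunk is accepted by the unpatched walk with avail_in equal to UINT_MAX, which is the 4294967295 seen in the gdb dump; inflate() then reads past the end of the allocation, which is what Electric Fence's guard page turns into the reported SIGSEGV. With the patch the same chunk is rejected before the compression byte is read.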
Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. (Mon, 09 Apr 2012 03:06:07 GMT)


Notification sent to Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>:
Bug acknowledged by developer. (Mon, 09 Apr 2012 03:06:07 GMT)


Message #20 received at 668082-close@bugs.debian.org:

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 668082-close@bugs.debian.org
Subject: Bug#668082: fixed in libpng 1.2.49-1
Date: Mon, 09 Apr 2012 03:02:30 +0000
Source: libpng
Source-Version: 1.2.49-1

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.49-1_mipsel.udeb
  to main/libp/libpng/libpng12-0-udeb_1.2.49-1_mipsel.udeb
libpng12-0_1.2.49-1_mipsel.deb
  to main/libp/libpng/libpng12-0_1.2.49-1_mipsel.deb
libpng12-dev_1.2.49-1_mipsel.deb
  to main/libp/libpng/libpng12-dev_1.2.49-1_mipsel.deb
libpng3_1.2.49-1_mipsel.deb
  to main/libp/libpng/libpng3_1.2.49-1_mipsel.deb
libpng_1.2.49-1.debian.tar.bz2
  to main/libp/libpng/libpng_1.2.49-1.debian.tar.bz2
libpng_1.2.49-1.dsc
  to main/libp/libpng/libpng_1.2.49-1.dsc
libpng_1.2.49.orig.tar.bz2
  to main/libp/libpng/libpng_1.2.49.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 668082@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 09 Apr 2012 12:08:13 +1000
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source mipsel
Version: 1.2.49-1
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Closes: 667475 668082
Changes: 
 libpng (1.2.49-1) unstable; urgency=high
 .
   * New upstream version 1.2.49
     - Fix CVE-2011-3048 (memory corruption flaw)
       Closes: 667475
     - Don't crash with electric fence memory debugger
       Closes: 668082
   * Merged upstream: 02-665208-CVE-2012-3045.patch
Checksums-Sha1: 
 97bc62e067dd4f028dca4cafc37ca889eed077b5 1976 libpng_1.2.49-1.dsc
 93cdd7e4fe01b490cf045e3f354ab38f0200c540 669011 libpng_1.2.49.orig.tar.bz2
 b66e6fbaa296a21a2c19922393111c0f1b503a0e 15926 libpng_1.2.49-1.debian.tar.bz2
 954068cd8d070e297f4bf0ffdcc636b6db112b9d 184718 libpng12-0_1.2.49-1_mipsel.deb
 6af14f453cccb01fd66bd2343c409c1ce5ca3b02 274834 libpng12-dev_1.2.49-1_mipsel.deb
 ce0ee517ecd9be13b4543b8d950bec4797ef3e50 950 libpng3_1.2.49-1_mipsel.deb
 fc7edba93fef4acbcf7c9b48000f3dae11a245e1 70266 libpng12-0-udeb_1.2.49-1_mipsel.udeb
Checksums-Sha256: 
 de69dd0f9a8b4758d991cafb43afbec6c92f1e9c175e48ad399cd28273c2d309 1976 libpng_1.2.49-1.dsc
 fbf8faa70ebca2ed2ee6df6f2249f4722517b581af5b6c3c71bbdaf925d5954e 669011 libpng_1.2.49.orig.tar.bz2
 02c9d8ae3e62eb7fc7848827957b23f0b3120f59c9254b255417d371a2f17929 15926 libpng_1.2.49-1.debian.tar.bz2
 16977d7395735909a35168a45581e7ab3a911e24ff6f08fa2e2804d0232599a2 184718 libpng12-0_1.2.49-1_mipsel.deb
 fe34f6ee1dcba4428005363115830b69ea4ed3de2d4a4299025faca525c78425 274834 libpng12-dev_1.2.49-1_mipsel.deb
 2c6f73ee7ec6a3b981a7da6ddee169f031a85735ede482b9db68b643a89a1450 950 libpng3_1.2.49-1_mipsel.deb
 a1ee89fc2f4c2c7c97d24f929599c4d5bb74f33b9161815484cc1d550acf830e 70266 libpng12-0-udeb_1.2.49-1_mipsel.udeb
Files: 
 e76f6a73dc3957d394277c502c23728b 1976 libs optional libpng_1.2.49-1.dsc
 d5106b70b4f8b464a7da66bffe4565fb 669011 libs optional libpng_1.2.49.orig.tar.bz2
 255fa917ea45c837c1635de4eee936d5 15926 libs optional libpng_1.2.49-1.debian.tar.bz2
 5df8b116c4dbabb51226cf0c0c1e1fbd 184718 libs optional libpng12-0_1.2.49-1_mipsel.deb
 074dc66c38daca0d1148127bd2e2b9bd 274834 libdevel optional libpng12-dev_1.2.49-1_mipsel.deb
 5c1434b8e011f72ade7412b72ebf5d29 950 oldlibs optional libpng3_1.2.49-1_mipsel.deb
 f789f9da1a18de2dc464bf54657f0409 70266 debian-installer extra libpng12-0-udeb_1.2.49-1_mipsel.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJPgk6CAAoJEHxWrP6UeJfYB04P/0fgXdXUf/RyzPSw1vAadaSM
j3bPqqfwNIDA88fEGAPtF5MfMDBjFZwzmXj3Lpjr5NBCVDPVA44Yb7e3pjVW9IkG
XCUgl2J0us0q/8XcITMe2y7wY9WgKweZfj/rpPGB/ED2M3hYZ/VJXp0Ib/Fv4ztY
2hmqEjtP5aqhOfCDwEA7GZKM+aE1ZdakRZZ6vZMw7+rHlywfWLDRUdxcZVk4Fhlj
eeHIQTRDZNA77+tvGBP6FScbwGi82rEI/Ns5r6Xj7G9cMPcqkDylTay+p/aHv35a
fI9//B0UChmrVxnL6MP6Huf8f0dVExQQrpEfWT1+7MLPRMsHuC7IxNUV0s6P3nV/
Hs9fJyI8bCfBhU09WmZV+pXf5b6S5dqEIL+kosPxjUyRqI1fMK4aTyhPe8McaGwj
YVI3ZetqoaOcBOMjw3YroTpTyxAYwpprSWbyaOtZHUyLlNEIZ9MVX4N1RL7wVet+
9VUkQPFBU7iMy51hFcsu/t9FMpNaYnBqmwd1jMWfjgnDWS32SMLfxKboxAZvjM9V
rDNvh9CFDSRJSP4VCEjipkvXd/JnTcgbskO45pox5JXhHG9Ye3BAm728IkaAgfUL
uJfamXJWGhDBIo1ORyx1e7ZX2eqZZjNW9ILUtkPYf7+Gq86nvwloEwlzeph5yykd
eqbfD373LBcmBm6wAeAK
=JLWT
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 May 2012 07:43:28 GMT)


Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Tue, 31 Jul 2012 12:00:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#668082; Package libpng12-0. (Tue, 31 Jul 2012 14:30:06 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Tue, 31 Jul 2012 14:30:06 GMT)


Message #29 received at 668082@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 668082@bugs.debian.org
Subject: Re: libpng12-0: libpng-1.2.44 crashes with electric fence memory debugger
Date: Tue, 31 Jul 2012 13:45:30 -0000
Package: libpng12-0

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/668082/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 08:00:30 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 27 Dec 2015 22:15:08 GMT)


Marked as found in versions libpng/1.2.44-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 27 Dec 2015 22:15:08 GMT)


Marked as fixed in versions libpng/1.2.44-1+squeeze6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 27 Dec 2015 22:15:09 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jan 2016 07:47:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:58:20 2019; Machine Name: beach
