libpng: CVE-2006-3334: DoS/buffer overflow to code execution

Related Vulnerabilities: CVE-2006-3334  

Debian Bug report logs - #377298

Reported by: Alec Berryman <alec@thened.net>

Date: Sat, 8 Jul 2006 03:18:02 UTC

Severity: grave

Tags: fixed, patch, security

Found in versions libpng/1.2.8rel-5.1, libpng/1.0.18-1, libpng/1.0.12-3.woody.9

Fixed in versions 1.2.8rel-5.2, libpng/1.2.8rel-7

Done: Anibal Monsalve Salazar <anibal@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Josselin Mouette <joss@debian.org>:
Bug#377298; Package libpng.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Josselin Mouette <joss@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpng: CVE-2006-3334: DoS/buffer overflow to code execution
Date: Fri, 07 Jul 2006 22:41:56 -0400
Package: libpng
Version: 1.2.8rel-5.1 1.0.18-1 1.0.12-3.woody.9
Severity: grave
Tags: security patch

CVE-2006-3334: "Buffer overflow in the png_decompress_chunk function in
pngrutil.c in libpng before 1.2.12 allows context-dependent attackers
to cause a denial of service and possibly execute arbitrary code via
unspecified vectors related to "chunk error processing," possibly
involving the "chunk_name"."

This was announced by upstream and fixed in 1.2.12 and 10.0.20.  The
versions in Sarge and Woody are vulnerable.  I have not seen a sample
exploit.

Attached is a patch that applies to all the sarge and woody versions
with a bit of offset.  I couldn't find a public version control system,
so I created this patch from a diff between 1.0.19 and 1.0.20; it's the
same diff as from 1.2.11 to 1.2.12.  If you wade through all the version
changes, the only file touched is pngrutil.c.

Please mention the CVE in your changelog.

Thanks,

Alec

[1.0.19_to_1.0.20.diff (text/x-c, attachment)]

Tags added: fixed. Request was from sesse@debian.org (Steinar H. Gunderson) to control@bugs.debian.org.


Reply sent to "Steinar H. Gunderson" <sesse@debian.org>:
You have taken responsibility.


Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.


Message #12 received at 377298-done@bugs.debian.org:

From: "Steinar H. Gunderson" <sesse@debian.org>
To: 377298-done@bugs.debian.org
Subject: Re: Fixed in NMU of libpng 1.2.8rel-5.2
Date: Sun, 16 Jul 2006 16:42:18 +0200
Version: 1.2.8rel-5.2

I've NMUed for this bug (fixing the bug to use versioning instead of the
"fixed" tag, to ease tracking through testing); here's the changelog:

>  libpng (1.2.8rel-5.2) unstable; urgency=low
>  .
>    * Non-maintainer upload.
>    * Backport changes from 1.2.12 to fix a buffer overflow in
>      png_decompress_chunk; patch by Alec Berryman. [CVE-2006-3334]
>      (Closes: #377298)

/* Steinar */
-- 
Homepage: http://www.sesse.net/



Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility.


Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.


Message #17 received at 377298-close@bugs.debian.org:

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 377298-close@bugs.debian.org
Subject: Bug#377298: fixed in libpng 1.2.8rel-7
Date: Mon, 16 Oct 2006 02:05:44 -0700
Source: libpng
Source-Version: 1.2.8rel-7

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.8rel-7_i386.udeb
  to pool/main/libp/libpng/libpng12-0-udeb_1.2.8rel-7_i386.udeb
libpng12-0_1.2.8rel-7_i386.deb
  to pool/main/libp/libpng/libpng12-0_1.2.8rel-7_i386.deb
libpng12-dev_1.2.8rel-7_i386.deb
  to pool/main/libp/libpng/libpng12-dev_1.2.8rel-7_i386.deb
libpng3_1.2.8rel-7_all.deb
  to pool/main/libp/libpng/libpng3_1.2.8rel-7_all.deb
libpng_1.2.8rel-7.diff.gz
  to pool/main/libp/libpng/libpng_1.2.8rel-7.diff.gz
libpng_1.2.8rel-7.dsc
  to pool/main/libp/libpng/libpng_1.2.8rel-7.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 377298@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 16 Oct 2006 17:34:58 +1000
Source: libpng
Binary: libpng12-dev libpng12-0 libpng12-0-udeb libpng3
Architecture: source i386 all
Version: 1.2.8rel-7
Distribution: unstable
Urgency: low
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Closes: 356252 377298 378463 393109
Changes: 
 libpng (1.2.8rel-7) unstable; urgency=low
 .
   * New maintainer. Closes: #393109.
   * ACK NMUs. Closes: #378463, #377298, #356252.
   * debian/control:
     - set Standards-Version to 3.7.2.
     - set Priority to extra for libpng12-0-udeb.
     - added ${misc:Depends} to libpng12-0 and libpng12-0-udeb
       dependency lists.
   * Added debian/watch file.
Files: 
 b38c66c97edadcc58fdb5cb42fa3cef5 700 libs optional libpng_1.2.8rel-7.dsc
 dee626d9d29a5d678f25b7ff76e446fc 16517 libs optional libpng_1.2.8rel-7.diff.gz
 d36c73ff5c40ce33dfe82bad704705b5 874 oldlibs optional libpng3_1.2.8rel-7_all.deb
 4839089a435dc41e837cb30dcc6f0cf9 114820 libs optional libpng12-0_1.2.8rel-7_i386.deb
 024f27ea6235032769bae584dfc86c40 243100 libdevel optional libpng12-dev_1.2.8rel-7_i386.deb
 0203db8529775f092ca2d38f77f8997f 70226 debian-installer extra libpng12-0-udeb_1.2.8rel-7_i386.udeb
Package-Type: udeb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 08:32:05 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:20:36 2019; Machine Name: buxtehude
