CVE-2008-3964: off-by-one error in pngtest.c

Related Vulnerabilities: CVE-2008-3964  

Debian Bug report logs - #501109
CVE-2008-3964: off-by-one error in pngtest.c


Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Sat, 4 Oct 2008 08:09:01 UTC

Severity: important

Tags: patch, security

Fixed in version libpng/1.2.27-2

Done: Anibal Monsalve Salazar <anibal@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#501109; Package libpng. (Sat, 04 Oct 2008 08:09:03 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sat, 04 Oct 2008 08:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-3964: off-by-one error in pngtest.c
Date: Sat, 04 Oct 2008 18:02:55 +1000
Package: libpng
Severity: important
Tags: security, patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libpng.

CVE-2008-3964[0]:
| Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4
| before 1.4.0beta34, allow context-dependent attackers to cause a
| denial of service (crash) or have unspecified other impact via a PNG
| image with crafted zTXt chunks, related to (1) the png_push_read_zTXt
| function in pngread.c, and possibly related to (2) pngtest.c.

As discussed via private email before, the patch is:

-#define PNG_tIME_STRING_LENGTH 30
+#define PNG_tIME_STRING_LENGTH 29
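Review bot: lowering PNG_tIME_STRING_LENGTH to 29 is not sufficient by itself, because the constant also sizes tIME_string, whose initialiser "no tIME chunk present in file" (quoted later in this log) is 29 characters long and needs 30 bytes with its terminating NUL. C accepts a 29-byte array initialised from a 29-character literal but silently drops the terminator, so the array would start out unterminated. The initialiser has to be shortened in the same change, as Glenn's follow-up quoted in message #10 does, and a comment stating what length the 29 has to match would keep the two lines from drifting apart again.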

Please ask for a freeze exception for lenny.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3964
    http://security-tracker.debian.net/tracker/CVE-2008-3964




Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#501109; Package libpng. (Sat, 04 Oct 2008 09:48:02 GMT)


Acknowledgement sent to Aníbal Monsalve Salazar <anibal@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sat, 04 Oct 2008 09:48:02 GMT)


Message #10 received at 501109@bugs.debian.org:

From: Aníbal Monsalve Salazar <anibal@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 501109@bugs.debian.org
Subject: Re: Bug#501109: CVE-2008-3964: off-by-one error in pngtest.c
Date: Sat, 4 Oct 2008 19:44:09 +1000
On Sat, Oct 04, 2008 at 06:02:55PM +1000, Steffen Joeris wrote:
>Package: libpng
>Severity: important
>Tags: security, patch
>
>Hi,
>the following CVE (Common Vulnerabilities & Exposures) id was
>published for libpng.
>
>CVE-2008-3964[0]:
>| Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4
>| before 1.4.0beta34, allow context-dependent attackers to cause a
>| denial of service (crash) or have unspecified other impact via a PNG
>| image with crafted zTXt chunks, related to (1) the png_push_read_zTXt
>| function in pngread.c, and possibly related to (2) pngtest.c.
>
>As discussed via private email before, the patch is:
>
>-#define PNG_tIME_STRING_LENGTH 30
>+#define PNG_tIME_STRING_LENGTH 29
>
>Please ask for a freeze exception for lenny.
>
>If you fix the vulnerability please also make sure to include the
>CVE id in your changelog entry.
>
>Cheers
>Steffen
>
>For further information see:
>
>[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3964
>   http://security-tracker.debian.net/tracker/CVE-2008-3964

See also further information at the following link:

http://sourceforge.net/mailarchive/forum.php?thread_name=092320081007.7752.48D8BFCF0006F51D00001E4822070009539F9D02020A0409%40comcast.net&forum_name=png-mng-implement

>Re: [png-mng-implement] off-by-one error(s) in libpng
>From: <glennrp@co...> - 2008-09-23 10:07
>-------------- Original message ----------------------
>From: "Glenn Randers-Pehrson" <glennrp@gm...>
>>On Tue, Sep 9, 2008 at 9:47 AM, Steffen Joeris
>><steffen.joeris@sk...> wrote:
>>>Hi
>>>
>>>(Since my email to glennrp@l.s.n. bounces, I am sending it to the
>>>list :) ).
>>>
>>>I am trying to check libpng in debian.
>>>I've read this announcement[0] and believe that the fix for
>>>pngpread.c is
>>>included in the current lenny version in debian, so I guess it must
>>>have been
>>>introduced after 1.2.27. However, I am trying to determine the patch
>>>for
>>>pngtest.c. Is it just this line:
>>>
>>>-#define PNG_tIME_STRING_LENGTH 30
>>>+#define PNG_tIME_STRING_LENGTH 29
>>
>>Yes, that's it.
>
>Oops-la, there's also this, to make the string actually fit in 29 bytes:
>
>-static char tIME_string[PNG_tIME_STRING_LENGTH] = "no tIME chunk present in file";
>+static char tIME_string[PNG_tIME_STRING_LENGTH] = "tIME chunk is not present";
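Review bot: the replacement initialiser for tIME_string is 25 characters, so it fits in the 29-byte array with its terminating NUL, but the fit is still established only by counting characters by hand. Consider a compile-time check that the size of the literal, terminator included, does not exceed PNG_tIME_STRING_LENGTH, or a comment beside the declaration giving the maximum text length, so that a later edit to either the constant or the string fails loudly instead of producing an unterminated array.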
>
>Glenn 

Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. (Sat, 04 Oct 2008 12:03:04 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sat, 04 Oct 2008 12:03:04 GMT)


Message #15 received at 501109-close@bugs.debian.org:

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 501109-close@bugs.debian.org
Subject: Bug#501109: fixed in libpng 1.2.27-2
Date: Sat, 04 Oct 2008 11:47:03 +0000
Source: libpng
Source-Version: 1.2.27-2

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.27-2_amd64.udeb
  to pool/main/libp/libpng/libpng12-0-udeb_1.2.27-2_amd64.udeb
libpng12-0_1.2.27-2_amd64.deb
  to pool/main/libp/libpng/libpng12-0_1.2.27-2_amd64.deb
libpng12-dev_1.2.27-2_amd64.deb
  to pool/main/libp/libpng/libpng12-dev_1.2.27-2_amd64.deb
libpng3_1.2.27-2_all.deb
  to pool/main/libp/libpng/libpng3_1.2.27-2_all.deb
libpng_1.2.27-2.diff.gz
  to pool/main/libp/libpng/libpng_1.2.27-2.diff.gz
libpng_1.2.27-2.dsc
  to pool/main/libp/libpng/libpng_1.2.27-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 501109@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 04 Oct 2008 19:45:17 +1000
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source amd64 all
Version: 1.2.27-2
Distribution: unstable
Urgency: medium
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Closes: 501109
Changes: 
 libpng (1.2.27-2) unstable; urgency=medium
 .
   * Fix CVE-2008-3964: off-by-one error in pngtest.c; closes: #501109
   * Standards-Version is 3.8.0
Package-Type: udeb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 08 Nov 2008 07:26:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:06:59 2019; Machine Name: buxtehude
