Bugzilla – Bug 747311
VUL-0: CVE-2011-3026: libpng: Heap-buffer-overflow in png_decompress_chunk
Last modified: 2013-08-05 13:56:01 UTC
A heap-based buffer overflow was found in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim. Reference: http://googlechromereleases.blogspot.in/2012/02/chrome-stable-update.html https://code.google.com/p/chromium/issues/detail?id=112822
Created attachment 476447 -- 1.9.x patch
The SWAMPID for this issue is 45549. This issue was rated as important. Please submit fixed packages until 2012-02-23. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
(In reply to comment #2)
> The SWAMPID for this issue is 45549.
> This issue was rated as important.
> Please submit fixed packages until 2012-02-23.
Stuck with php. This deadline will not be met.
NEEDINFO not intended.
This is an autogenerated message for OBS integration: This bug (747311) was mentioned in
https://build.opensuse.org/request/show/105993 Factory / libpng12
https://build.opensuse.org/request/show/105994 Factory / libpng14
https://build.opensuse.org/request/show/105995 Factory / libpng15
Fixed Factory, 12.1 and 11.4/libpng12 by update. Fixed 11.4/libpng14 by patch based on patch from upstream: ftp://ftp.simplesystems.org/pub/libpng/png/src/libpng-1.5.9-1.5.8-diff.txt
(In reply to comment #6)
> Fixed Factory, 12.1 and 11.4/libpng12 by update.
* version update.
This is an autogenerated message for OBS integration: This bug (747311) was mentioned in
https://build.opensuse.org/request/show/106021 11.4 / libpng14
https://build.opensuse.org/request/show/106022 11.4 / libpng12
https://build.opensuse.org/request/show/106024 12.1 / libpng12
https://build.opensuse.org/request/show/106025 12.1 / libpng14
For SLESes I have used: --- pngrutil.c.orig +++ pngrutil.c @@ -326,22 +326,24 @@ png_decompress_chunk(png_structp png_ptr chunklength - prefix_size, 0/*output*/, 0/*output size*/); + if (prefix_size >= (~(png_size_t)0) - 1 || + expanded_size >= (~(png_size_t)0) - 1 - prefix_size #ifdef PNG_USER_CHUNK_MALLOC_MAX /* Now check the limits on this chunk - if the limit fails the * compressed data will be removed, the prefix will remain. */ - if ((PNG_USER_CHUNK_MALLOC_MAX > 0) && + || ((PNG_USER_CHUNK_MALLOC_MAX > 0) && prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1) - png_warning(png_ptr, "Exceeded size limit while expanding chunk"); - else #endif + ) + png_warning(png_ptr, "Exceeded size limit while expanding chunk"); /* If the size is zero either there was an error and a message * has already been output (warning) or the size really is zero * and we have nothing to do - the code will exit through the * error case below. */ - if (expanded_size > 0) + else if (expanded_size > 0) { /* Success (maybe) - really uncompress the chunk. */ png_size_t new_size = 0;
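Review bot: the new `prefix_size >= (~(png_size_t)0) - 1 || expanded_size >= (~(png_size_t)0) - 1 - prefix_size` test is the part that actually closes the hole, since it rejects inputs for which the sum `prefix_size + expanded_size` used in the limit comparison would wrap around png_size_t, whereas before the only check was the PNG_USER_CHUNK_MALLOC_MAX comparison, and that one existed only when the macro was defined, so a build without it applied no limit at all. Two readability points on the same hunk: the `#ifdef PNG_USER_CHUNK_MALLOC_MAX` now sits inside a single `if (...)` condition, with a comment between the `||` operands and the closing `)` placed after `#endif`; that compiles in both preprocessor branches but is easy to misread, so hoisting the three tests into a named boolean before the `if` would keep both variants obvious. Second, the change from `if (expanded_size > 0)` to `else if (expanded_size > 0)` is what makes the over-limit case skip decompression instead of proceeding after the warning (png_warning returns, it does not abort), which matches the comment that the prefix remains and the compressed data is dropped; the comment just above, which still says the size-zero case "will exit through the error case below", should be extended to mention the new limit branch so the control flow is documented in one place.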
11sp1: 17821 10sp4: 17822 9sp4: 17823
(In reply to comment #3)
> > Please submit fixed packages until 2012-02-23.
>
> Stuck with php. This deadline will not be met.
Done unexpectedly sooner.
Update released for: libpng12, libpng12-0, libpng12-0-debuginfo, libpng12-0-debuginfo-32bit, libpng12-0-debuginfo-x86, libpng12-compat-devel, libpng12-debugsource, libpng12-devel Products: openSUSE 11.4 (debug, i586, x86_64)
Update released for: libpng14, libpng14-14, libpng14-14-debuginfo, libpng14-compat-devel, libpng14-debugsource, libpng14-devel Products: openSUSE 11.4 (debug, i586, x86_64)
Update released for: libpng, libpng-32bit, libpng-debuginfo, libpng-devel, libpng-devel-32bit Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: libpng, libpng-devel Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
Update released for: libpng, libpng-32bit, libpng-64bit, libpng-debuginfo, libpng-devel, libpng-devel-32bit, libpng-devel-64bit, libpng-x86 Products: SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: libpng-devel, libpng-devel-32bit, libpng12-0, libpng12-0-32bit, libpng12-0-debuginfo, libpng12-0-debuginfo-32bit, libpng12-0-debuginfo-64bit, libpng12-0-debuginfo-x86, libpng12-0-debugsource, libpng12-0-x86, libpng3 Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
released