Bugzilla – Bug 873124
VUL-0: CVE-2013-7353: libpng: integer overflow leading to a heap-based buffer overflow in png_set_unknown_chunks()
Last modified: 2014-05-28 19:05:25 UTC
Via rh#1086514: An integer overflow leading to a heap-based buffer overflow was found in the png_set_unknown_chunks() API function of libpng. An attacker could create a specially crafted image file and render it with an application written to explicitly call the png_set_unknown_chunks() function, which could cause libpng to crash or execute arbitrary code with the permissions of the user running such an application. The vendor mentions that internal calls use safe values. These issues could potentially affect applications that use the libpng API. Apparently no such applications were identified. CVE-2013-7353 was assigned to this issue.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1086514
http://sourceforge.net/p/libpng/bugs/199/
http://seclists.org/oss-sec/2014/q2/83
bugbot adjusting priority
Factory and 13.1 are not affected (ver > 1.6.0). 12.3 is affected (ver = 1.5.13). libpng12 is not affected: http://sourceforge.net/p/png-mng/mailman/message/32215052/
Created attachment 586840 [details]
Testcase.

On 32-bit:

$ gcc -o png_set png_set.c -lpng
$ gdb png_set
(gdb) b pngset.c:1036
Breakpoint 2, png_set_unknown_chunks (png_ptr=0x804b008, info_ptr=0x804ef10, unknowns=0xffffd914, num_unknowns=214748365) at pngset.c:1036
1036        np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
(gdb) s
png_malloc_warn (png_ptr=0x804b008, size=4) at pngmem.c:624
624     {
[..]
632        ptr = (png_voidp)png_malloc((png_structp)png_ptr, size);
(gdb) p ptr
$3 = (png_voidp) 0x804f008

Later on, back in png_set_unknown_chunks:

1056          png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
(gdb) p to
$7 = (png_unknown_chunkp) 0x804f008

and

1059          png_memcpy(to->name, from->name, png_sizeof(from->name));
1060          to->name[png_sizeof(to->name)-1] = '\0';
1061          to->size = from->size;
1062
1063          /* Note our location in the read or write sequence */
1064          to->location = (png_byte)(png_ptr->mode & 0xff);
Marcus, something similar works (= overflow, and it seems to also write behind the allocated fragment) for me for 1.2.51@factory. Could you please confirm? That would contradict the upstream statement from comment 2.
Sorry for the delay. It is quite obvious the overflow is in libpng12 too.

openSUSE:Factory/libpng12/libpng-1.2.51/pngset.c:

    np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
        (png_uint_32)((info_ptr->unknown_chunks_num + num_unknowns) * png_sizeof(png_unknown_chunk)));

This overflows 32-bit via the testcase.

    png_memcpy(np, info_ptr->unknown_chunks, info_ptr->unknown_chunks_num * png_sizeof(png_unknown_chunk));

Same overflow. And then it writes into unallocated memory space. That the testcase segfaults is a good indicator.
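The following is an added illustration, not code from this bug report or from libpng: it models the 32-bit size computation quoted in the comment above (and behind the "size=4" seen in the gdb session of the attached testcase) beside a checked replacement. It assumes sizeof(png_unknown_chunk) == 20 on i386 (name[5] padded to 8, a 4-byte data pointer, a 4-byte size, and a 1-byte location padded to 4); the function names and the checked variant are this example's own, not libpng's fix.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Assumption: sizeof(png_unknown_chunk) on i386 is 20 bytes. With that size,
 * num_unknowns = 214748365 (from the testcase) gives 214748365 * 20 =
 * 4294967300 = 2^32 + 4, which truncates to the 4-byte request seen in gdb.
 */
#define PNG_UNKNOWN_CHUNK_SIZE_I386 20u

/* Vulnerable form, mirroring the quoted pngset.c line: the sum and product are
 * evaluated in 32-bit arithmetic, so the byte count wraps and the allocation
 * is far smaller than the number of elements that are copied into it later. */
uint32_t vulnerable_alloc_size(uint32_t existing, int num_unknowns)
{
    return (uint32_t)((existing + (uint32_t)num_unknowns) * PNG_UNKNOWN_CHUNK_SIZE_I386);
}

/* Checked form (this example's own, not libpng's patch): reject negative
 * counts and any element count whose byte size does not fit in 32 bits.
 * Returns 1 and stores the byte count on success, 0 on overflow; a caller
 * must then refuse the request instead of allocating. */
int checked_alloc_size(uint32_t existing, int num_unknowns, uint32_t *out)
{
    if (num_unknowns < 0)
        return 0;

    uint64_t count = (uint64_t)existing + (uint64_t)num_unknowns;
    if (count > UINT32_MAX / PNG_UNKNOWN_CHUNK_SIZE_I386)
        return 0;

    *out = (uint32_t)(count * PNG_UNKNOWN_CHUNK_SIZE_I386);
    return 1;
}

int main(void)
{
    uint32_t size = 0;
    int num = 214748365;  /* num_unknowns value from the attached testcase */

    printf("vulnerable: %u bytes requested for %d chunks\n",
           vulnerable_alloc_size(0, num), num);

    if (!checked_alloc_size(0, num, &size))
        printf("checked: rejected %d chunks (byte count would overflow)\n", num);

    if (checked_alloc_size(2, 3, &size))
        printf("checked: 2 existing + 3 new chunks -> %u bytes\n", size);

    return 0;
}
```

The same bound check covers the second overflow in the comment, the png_memcpy of `info_ptr->unknown_chunks_num * png_sizeof(png_unknown_chunk)` bytes, since unknown_chunks_num can only grow through the checked path.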
num_text check submitted: libpng12: 9sp3, 10sp3, 11, 12, 12.3, 13.1, factory; libpng15: 12.3. I am not convinced that the overflow could really happen though. Try to create a PNG file that would have so many unknown chunks.
The SWAMPID for this issue is 57130. This issue was rated as moderate. Please submit fixed packages by 2014-05-12. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
openSUSE-SU-2014:0604-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 873123,873124 CVE References: CVE-2013-7353,CVE-2013-7354 Sources used: openSUSE 11.4 (src): libpng12-1.2.49-19.1
openSUSE-SU-2014:0616-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 873123,873124 CVE References: CVE-2013-7353,CVE-2013-7354 Sources used: openSUSE 12.3 (src): libpng15-1.5.13-3.5.1
openSUSE-SU-2014:0618-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 873123,873124 CVE References: CVE-2013-7353,CVE-2013-7354 Sources used: openSUSE 13.1 (src): libpng12-1.2.50-6.4.1 openSUSE 12.3 (src): libpng12-1.2.50-3.6.1
released
Update released for: libpng, libpng-devel Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
Update released for: libpng, libpng-debuginfo, libpng-devel Products: SLE-DEBUGINFO 10-SP3-TERADATA (x86_64) SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: libpng-devel, libpng12-0, libpng12-0-debuginfo, libpng12-0-debugsource, libpng3 Products: SLE-DEBUGINFO 11-SP1-TERADATA (x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: libpng-devel, libpng-devel-32bit, libpng-devel-64bit, libpng12-0, libpng12-0-32bit, libpng12-0-64bit, libpng12-0-debuginfo, libpng12-0-debuginfo-32bit, libpng12-0-debuginfo-64bit, libpng12-0-debuginfo-x86, libpng12-0-debugsource, libpng12-0-x86, libpng3 Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0724-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 873123,873124 CVE References: CVE-2013-7353,CVE-2013-7354 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): libpng12-0-1.2.31-5.33.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): libpng12-0-1.2.31-5.33.1 SUSE Linux Enterprise Server 11 SP3 (src): libpng12-0-1.2.31-5.33.1 SUSE Linux Enterprise Desktop 11 SP3 (src): libpng12-0-1.2.31-5.33.1