Bug 873123 (CVE-2013-7354) - VUL-0: CVE-2013-7354: libpng: integer overflow leading to a heap-based buffer overflow in png_set_sPLT() and png_set_text_2()
Summary: VUL-0: CVE-2013-7354: libpng: integer overflow leading to a heap-based buffer...
Status: RESOLVED FIXED
Alias: CVE-2013-7354
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Deadline: 2014-05-12
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/97778/
Whiteboard: maint:released:sle11-sp1:57133 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-11 08:44 UTC by Alexander Bergmann
Modified: 2014-05-28 19:05 UTC (History)
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Testcase. (932 bytes, text/plain)
2014-04-23 13:54 UTC, Petr Gajdos
Details
Corrected testcase. (1.06 KB, text/x-csrc)
2014-04-23 15:15 UTC, Petr Gajdos
Details

Description Alexander Bergmann 2014-04-11 08:44:28 UTC
Via rh#1086516:

An integer overflow leading to a heap-based buffer overflow was found in the png_set_sPLT() and png_set_text_2() API functions of libpng. An attacker could create a specially crafted image file and render it with an application written to explicitly call the png_set_sPLT() or png_set_text_2() function, which could cause libpng to crash or execute arbitrary code with the permissions of the user running such an application.

The vendor mentions that internal calls use safe values. These issues could potentially affect applications that use the libpng API. Apparently no such applications were identified.

CVE-2013-7354 was assigned to this issue.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1086516
http://sourceforge.net/p/libpng/bugs/199/
http://seclists.org/oss-sec/2014/q2/83
Comment 1 Swamp Workflow Management 2014-04-11 22:00:12 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2014-04-17 07:44:37 UTC
Factory and 13.1 are not affected (ver > 1.6.0).
12.3 is affected (ver = 1.5.13).
libpng12 is not affected:
http://sourceforge.net/p/png-mng/mailman/message/32215052/
Comment 3 Petr Gajdos 2014-04-23 13:54:57 UTC
Created attachment 587406 [details]
Testcase.

The testcase is very similar and the path is very similar to the issue outlined in bug 873124 (no big surprise).
Comment 4 Petr Gajdos 2014-04-23 13:56:44 UTC
for libpng15 on i586:

$ gcc -o png_set -DSPLT_CHUNKS png_set.c -lpng
$ ./png_set
libpng warning: Out of memory while processing sPLT chunk
libpng warning: Out of memory while processing sPLT chunk
*** Error in `./png_set': free(): invalid pointer: 0x084a4020 ***
======= Backtrace: =========
/lib/libc.so.6(+0x76bc2)[0xf762dbc2]
/lib/libc.so.6(cfree+0x9b)[0xf76315fb]
/usr/lib/libpng15.so.15(png_free_default+0x29)[0xf7776cdf]
/usr/lib/libpng15.so.15(png_free+0x5c)[0xf7776cae]
/usr/lib/libpng15.so.15(png_set_sPLT+0x1da)[0xf778fe3c]
./png_set[0x804867a]
/lib/libc.so.6(__libc_start_main+0xf5)[0xf75d0825]
./png_set[0x8048501]
======= Memory map: ========
Aborted
Comment 5 Petr Gajdos 2014-04-23 13:59:01 UTC
(In reply to comment #4)
> for libpng15 on i586:
> 
> $ gcc -o png_set -DSPLT_CHUNKS png_set.c -lpng
> $ ./png_set
> libpng warning: Out of memory while processing sPLT chunk
> libpng warning: Out of memory while processing sPLT chunk
> *** Error in `./png_set': free(): invalid pointer: 0x084a4020 ***
> ======= Backtrace: =========
> /lib/libc.so.6(+0x76bc2)[0xf762dbc2]
> /lib/libc.so.6(cfree+0x9b)[0xf76315fb]
> /usr/lib/libpng15.so.15(png_free_default+0x29)[0xf7776cdf]
> /usr/lib/libpng15.so.15(png_free+0x5c)[0xf7776cae]
> /usr/lib/libpng15.so.15(png_set_sPLT+0x1da)[0xf778fe3c]
> ./png_set[0x804867a]
> /lib/libc.so.6(__libc_start_main+0xf5)[0xf75d0825]
> ./png_set[0x8048501]
> ======= Memory map: ========
> Aborted

That's nonsense, sorry.
Comment 6 Petr Gajdos 2014-04-23 14:25:54 UTC
for libpng15 on i586, png_set_sPLT case

$ gdb png_set
(gdb) b pngset.c:966
(gdb) r
Breakpoint 1, png_set_sPLT (png_ptr=0x804b008, info_ptr=0x804ef10, entries=0xffffd938, nentries=268435457) at pngset.c:966
966	   np = (png_sPLT_tp)png_malloc_warn(png_ptr,
(gdb) s
png_malloc_warn (png_ptr=0x804b008, size=16) at pngmem.c:624
624	{
(gdb) n
627	   if (png_ptr == NULL)
(gdb) 
630	   save_flags = png_ptr->flags;
(gdb) 
631	   png_ptr->flags|=PNG_FLAG_MALLOC_NULL_MEM_OK;
(gdb) 
632	   ptr = (png_voidp)png_malloc((png_structp)png_ptr, size);
(gdb) n 
633	   png_ptr->flags=save_flags;
(gdb) p ptr
$3 = (png_voidp) 0x804f008

Later, back in png_set_sPLT:
984	      png_sPLT_tp to = np + info_ptr->splt_palettes_num + i;
(gdb) n
985	      png_const_sPLT_tp from = entries + i;
(gdb) p to
$11 = (png_sPLT_tp) 0x804f008
[...]
84	      png_sPLT_tp to = np + info_ptr->splt_palettes_num + i;
(gdb) 
985	      png_const_sPLT_tp from = entries + i;
(gdb) p i 
$12 = 1
(gdb) p to
$13 = (png_sPLT_tp) 0x804f018
[...]
(gdb) 
989	      to->name = (png_charp)png_malloc_warn(png_ptr, length);

The program is writing into uninitialized memory at this point, if I understand correctly.
Comment 7 Petr Gajdos 2014-04-23 15:15:30 UTC
Created attachment 587419 [details]
Corrected testcase.

comment 3 is still valid.

@@ -28,14 +28,18 @@ int main(void)
                          UINT_MAX/sizeof(png_unknown_chunk) + 1);
 #endif
 #ifdef SPLT_CHUNKS
-  png_sPLT_t sPLT_chunks[1];
+  png_sPLT_t sPLT_chunks[2];
   png_set_sPLT(png_ptr, info_ptr, sPLT_chunks,
                UINT_MAX/sizeof(png_sPLT_t) + 2);
 #endif
 #ifdef TEXT_CHUNKS
   png_text text_chunks[1];
+  text_chunks[0].compression = PNG_TEXT_COMPRESSION_NONE;
+  text_chunks[0].key = "key";
+  text_chunks[0].text = "bleble";
+  text_chunks[0].text_length = 6;
   png_set_text(png_ptr, info_ptr, text_chunks,
-               UINT_MAX/sizeof(png_text) + 1);
+               UINT_MAX/sizeof(png_text) - 7);
 #endif
   return 0;
 }
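Review bot: the SPLT_CHUNKS branch grows `sPLT_chunks` to two entries but never initialises them, while the TEXT_CHUNKS branch in the same hunk now fills in every `text_chunks[0]` field it uses. png_set_sPLT() copies each entry's name and palette (the `to->name = (png_charp)png_malloc_warn(png_ptr, length);` line in comment 6 is that copy), so with garbage `name`/`entries` pointers the crash may come from the uninitialised input rather than from the undersized allocation being investigated. Suggest initialising `name`, `depth`, `entries` and `nentries` for both entries, e.g. `sPLT_chunks[0].name = "pal"; sPLT_chunks[0].depth = 8; sPLT_chunks[0].entries = NULL; sPLT_chunks[0].nentries = 0;` and the same for index 1, so the only remaining fault is the one the test is meant to show.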
Comment 8 Petr Gajdos 2014-04-23 15:22:31 UTC
(In reply to comment #7)
> Created an attachment (id=587419) [details]
> Corrected testcase.
> 
> comment 3 is still valid.

Sigh. I meant comment 6 is still valid. Actually, this gdb output is based on the test case from comment 7 (SPLT_CHUNKS defined).
Comment 9 Petr Gajdos 2014-04-23 15:38:32 UTC
Similarly for png_set_text_2() (test case from comment 7, TEXT_CHUNKS defined), libpng15, i586:

png_malloc_warn (png_ptr=0x804b008, size=24) at pngmem.c:624
624	{

and later on, in png_set_text_2(), a whole png_text structure (sizeof(png_text) == 28) is written, and more according to num_text.
Comment 10 Petr Gajdos 2014-04-23 17:00:39 UTC
Both happen to me with libpng12@factory too: the png_set_sPLT overflow with the same testcase, the png_set_text_2 overflow with a slight change:

@@ -33,13 +33,17 @@ int main(void)
                UINT_MAX/sizeof(png_sPLT_t) + 2);
 #endif
 #ifdef TEXT_CHUNKS
-  png_text text_chunks[1];
+  png_text text_chunks[2];
   text_chunks[0].compression = PNG_TEXT_COMPRESSION_NONE;
   text_chunks[0].key = "key";
   text_chunks[0].text = "bleble";
   text_chunks[0].text_length = 6;
+  text_chunks[1].compression = PNG_TEXT_COMPRESSION_NONE;
+  text_chunks[1].key = "key2";
+  text_chunks[1].text = "bleble2";
+  text_chunks[1].text_length = 7;
   png_set_text(png_ptr, info_ptr, text_chunks,
-               UINT_MAX/sizeof(png_text) - 7);
+               UINT_MAX/sizeof(png_text) - 6);
 #endif
   return 0;
 }
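Review bot: the new count `UINT_MAX/sizeof(png_text) - 6` only wraps when size_t is 32 bits wide, i.e. on the i586 builds used in comments 6, 9 and 10; on a 64-bit build `UINT_MAX/sizeof(png_text)` is evaluated in 64-bit size_t, the later multiplication fits, and the test silently exercises nothing. The hunk also hard-codes sizeof(png_text) == 16 (libpng12, per the sentence following the hunk) where the previous version hard-coded 28 (libpng15, comment 9) via `- 7`. Suggest making both assumptions explicit in the test, e.g. `#if UINT_MAX != SIZE_MAX` / `#error "testcase assumes 32-bit size_t"` / `#endif`, plus a comment stating which libpng's sizeof(png_text) the `- 6` is tuned for, so a reader does not have to re-derive it.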

That's because sizeof(png_text) = 16 in libpng12.

I've started to believe I must have overlooked something.
Comment 11 Marcus Meissner 2014-04-24 12:40:06 UTC
yeah, overflow here too:

Although I wonder what values num_text could get; if it is read as an int from the PNG file and can be 32 bits wide, it clearly is an issue.


         info_ptr->max_text = info_ptr->num_text + num_text + 8;

         old_text = info_ptr->text;

         info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
            (png_uint_32)(info_ptr->max_text * png_sizeof(png_text)));

Overflow here, as above: the info_ptr->max_text calculation is not limited.
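As an added illustration (my own code, not libpng's source, the testcase attached above, or the patch that was submitted), the following models the two allocation-size computations discussed in comments 6, 9, 10 and 11 with explicit 32-bit arithmetic, so it wraps the same way size_t does on i586. The element sizes are the ones reported in this bug: sizeof(png_text) == 28 for libpng15 and 16 for libpng12, sizeof(png_sPLT_t) == 16. With the counts from the testcase it reproduces the 24-byte and 16-byte allocations seen in gdb; the overflow-checked variant next to it is a generic pre-allocation check that rejects those counts before any undersized buffer is handed out.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Element sizes reported in this bug for i586 builds:
 *   sizeof(png_text)   == 28 (libpng15, comment 9), 16 (libpng12, comment 10)
 *   sizeof(png_sPLT_t) == 16 (comment 6: nentries=268435457 -> size=16)
 */
#define PNG_TEXT_SIZE_LIBPNG15 28u
#define PNG_TEXT_SIZE_LIBPNG12 16u
#define PNG_SPLT_SIZE          16u

/*
 * Unchecked size computation of png_set_text_2(), as quoted in comment 11,
 * modelled with uint32_t so the product wraps like a 32-bit size_t:
 *   max_text = num_text(existing) + num_text(new) + 8;
 *   bytes    = max_text * sizeof(png_text);
 */
static uint32_t unchecked_text_alloc(uint32_t existing, uint32_t num_text,
                                     uint32_t elem_size)
{
    uint32_t max_text = existing + num_text + 8u;
    return max_text * elem_size;                /* wraps modulo 2^32 */
}

/* Same shape for png_set_sPLT(): (splt_palettes_num + nentries) * sizeof(png_sPLT_t). */
static uint32_t unchecked_splt_alloc(uint32_t existing, uint32_t nentries,
                                     uint32_t elem_size)
{
    return (existing + nentries) * elem_size;   /* wraps modulo 2^32 */
}

/*
 * Overflow-checked replacement (illustration only, not libpng's fix):
 * refuses any count whose addition or multiplication would exceed UINT32_MAX,
 * so the caller never receives a buffer smaller than the data it will copy.
 * Returns 1 and stores the byte size on success, 0 on overflow.
 */
static int checked_alloc_size(uint32_t existing, uint32_t extra, uint32_t slack,
                              uint32_t elem_size, uint32_t *bytes_out)
{
    uint32_t count;

    if (extra > UINT32_MAX - existing)
        return 0;                               /* existing + extra overflows */
    count = existing + extra;
    if (slack > UINT32_MAX - count)
        return 0;                               /* + slack (the "+ 8") overflows */
    count += slack;
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;                               /* count * elem_size overflows */
    *bytes_out = count * elem_size;
    return 1;
}

/* Convenience wrapper: byte size on success, 0 when the request is rejected. */
static uint32_t checked_alloc_or_zero(uint32_t existing, uint32_t extra,
                                      uint32_t slack, uint32_t elem_size)
{
    uint32_t bytes;
    return checked_alloc_size(existing, extra, slack, elem_size, &bytes) ? bytes : 0u;
}

int main(void)
{
    /* Counts passed by the testcase in comments 7 and 10; UINT_MAX is 32-bit on i586. */
    uint32_t text15 = UINT32_MAX / PNG_TEXT_SIZE_LIBPNG15 - 7u;   /* 153391682 */
    uint32_t text12 = UINT32_MAX / PNG_TEXT_SIZE_LIBPNG12 - 6u;   /* 268435449 */
    uint32_t splt   = UINT32_MAX / PNG_SPLT_SIZE + 2u;            /* 268435457 */

    printf("png_set_text_2 libpng15: num_text=%" PRIu32 " unchecked=%" PRIu32
           " bytes, checked=%" PRIu32 "\n", text15,
           unchecked_text_alloc(0u, text15, PNG_TEXT_SIZE_LIBPNG15),
           checked_alloc_or_zero(0u, text15, 8u, PNG_TEXT_SIZE_LIBPNG15));
    printf("png_set_text_2 libpng12: num_text=%" PRIu32 " unchecked=%" PRIu32
           " bytes, checked=%" PRIu32 "\n", text12,
           unchecked_text_alloc(0u, text12, PNG_TEXT_SIZE_LIBPNG12),
           checked_alloc_or_zero(0u, text12, 8u, PNG_TEXT_SIZE_LIBPNG12));
    printf("png_set_sPLT: nentries=%" PRIu32 " unchecked=%" PRIu32
           " bytes, checked=%" PRIu32 "\n", splt,
           unchecked_splt_alloc(0u, splt, PNG_SPLT_SIZE),
           checked_alloc_or_zero(0u, splt, 0u, PNG_SPLT_SIZE));
    return 0;
}
```

The unchecked functions return 24, 16 and 16 bytes for the three counts, matching the `size=24` and `size=16` values gdb showed entering png_malloc_warn(), while the checked variant rejects all three; a sane request such as three text chunks still yields (3 + 8) * 28 = 308 bytes.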
Comment 13 Petr Gajdos 2014-04-28 12:05:00 UTC
num_text check submitted:
libpng12: 9sp3, 10sp3, 11, 12, 12.3, 13.1, factory
libpng15: 12.3

I am not convinced that the overflow could really happen though. Imagine a png file that would have so many text chunks.
Comment 15 SMASH SMASH 2014-04-28 15:05:16 UTC
Affected packages:

SLE-9-SP3-TERADATA: libpng
SLE-10-SP3-TERADATA: libpng
SLE-11-SP3: libpng12-0
SLE-11-SP1: libpng12-0
Comment 16 Swamp Workflow Management 2014-04-28 15:08:54 UTC
The SWAMPID for this issue is 57130.
This issue was rated as moderate.
Please submit fixed packages until 2014-05-12.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 18 Swamp Workflow Management 2014-05-02 14:04:48 UTC
openSUSE-SU-2014:0604-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 873123,873124
CVE References: CVE-2013-7353,CVE-2013-7354
Sources used:
openSUSE 11.4 (src):    libpng12-1.2.49-19.1
Comment 19 Swamp Workflow Management 2014-05-07 13:04:22 UTC
openSUSE-SU-2014:0616-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 873123,873124
CVE References: CVE-2013-7353,CVE-2013-7354
Sources used:
openSUSE 12.3 (src):    libpng15-1.5.13-3.5.1
Comment 20 Swamp Workflow Management 2014-05-07 13:04:57 UTC
openSUSE-SU-2014:0618-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 873123,873124
CVE References: CVE-2013-7353,CVE-2013-7354
Sources used:
openSUSE 13.1 (src):    libpng12-1.2.50-6.4.1
openSUSE 12.3 (src):    libpng12-1.2.50-3.6.1
Comment 21 Sebastian Krahmer 2014-05-27 13:28:24 UTC
released
Comment 22 Swamp Workflow Management 2014-05-27 14:04:38 UTC
Update released for: libpng, libpng-devel
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 23 Swamp Workflow Management 2014-05-27 14:05:03 UTC
Update released for: libpng, libpng-debuginfo, libpng-devel
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 24 Swamp Workflow Management 2014-05-27 14:05:23 UTC
Update released for: libpng-devel, libpng12-0, libpng12-0-debuginfo, libpng12-0-debugsource, libpng3
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 25 Swamp Workflow Management 2014-05-28 15:31:11 UTC
Update released for: libpng-devel, libpng-devel-32bit, libpng-devel-64bit, libpng12-0, libpng12-0-32bit, libpng12-0-64bit, libpng12-0-debuginfo, libpng12-0-debuginfo-32bit, libpng12-0-debuginfo-64bit, libpng12-0-debuginfo-x86, libpng12-0-debugsource, libpng12-0-x86, libpng3
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 26 Swamp Workflow Management 2014-05-28 19:05:13 UTC
SUSE-SU-2014:0724-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 873123,873124
CVE References: CVE-2013-7353,CVE-2013-7354
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libpng12-0-1.2.31-5.33.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    libpng12-0-1.2.31-5.33.1
SUSE Linux Enterprise Server 11 SP3 (src):    libpng12-0-1.2.31-5.33.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    libpng12-0-1.2.31-5.33.1