Bug 866298 (CVE-2014-0333) - VUL-0: CVE-2014-0333: libpng16: denial of service (endless loop) in png_push_read_chunk
Summary: VUL-0: CVE-2014-0333: libpng16: denial of service (endless loop) in png_push_...
Status: RESOLVED FIXED
Alias: CVE-2014-0333
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/96678/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-28 13:49 UTC by Marcus Meissner
Modified: 2014-03-12 14:04 UTC
CC List: 1 user

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments:
extracted png (84 bytes, application/gzipped-tar), 2014-03-05 12:33 UTC, Petr Gajdos
Progressive png reading example. (5.38 KB, text/x-csrc), 2014-03-05 12:40 UTC, Petr Gajdos

Description Marcus Meissner 2014-02-28 13:49:59 UTC
via rh bugzilla, CVE-2014-0333

The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an ... 

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0333
https://sourceforge.net/projects/libpng/files/libpng16/patch-libpng16-vu684412.diff
ftp://ftp.simplesystems.org/pub/png/src/libpng16/patch-libpng16-vu684412.diff
https://bugzilla.redhat.com/show_bug.cgi?id=1070985
http://www.kb.cert.org/vuls/id/684412


I quickly checked libpng14 and it seems to set the flag correctly. (I cannot make full sense of it though)
Comment 1 Marcus Meissner 2014-02-28 13:52:12 UTC
(SLE12, factory, 13.1 seem to have libpng16)
Comment 2 Swamp Workflow Management 2014-02-28 23:00:29 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2014-03-04 11:00:26 UTC
This is an autogenerated message for OBS integration:
This bug (866298) was mentioned in
https://build.opensuse.org/request/show/224574 Factory / libpng16
Comment 5 Petr Gajdos 2014-03-05 12:27:28 UTC
<html><head><title>crash test for bug #974825</title></head>
<body>
<img alt="Crash Test bug#974825" title="Crash Test bug#974825"
src="data:image/png;base64,
iVBORw0KGgoAAAANSUhEUgAAAEAAAAAgCAYAAACinX6EAAAAAElEQVRKVU5LdGhlIGp1TmtKVU5LCg=
=">
</body>
</html>

Reproducer for Firefox provided by Glenn.
Comment 6 Petr Gajdos 2014-03-05 12:33:48 UTC
Created attachment 581008 [details]
extracted png

note

...@^@^@IDATJUNKthe juNkJUNK
Comment 7 Petr Gajdos 2014-03-05 12:40:39 UTC
Created attachment 581009 [details]
Progressive png reading example.

Compile with e.g.

$ gcc -D LIBPNG15 -o progrpng progrpng.c -lpng15

Source:
http://stackoverflow.com/questions/10437798/libpng-error-not-a-png-file-png-process-data
Comment 8 Petr Gajdos 2014-03-05 12:48:14 UTC
Tested with -DLIBPNG12, -DLIBPNG15 and -DLIBPNG16.
Only libpng16 suffers.

$ gcc -D LIBPNG16 -o progrpng progrpng.c -lpng16
$ ./progrpng zero-idat.png
[infinite loop, 100% CPU usage]

$ gcc -D LIBPNG12 -o progrpng progrpng.c -lpng12
$ ./progrpng zero-idat.png
Reading PNG File zero-idat.png
info_callback
width: 64height: 32bit_depth: 8color_type: 6interlace_type: 0compression_type: 0filter_type: 0channles: 4rowbytes: 256signature: PNG

error: IDAT: CRC error
$
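As an added example (not Petr's progrpng.c from the attachment, and not libpng code): a small Python chunk walker that decodes the reproducer from comment 5 and reports what a progressive reader meets at the IDAT chunk, namely a zero-length IDAT whose CRC bytes are literally "JUNK", followed by trailing junk. The function names and the wording of the findings are my own.

```python
import base64
import struct
import zlib

# data: URI payload of the Firefox reproducer posted in comment 5 (Glenn's crash test).
REPRODUCER_B64 = ("iVBORw0KGgoAAAANSUhEUgAAAEAAAAAgCAYAAACinX6EAAAAAElEQVRKVU5L"
                  "dGhlIGp1TmtKVU5LCg==")
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def reproducer_bytes():
    """Decode the base64 payload into the raw PNG file (58 bytes)."""
    return base64.b64decode(REPRODUCER_B64)

def parse_ihdr(body):
    """Return (width, height, bit_depth, color_type) from an IHDR chunk body."""
    return struct.unpack(">IIBB", body[:10])

def walk_chunks(data):
    """Walk the chunk stream one header at a time, as a progressive reader does.
    Returns (chunks, findings): a dict per parsed chunk and the anomalies to reject."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    chunks, findings = [], []
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        end = pos + 8 + length + 4                    # length + type + data + CRC
        if length > 0x7FFFFFFF or end > len(data):    # spec limit (2^31-1) or past EOF
            findings.append("truncated or oversized %s chunk at offset %d" % (name, pos))
            break
        body = data[pos + 8:end - 4]
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc  # CRC covers type+data
        chunks.append({"type": name, "length": length, "offset": pos,
                       "body": body, "crc_ok": crc_ok})
        if ctype == b"IDAT" and length == 0:
            findings.append("zero-length IDAT at offset %d" % pos)
        if not crc_ok:
            findings.append("CRC mismatch in %s at offset %d" % (name, pos))
        pos = end                 # always advance: an empty chunk must not stall the reader
        if ctype == b"IEND":
            break
    return chunks, findings

if __name__ == "__main__":
    found, issues = walk_chunks(reproducer_bytes())
    for c in found:
        print("%-4s len=%d crc_ok=%s" % (c["type"], c["length"], c["crc_ok"]))
    print("\n".join(issues))
```

Run against the reproducer it lists IHDR (valid CRC, 64x32, 8-bit RGBA) and an IDAT of length 0 with a bad CRC, then stops at the junk that follows, which is the point where the unpatched libpng16 reader stopped making progress.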
Comment 9 Marcus Meissner 2014-03-05 14:07:45 UTC
thanks for cross checking! :)
Comment 10 Marcus Meissner 2014-03-12 13:49:40 UTC
released
Comment 11 Swamp Workflow Management 2014-03-12 14:04:22 UTC
openSUSE-SU-2014:0358-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 866298
CVE References: CVE-2014-0333
Sources used:
openSUSE 13.1 (src):    libpng16-1.6.6-12.1