
Bug#377298: marked as done (libpng: CVE-2006-3334: DoS/buffer overflow to code execution)



Your message dated Mon, 16 Oct 2006 02:05:44 -0700
with message-id <E1GZOPo-0008Dd-Js@spohr.debian.org>
and subject line Bug#377298: fixed in libpng 1.2.8rel-7
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libpng
Version: 1.2.8rel-5.1 1.0.18-1 1.0.12-3.woody.9
Severity: grave
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3334: "Buffer overflow in the png_decompress_chunk function in
pngrutil.c in libpng before 1.2.12 allows context-dependent attackers
to cause a denial of service and possibly execute arbitrary code via
unspecified vectors related to "chunk error processing," possibly
involving the "chunk_name"."

This was announced by upstream and fixed in 1.2.12 and 10.0.20.  The
versions in Sarge and Woody are vulnerable.  I have not seen a sample
exploit.

Attached is a patch that applies to all the sarge and woody versions
with a bit of offset.  I couldn't find a public version control system,
so I created this patch from a diff between 1.0.19 and 1.0.20; it's the
same diff as from 1.2.11 to 1.2.12.  If you wade through all the version
changes, the only file touched is pngrutil.c.

Please mention the CVE in your changelog.

Thanks,

Alec

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFErxt0Aud/2YgchcQRAtGAAJ9BzbLTRtgoTvXDlMpkq0PY8QusCgCeJqAy
iAio7/ZrXhcIZN45XnWnJag=
=tG1l
-----END PGP SIGNATURE-----
diff -u libpng-1.0.19/pngrutil.c libpng-1.0.20/pngrutil.c
--- libpng-1.0.19/pngrutil.c	2006-06-26 08:43:13.000000000 -0400
+++ libpng-1.0.20/pngrutil.c	2006-06-27 16:20:49.000000000 -0400
@@ -276,7 +276,7 @@
       if (ret != Z_STREAM_END)
       {
 #if !defined(PNG_NO_STDIO) && !defined(_WIN32_WCE)
-         char umsg[50];
+         char umsg[52];
 
          if (ret == Z_BUF_ERROR)
             sprintf(umsg,"Buffer error in compressed datastream in %s chunk",
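Review bot: `char umsg[52]` leaves zero slack for the unbounded `sprintf` on the next lines, so the overflow is fixed only for as long as the message text and the chunk-name length never change. The format string "Buffer error in compressed datastream in %s chunk" has 47 literal characters; assuming the `%s` argument (cut off in this hunk) is the four-byte PNG chunk name, the result is 51 characters plus the terminating NUL, which is exactly 52 bytes and explains why the old `umsg[50]` was overrun by two. I would prefer a length-bounded formatting call limited to `sizeof(umsg)`, or an array size derived from the longest format string, over a hand-counted constant. The `if (ret == Z_BUF_ERROR)` test implies other branches also write messages into `umsg` outside the visible context, so each of those strings should be checked against the 52-byte size as well.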

--- End Message ---
--- Begin Message ---
Source: libpng
Source-Version: 1.2.8rel-7

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive:

libpng12-0-udeb_1.2.8rel-7_i386.udeb
  to pool/main/libp/libpng/libpng12-0-udeb_1.2.8rel-7_i386.udeb
libpng12-0_1.2.8rel-7_i386.deb
  to pool/main/libp/libpng/libpng12-0_1.2.8rel-7_i386.deb
libpng12-dev_1.2.8rel-7_i386.deb
  to pool/main/libp/libpng/libpng12-dev_1.2.8rel-7_i386.deb
libpng3_1.2.8rel-7_all.deb
  to pool/main/libp/libpng/libpng3_1.2.8rel-7_all.deb
libpng_1.2.8rel-7.diff.gz
  to pool/main/libp/libpng/libpng_1.2.8rel-7.diff.gz
libpng_1.2.8rel-7.dsc
  to pool/main/libp/libpng/libpng_1.2.8rel-7.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 377298@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 16 Oct 2006 17:34:58 +1000
Source: libpng
Binary: libpng12-dev libpng12-0 libpng12-0-udeb libpng3
Architecture: source i386 all
Version: 1.2.8rel-7
Distribution: unstable
Urgency: low
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Closes: 356252 377298 378463 393109
Changes: 
 libpng (1.2.8rel-7) unstable; urgency=low
 .
   * New maintainer. Closes: #393109.
   * ACK NMUs. Closes: #378463, #377298, #356252.
   * debian/control:
     - set Standards-Version to 3.7.2.
     - set Priority to extra for libpng12-0-udeb.
     - added ${misc:Depends} to libpng12-0 and libpng12-0-udeb
       dependency lists.
   * Added debian/watch file.
Files: 
 b38c66c97edadcc58fdb5cb42fa3cef5 700 libs optional libpng_1.2.8rel-7.dsc
 dee626d9d29a5d678f25b7ff76e446fc 16517 libs optional libpng_1.2.8rel-7.diff.gz
 d36c73ff5c40ce33dfe82bad704705b5 874 oldlibs optional libpng3_1.2.8rel-7_all.deb
 4839089a435dc41e837cb30dcc6f0cf9 114820 libs optional libpng12-0_1.2.8rel-7_i386.deb
 024f27ea6235032769bae584dfc86c40 243100 libdevel optional libpng12-dev_1.2.8rel-7_i386.deb
 0203db8529775f092ca2d38f77f8997f 70226 debian-installer extra libpng12-0-udeb_1.2.8rel-7_i386.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFM0dpipBneRiAKDwRArIGAJ9dAjVzYO/oaKhW+nA7cAATMefG/QCgjvjT
JUs699TlukAePl/bA660/2o=
=Hl7a
-----END PGP SIGNATURE-----


--- End Message ---
