Opened 8 years ago

Closed 8 years ago

#7297 closed enhancement (fixed)

libpng-1.6.20

Reported by: Fernando de Oliveira Owned by: Fernando de Oliveira
Priority: high Milestone: 7.9
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

Security Release

http://sourceforge.net/p/png-mng/mailman/message/34667265/

These are security releases. The fix for CVE-8126 was incomplete in the previous versions.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8126

Vulnerability Summary for CVE-2015-8126
Original release date: 11/12/2015
Last revised: 11/12/2015
Source: US-CERT/NIST

This vulnerability is currently undergoing analysis and not all
information is available.

Please check back soon to view the completed vulnerability summary.

Overview

Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE
functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x
and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.20
allow remote attackers to cause a denial of service (application crash)
or possibly have unspecified other impact via a small bit-depth value in
an IHDR (aka image header) chunk in a PNG image.

There is a regression in the test suite (see at the end, below).

http://downloads.sourceforge.net/libpng/libpng-1.6.20.tar.xz

http://downloads.sourceforge.net/libpng/libpng-1.6.20.tar.xz.asc

http://downloads.sourceforge.net/libpng-apng/libpng-1.6.20-apng.patch.gz

http://sourceforge.net/p/png-mng/mailman/message/34667265/

[png-mng-implement] libpng-1.6.20, 1.5.25, 1.4.18, 1.2.55, and 1.0.65 are available
From: Glenn Randers-Pehrson <glennrp@gm...> - 2015-12-03 14:21:33

libpng-1.6.20, 1.5.25, 1.4.18, 1.2.55, and 1.0.65 are available from
ftp://ftp.simplesystems.org/pub/png/src/
and from
http://libpng.sf.net

These are security releases. The fix for CVE-8126 was incomplete in the
previous versions.

Glenn Randers-Pehrson
libpng custodian


...

Changes since the last public release (1.6.19):
 • Avoid potential pointer overflow/underflow in png_handle_sPLT() and
   png_handle_pCAL() (Bug report by John Regehr).
 • Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
   not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
   vulnerability.
 • Backported tests from libpng-1.7.0beta69.
 • Fixed an error in handling of bad zlib CMINFO field in pngfix, found
   by American Fuzzy Lop, reported by Brian Carpenter.  inflate()
   doesn't immediately fault a bad CMINFO field; instead a 'too far
   back' error happens later (at least some times).  pngfix failed to
   limit CMINFO to the allowed values but then assumed that window_bits
   was in range, triggering an assert. The bug is mostly harmless; the
   PNG file cannot be fixed.
 • In libpng 1.6 zlib initialization was changed to use the window size
   in the zlib stream, not a fixed value. This causes some invalid
   images, where CINFO is too large, to display 'correctly' if the rest
   of the data is valid.  This provides a workaround for zlib versions
   where the error arises (ones that support the API change to use the
   window size in the stream).

http://downloads.sourceforge.net/libpng/libpng-1.6.20-README.txt

Libpng 1.6.20 - December 3, 2015

This is a public release of libpng, intended for use in production codes.

Glenn R-P

http://downloads.sourceforge.net/libpng-apng/libpng-1.6.20-apng.patch.README.txt

Updated to libpng-1.6.20 codebase

http://sourceforge.net/p/png-mng/mailman/message/34680313/

[png-mng-implement] Test regression between 1.6.19 and 1.6.20 on sparc64
From: Antoine Brodin <antoine@FreeBSD.org> - 2015-12-08 07:26:09

Hi,

We see a regression between version 1.6.19 and version 1.6.20 on
FreeBSD/Sparc64 (big endian):

With version 1.6.19 all tests were succeeding.
With version 1.6.20:

============================================================================
Testsuite summary for libpng 1.6.20
============================================================================
# TOTAL: 32
# PASS:  31
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

FAIL: tests/pngvalid-transform
==============================

pngvalid: read: truecolour with alpha 8 bit: transform:
+rgb_to_gray^0.34483[overridden]: rgb_to_gray error 0.166824 exceeds
limit 0.165976
pngvalid: 1 errors, 0 warnings
FAIL: pngvalid --strict --transform (floating point arithmetic)
FAIL tests/pngvalid-transform (exit status: 1)

Cheers,

Antoine
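The NVD overview and the changelog item about png_set_PLTE() above come down to one rule: a PLTE chunk may not carry more entries than the IHDR bit depth can index, and the count has to be bounded against the header that was actually parsed before entries are copied into libpng's fixed 256-slot palette table (the changelog says the broken path consulted png_ptr rather than info_ptr for that header). The following is an added example, not libpng code, that isolates that check; the names plte_entry_limit, plte_check, plte_load and demo_small_depth_palette are hypothetical, and the 48-byte palette body is a constructed input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libpng code. It isolates the PNG rule behind
 * CVE-2015-8126: a PLTE chunk may not hold more entries than the IHDR bit
 * depth can index, and the count must be bounded against the header that
 * was actually parsed before entries are copied into a fixed 256-slot table.
 * plte_entry_limit, plte_check, plte_load and demo_small_depth_palette are
 * hypothetical names. */

#define PNG_COLOR_TYPE_PALETTE 3
#define PNG_MAX_PALETTE 256

typedef enum {
    PLTE_OK = 0,
    PLTE_BAD_LENGTH,   /* chunk body not a positive multiple of 3 bytes */
    PLTE_TOO_MANY      /* more entries than 2^bit_depth (or 256) allows */
} plte_status;

/* Largest PLTE entry count the header permits: 2^bit_depth for palette
 * images (1, 2, 4 or 8 bits), otherwise the PNG ceiling of 256 entries. */
size_t plte_entry_limit(uint8_t bit_depth, uint8_t color_type)
{
    if (color_type == PNG_COLOR_TYPE_PALETTE && bit_depth < 8)
        return (size_t)1u << bit_depth;
    return PNG_MAX_PALETTE;
}

/* Validate a raw PLTE body (3 bytes per RGB entry). num_out may be NULL. */
plte_status plte_check(uint8_t bit_depth, uint8_t color_type,
                       size_t chunk_len, size_t *num_out)
{
    if (chunk_len == 0 || chunk_len % 3 != 0)
        return PLTE_BAD_LENGTH;
    size_t n = chunk_len / 3;
    if (n > plte_entry_limit(bit_depth, color_type))
        return PLTE_TOO_MANY;
    if (num_out)
        *num_out = n;
    return PLTE_OK;
}

/* Copy entries into the fixed table only after the count is bounded; the
 * same memcpy without that bound is the overflow the advisory describes. */
plte_status plte_load(uint8_t bit_depth, uint8_t color_type,
                      const uint8_t *body, size_t chunk_len,
                      uint8_t palette[PNG_MAX_PALETTE][3], size_t *num_out)
{
    size_t n = 0;
    plte_status st = plte_check(bit_depth, color_type, chunk_len, &n);
    if (st != PLTE_OK)
        return st;
    memcpy(palette, body, n * 3);
    if (num_out)
        *num_out = n;
    return PLTE_OK;
}

/* Constructed input: a 16-entry PLTE body (48 bytes) paired with a 2-bit
 * palette IHDR, which can index only 4 entries. */
plte_status demo_small_depth_palette(void)
{
    static const uint8_t body[48] = { 0 };   /* constructed; contents irrelevant */
    static uint8_t palette[PNG_MAX_PALETTE][3];
    return plte_load(2, PNG_COLOR_TYPE_PALETTE, body, sizeof body, palette, NULL);
}

int main(void)
{
    printf("2-bit palette with 16 entries: %s\n",
           demo_small_depth_palette() == PLTE_TOO_MANY ? "rejected" : "accepted");
    return 0;
}
```

The limit deliberately takes the bit depth and colour type as arguments rather than reading them from a global decoder state, so the caller cannot accidentally pair a palette with the wrong header, which is the shape of the defect the changelog describes.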

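The pngfix item in the changelog above (the "CMINFO" field, zlib's CINFO) describes a classic ordering bug: a header field was used to derive window_bits before it had been limited to its allowed range. The following is an added example, not pngfix or zlib code, showing the range check on the two-byte zlib stream header from RFC 1950 that a PNG IDAT stream begins with; zlib_header_check, zlib_window_size and the ZH_* codes are hypothetical names, and the sample headers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not pngfix or zlib code. It shows the bounds check on the
 * two-byte zlib stream header (RFC 1950): CINFO must be range-checked before
 * it is turned into a window size, which is the check the changelog says
 * pngfix was missing. zlib_header_check, zlib_window_size and the ZH_* codes
 * are hypothetical names. */

enum {
    ZH_BAD_CM      = -1,  /* CM != 8: not the deflate method */
    ZH_BAD_CINFO   = -2,  /* CINFO > 7: window above 32 KiB is not allowed */
    ZH_BAD_FCHECK  = -3,  /* CMF*256 + FLG is not a multiple of 31 */
    ZH_PRESET_DICT = -4   /* FDICT set; PNG forbids preset dictionaries */
};

/* Returns window_bits (8..15) for a valid header, else a negative ZH_* code. */
int zlib_header_check(uint8_t cmf, uint8_t flg)
{
    unsigned cm    = cmf & 0x0Fu;         /* compression method */
    unsigned cinfo = (cmf >> 4) & 0x0Fu;  /* log2(window size) - 8 */

    if (cm != 8)
        return ZH_BAD_CM;
    if (cinfo > 7)                        /* reject before the value is ever used */
        return ZH_BAD_CINFO;
    if (((unsigned)cmf * 256u + flg) % 31u != 0)
        return ZH_BAD_FCHECK;
    if (flg & 0x20u)
        return ZH_PRESET_DICT;
    return (int)(cinfo + 8);
}

/* Window size in bytes for a valid header, or 0 when the header is rejected;
 * the shift only happens once window_bits is known to be in range. */
unsigned zlib_window_size(uint8_t cmf, uint8_t flg)
{
    int bits = zlib_header_check(cmf, flg);
    return bits < 0 ? 0u : 1u << bits;
}

int main(void)
{
    /* Constructed headers: the common 0x78 0x9C, a 4 KiB window, and three
     * malformed ones (CINFO out of range, wrong method, preset dictionary). */
    const uint8_t samples[][2] = {
        { 0x78, 0x9C }, { 0x48, 0x0D }, { 0x88, 0x9C }, { 0x77, 0x9C }, { 0x78, 0x20 }
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = zlib_header_check(samples[i][0], samples[i][1]);
        if (r < 0)
            printf("%02X %02X: rejected (code %d)\n", samples[i][0], samples[i][1], r);
        else
            printf("%02X %02X: window_bits %d (%u bytes)\n", samples[i][0],
                   samples[i][1], r, zlib_window_size(samples[i][0], samples[i][1]));
    }
    return 0;
}
```

As the changelog notes, inflate() itself may accept an oversized CINFO and only fail later with a "too far back" error, so a tool that reasons about the stream (as pngfix does) cannot rely on zlib to reject the header for it and has to do this check up front.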
Change History (3)

comment:1 by Fernando de Oliveira, 8 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:2 by Fernando de Oliveira, 8 years ago

No test regression, here.

comment:3 by Fernando de Oliveira, 8 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r16771.
