Arbitrary code execution in libpng

Matthias B. msbREMOVE-THIS at winterdrache.de
Wed Aug 4 11:23:28 PDT 2004


libpng up to and including 1.2.5 contains several security
vulnerabilities, at least one of which could potentially allow an attacker
to create a PNG file that executes arbitrary code on the machine where it
is viewed. The other vulnerabilities can at least cause the viewing
application to crash (proof of concept PNG-of-death files are available).
As web browsers and some mail programs display PNG files using libpng, it
can be expected that worms will be written to use this vulnerability. 
I wouldn't be surprised to see the first such worm appear within the next
48h.

BLFS (stable, not just CVS) should be updated IMMEDIATELY to either
include the patches against 1.2.5 that are available or to use version
1.2.6rc1 (which is the most current as of this writing).

LFS users should download and install the new libpng ASAP. Packages that
use libpng may or may not have to be recompiled depending on whether they
are statically or dynamically linked.

Patches and libpng-1.2.6rc1 are available at:

ftp://swrinde.nde.swri.edu/pub/png/src/

and

http://sourceforge.net/project/showfiles.php?group_id=5624

Note that the libpng homepage at

http://www.libpng.org/pub/png/libpng.html

does NOT have 1.2.6rc1 or the patches as of this writing, only some older
security patches. It will hopefully be updated within the next 24h.

Following are the release announcement for 1.2.6rc1 and excerpts from
security announcements of OpenPKG and SuSE.

MSB

------------------------------------
Begin forwarded message:

Date: Wed, 04 Aug 2004 11:33:35 -0400
From: Glenn Randers-Pehrson <glennrp at comcast.net>
To: png-implement at ccrc.wustl.edu
Subject: [png-announce] libpng-1.2.6rc1 and libpng-1.0.16rc1


[bcc to png-list and png-announce.  Please reply to png-implement only]

I have released libpng-1.2.6rc1 and libpng-1.0.16rc1
Get them at http://libpng.sourceforge.net in the [DOWNLOAD]
area, "libpng" package, or from ftp://swrinde.nde.swri.edu/pub/png/src/

This fixes some vulnerabilities that have just been (or are just about
to be) disclosed.

I have also released a complete patch set for patching older versions
of libpng, back to version 0.89c.

Greg, please copy whatever you need over to the libpng page.

Glenn
-----------------------------


Begin forwarded message:

Date: Wed, 4 Aug 2004 17:12:21 +0200
From: OpenPKG <openpkg at openpkg.org>
To: full-disclosure at lists.netsys.com
Subject: [Full-Disclosure] [OpenPKG-SA-2004.035] OpenPKG Security Advisory
(png)

[...]

_______________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security at openpkg.org                         openpkg at openpkg.org
OpenPKG-SA-2004.035                                          04-Aug-2004
________________________________________________________________________

Package:             png
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

[...]

Description:
  During a source code audit, Chris Evans discovered several problems in
  the Portable Network Graphics (PNG) library libpng [1], some of which
  are security relevant. This OpenPKG update fixes all known issues.

  A stack-based buffer overflow in libpng which can be triggered to run
  arbitrary code by a malicious png file. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2004-0597 [2] to the
  problem.

  A NULL-pointer crash in libpng which can be triggered by a malicious
  png file. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0598 [3] to the problem.

  Various possible integer overflows in libpng which may have security
  consequences. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0599 [4] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q png". If you have the "png" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), if any, too
  [5][6].


[...]

[!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!]

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too [5][6].

[!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!]


References:
  [1] http://www.libpng.org/pub/png/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
  [5] http://www.openpkg.org/tutorial.html#regular-source
  [6] http://www.openpkg.org/tutorial.html#regular-binary
  [7] ftp://ftp.openpkg.org/release/2.1/UPD/png-1.2.5-2.1.1.src.rpm
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/png-1.2.5-2.0.3.src.rpm
  [9] ftp://ftp.openpkg.org/release/2.1/UPD/
  [10] ftp://ftp.openpkg.org/release/2.0/UPD/
  [11] http://www.openpkg.org/security.html#signature


--------------------------------------------------------



Begin forwarded message:

Date: Wed, 04 Aug 2004 17:12:26 +0200
From: Thomas Biege <thomas at suse.de>
To: full-disclosure at lists.netsys.com
Subject: [Full-Disclosure] SUSE Security Announcement: libpng
(SUSE-SA:2004:023)

[...]

        Package:                libpng
        Announcement-ID:        SUSE-SA:2004:023
        Date:                   Wednesday, Aug 4th 2004 16:00 MEST
[...]
        Vulnerability Type:     remote system compromise
        Severity (1-10):        9
        SUSE default package:   yes
        Cross References:       VU#388984
                                VU#236656
                                VU#160448
                                VU#477512
                                VU#817368
                                VU#286464
                                CAN-2004-0597
                                CAN-2004-0598
                                CAN-2004-0599

[...]

1) problem description, brief discussion

    Several different security vulnerabilities were found in the PNG
    library which is used by applications to support the PNG image format.

    A remote attacker is able to execute arbitrary code by triggering a
    buffer overflow due to the incorrect handling of the length of
    transparency chunk data and in other paths of image processing.
    (VU#388984, VU#817368, CAN-2004-0597)
    A special PNG image can be used to cause an application to crash due
    to a NULL pointer dereference in the function png_handle_iCPP() (and
    other locations). (VU#236656, CAN-2004-0598)
    Integer overflows were found in png_handle_sPLT(), png_read_png()
    functions and other locations. These bugs may at least crash an
    application. (VU#160448, VU#477512, VU#286464, CAN-2004-0599)

    Many thanks to Chris Evans who reported issues to us and other
    vendors.


3) special instructions and notes

    Various applications use libpng either dynamically linked, statically
    linked, or by linking a copy of libpng included in the application's
    source distribution.
    In the first case you have to restart the affected application.
    In the other cases we will release updates for these packages if the
    vulnerable libpng code is called with input from an untrusted source.

[...]
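The SUSE description above traces the code-execution bug to incorrect handling of a chunk's length and the crashes to integer overflows in length arithmetic. The following C program is an added example, not libpng's code and not taken from any of the advisories, showing the defensive pattern a PNG reader should apply: every declared chunk length is checked against the spec limit and against the bytes actually remaining before it drives a copy or an allocation, with the comparisons written as subtractions so no addition can wrap, and a chunk that does not fit a fixed-size buffer is rejected rather than copied. The chunk walker, the 256-byte tRNS buffer, the status codes and the constructed sample files are all hypothetical; CRCs are not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libpng code: a minimal PNG chunk walker that validates every
 * declared chunk length before the length drives a copy or an allocation. */

#define PNG_MAX_CHUNK_LEN 0x7FFFFFFFu   /* PNG spec: a chunk length must not exceed 2^31-1 */
#define TRNS_CAPACITY     256           /* hypothetical fixed buffer: a palette tRNS chunk has at most 256 entries */

enum png_status {
    PNG_OK = 0,
    PNG_BAD_SIGNATURE,     /* not a PNG file */
    PNG_TRUNCATED,         /* a declared length runs past the end of the data */
    PNG_LENGTH_TOO_LARGE,  /* declared length above the spec limit (would go negative as an int) */
    PNG_CHUNK_TOO_BIG      /* chunk larger than the fixed buffer it would be copied into */
};

static const uint8_t png_signature[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void write_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Walks buf[0..len). Counts chunks in *chunks and copies a tRNS payload into trns/trns_len.
 * Bounds checks subtract from the bytes remaining, so no addition can wrap around.
 * Chunk CRCs are not verified here; a real reader must check them too. */
enum png_status png_walk_chunks(const uint8_t *buf, size_t len, size_t *chunks,
                                uint8_t trns[TRNS_CAPACITY], size_t *trns_len) {
    if (len < sizeof png_signature || memcmp(buf, png_signature, sizeof png_signature) != 0)
        return PNG_BAD_SIGNATURE;
    size_t pos = sizeof png_signature;
    *chunks = 0;
    *trns_len = 0;
    while (pos < len) {
        size_t remaining = len - pos;
        if (remaining < 12)                        /* length(4) + type(4) + crc(4) */
            return PNG_TRUNCATED;
        uint32_t length = read_be32(buf + pos);
        const uint8_t *type = buf + pos + 4;
        const uint8_t *data = buf + pos + 8;
        if (length > PNG_MAX_CHUNK_LEN)            /* reject before anyone stores it in an int */
            return PNG_LENGTH_TOO_LARGE;
        if (length > remaining - 12)               /* payload plus CRC must fit in what is left */
            return PNG_TRUNCATED;
        if (memcmp(type, "tRNS", 4) == 0) {
            if (length > TRNS_CAPACITY)            /* refuse instead of overrunning the buffer */
                return PNG_CHUNK_TOO_BIG;
            memcpy(trns, data, length);
            *trns_len = length;
        }
        (*chunks)++;
        pos += 12 + (size_t)length;                /* cannot wrap: length <= remaining - 12 */
        if (memcmp(type, "IEND", 4) == 0)
            break;
    }
    return PNG_OK;
}

/* Builds a constructed (not real) PNG-shaped buffer: signature, a zeroed 13-byte IHDR,
 * one tRNS chunk whose length field claims declared_len while only actual_len payload
 * bytes are present, then IEND. CRC fields are left zero. Returns bytes written, 0 if out is too small. */
size_t build_constructed_png(uint8_t *out, size_t cap, uint32_t declared_len, size_t actual_len) {
    size_t need = 8 + 25 + (12 + actual_len) + 12;
    if (cap < need)
        return 0;
    uint8_t *p = out;
    memcpy(p, png_signature, 8);                                          p += 8;
    write_be32(p, 13); memcpy(p + 4, "IHDR", 4); memset(p + 8, 0, 17);   p += 25;
    write_be32(p, declared_len); memcpy(p + 4, "tRNS", 4);
    memset(p + 8, 0xAB, actual_len); memset(p + 8 + actual_len, 0, 4);   p += 12 + actual_len;
    write_be32(p, 0); memcpy(p + 4, "IEND", 4); memset(p + 8, 0, 4);     p += 12;
    return (size_t)(p - out);
}

/* Builds the constructed file and runs the walker; out-params may be NULL. */
enum png_status check_constructed_png(uint32_t declared_len, size_t actual_len,
                                      size_t *chunks_out, size_t *trns_len_out) {
    uint8_t file[1024], trns[TRNS_CAPACITY];
    size_t chunks = 0, trns_len = 0;
    size_t n = build_constructed_png(file, sizeof file, declared_len, actual_len);
    if (n == 0)
        return PNG_TRUNCATED;   /* sample buffer too small for actual_len; treat as unusable input */
    enum png_status st = png_walk_chunks(file, n, &chunks, trns, &trns_len);
    if (chunks_out) *chunks_out = chunks;
    if (trns_len_out) *trns_len_out = trns_len;
    return st;
}

int main(void) {
    static const char *names[] = {"ok", "bad signature", "truncated", "length too large", "chunk too big"};
    printf("valid tRNS(3):            %s\n", names[check_constructed_png(3, 3, NULL, NULL)]);
    printf("declares 300, has 3:      %s\n", names[check_constructed_png(300, 3, NULL, NULL)]);
    printf("declares 300, has 300:    %s\n", names[check_constructed_png(300, 300, NULL, NULL)]);
    printf("sign bit set in length:   %s\n", names[check_constructed_png(0x80000000u, 3, NULL, NULL)]);
    return 0;
}
```

The order of the checks matters: the spec-limit test runs first so a length with the sign bit set never reaches code that might store it in a signed int, the remaining-bytes test runs before any pointer is advanced, and the capacity test runs before the copy. Each rejected sample corresponds to one of the three bug classes the advisory lists (oversized transparency data, length arithmetic that wraps, and a declared length that the file does not actually contain).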



