On Fri, Nov 10, 2006 at 08:42:49PM +1100, Anibal Monsalve Salazar wrote:
>Package: libpng
>Severity: grave
>Version: 1.2.8rel-7
>Tags: security
>
>At http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334
>it reads:
>
>  Name: CVE-2006-3334 (under review)
>  Status: Candidate
>  Description: Buffer overflow in the png_decompress_chunk
>  function in pngrutil.c in libpng before 1.2.12 allows
>  context-dependent attackers to cause a denial of service
>  and possibly execute arbitrary code via unspecified vectors
>  related to "chunk error processing," possibly involving the
>  "chunk_name".

That was backported in #377298, which is already fixed.

>At http://www.libpng.org/pub/png/libpng.html it reads:
>
>  Versions up through 1.2.11 and 1.0.19 have a buffer-overrun
>  vulnerability when a particular error message is triggered.
>  The overrun is always by exactly two bytes ('k' and NULL)
>  so it seems highly unlikely that it could be used for
>  anything more nefarious than denial of service (e.g.,
>  crashing your browser when you visit a site displaying a
>  specially crafted PNG). Nevertheless, it's worth fixing,
>  and versions libpng 1.2.12 and libpng 1.0.20, released 27
>  June 2006, do just that. (Note that 1.2.11 and 1.0.19
>  erroneously claimed to include the fix, but in fact it had
>  been inadvertently omitted.)

Same here, it was backported in #377298, which is already
fixed.

>  The same releases (and their immediate predecessors) also
>  fix an out-of-bounds (by one) memory read and a second
>  buffer overrun, this one in the code that writes the sCAL
>  chunk (which is rather rare in any case).

That hasn't been fixed yet.

Aníbal Monsalve Salazar
-- 
http://v7w.com/anibal
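The overrun the quoted libpng notice describes (a fixed-size error-message buffer that the formatted text exceeds by exactly two bytes, 'k' and NUL, when a chunk error fires) can be checked arithmetically. The C below is an added illustration written for this thread, not libpng's own code and not the Debian patch: the 50-byte buffer size, the exact wording of the format string and the sample chunk name are assumptions chosen so that the message needs 52 bytes, matching the two-byte overrun the notice states. It also shows the bounded, always-NUL-terminated formatting a fix would use.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not libpng code. Reconstructs the shape of the bug the
 * advisory describes: a fixed-size message buffer overrun by exactly two
 * bytes ('k' and NUL). Buffer size, wording and chunk name are assumptions. */

#define CHUNK_NAME_LEN 4   /* PNG chunk names are always exactly 4 bytes */
#define UMSG_SIZE 50       /* assumed size of the on-stack message buffer */

/* Assumed message text; with a 4-byte chunk name it is 51 chars plus NUL. */
static const char kFormat[] = "Buffer error in compressed datastream in %s chunk";

/* Bytes (including the terminating NUL) that formatting the message for
 * the given chunk name needs. snprintf with a NULL/0 destination measures. */
size_t required_bytes(const char *chunk_name)
{
    int n = snprintf(NULL, 0, kFormat, chunk_name);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* How many bytes past the end of a bufsize-byte buffer the message would
 * land (0 if it fits). For a 50-byte buffer the answer is 2: 'k' and NUL. */
size_t overrun_bytes(const char *chunk_name, size_t bufsize)
{
    size_t need = required_bytes(chunk_name);
    return need > bufsize ? need - bufsize : 0;
}

/* Hardened formatter: bounded write, always NUL-terminated.
 * Returns 1 if the whole message fit, 0 if it had to be truncated. */
int format_chunk_error(char *buf, size_t bufsize, const char *chunk_name)
{
    char name[CHUNK_NAME_LEN + 1];
    /* Chunk names inside a decoder are 4 raw bytes with no NUL, so bound
     * the read as well as the write. */
    memcpy(name, chunk_name, CHUNK_NAME_LEN);
    name[CHUNK_NAME_LEN] = '\0';
    int n = snprintf(buf, bufsize, kFormat, name);
    return n >= 0 && (size_t)n < bufsize;
}

int main(void)
{
    char umsg[UMSG_SIZE];
    const char *name = "zTXt"; /* constructed sample: a compressed-text chunk */

    printf("message needs %zu bytes, buffer holds %d, overrun %zu\n",
           required_bytes(name), UMSG_SIZE, overrun_bytes(name, UMSG_SIZE));
    if (!format_chunk_error(umsg, sizeof umsg, name))
        printf("truncated safely to: \"%s\"\n", umsg);
    return 0;
}
```

The arithmetic is the useful part: the fixed text plus a four-character chunk name plus " chunk" comes to 51 characters, so with a 50-byte buffer only the final 'k' and the NUL spill, which is why the notice judges it hard to turn into more than a crash. Note that this is a consequence of the assumed sizes, and that the separate sCAL-write overrun mentioned at the end of the notice is a different code path not modelled here.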
