Hi,

I've prepared an NMU to fix CVE-2008-5907 and CVE-2009-0040 in libpng.


Proposed debdiff in attachment.

Cheers,
Giuseppe.
diff -u libpng-1.2.27/debian/changelog libpng-1.2.27/debian/changelog
--- libpng-1.2.27/debian/changelog
+++ libpng-1.2.27/debian/changelog
@@ -1,3 +1,13 @@
+libpng (1.2.27-2lenny1) stable-security; urgency=high
+
+  * Non-maintainer upload.
+  * debian/patches/03-CVE-2008-5907.diff: update pngwutil.c to properly set
+    new_key to NULL string. (CVE-2008-5907) (Closes: #512665)
+  * debian/patches/04-CVE-2009-0040.diff: initialize pointers in pngread.c,
+    pngrtans.c, pngset.c and example.c (CVE-2009-0040) (Closes: #516256)
+
+ -- Giuseppe Iuculano <giuse...@iuculano.it>  Sat, 14 Mar 2009 21:31:31 +0100
+
 libpng (1.2.27-2) unstable; urgency=medium
 
   * Fix CVE-2008-3964: off-by-one error in pngtest.c; closes: #501109 
diff -u libpng-1.2.27/debian/patches/series libpng-1.2.27/debian/patches/series
--- libpng-1.2.27/debian/patches/series
+++ libpng-1.2.27/debian/patches/series
@@ -2,0 +3,2 @@
+03-CVE-2008-5907.diff
+04-CVE-2009-0040.diff
only in patch2:
unchanged:
--- libpng-1.2.27.orig/debian/patches/03-CVE-2008-5907.diff
+++ libpng-1.2.27/debian/patches/03-CVE-2008-5907.diff
@@ -0,0 +1,12 @@
+fix for CVE-2008-5907 #512665
+--- a/pngwutil.c
++++ b/pngwutil.c
+@@ -1324,7 +1324,7 @@ png_check_keyword(png_structp png_ptr, p
+    if (key_len > 79)
+    {
+       png_warning(png_ptr, "keyword length must be 1 - 79 characters");
+-      new_key[79] = '\0';
++      (*new_key[79]) = '\0';
+       key_len = 79;
+    }
+ 
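Review bot: The replacement line `(*new_key[79]) = '\0';` still does not write the terminator into the keyword buffer: postfix `[]` binds tighter than unary `*`, so the expression parses as `*(new_key[79])`, indexing the pointer variable itself at offset 79 and then storing through whatever lies there, an out-of-bounds access at least as bad as the original. new_key's declaration is outside the hunk, but the fact that the original `new_key[79] = '\0';` is the CVE-2008-5907 bug implies it is a pointer to the buffer pointer (png_charpp in upstream libpng), so the intended statement is `(*new_key)[79] = '\0';`, which is also what the upstream fix uses. Because this path is only reached for keywords longer than 79 bytes, the mistake will not show up in ordinary use; a tEXt chunk with an over-long keyword exercises it. png_check_keyword starts and ends outside the hunk.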
only in patch2:
unchanged:
--- libpng-1.2.27.orig/debian/patches/04-CVE-2009-0040.diff
+++ libpng-1.2.27/debian/patches/04-CVE-2009-0040.diff
@@ -0,0 +1,91 @@
+fix for CVE-2009-0040 #516256
+--- a/example.c
++++ b/example.c
+@@ -342,6 +342,10 @@ void read_png(FILE *fp, unsigned int sig
+    /* The easiest way to read the image: */
+    png_bytep row_pointers[height];
+ 
++   /* Clear the pointer array */
++   for (row = 0; row < height; row++)
++      row_pointers[row] = NULL;
++
+    for (row = 0; row < height; row++)
+    {
+       row_pointers[row] = png_malloc(png_ptr, png_get_rowbytes(png_ptr,
+--- a/pngread.c
++++ b/pngread.c
+@@ -1457,6 +1457,8 @@ png_read_png(png_structp png_ptr, png_in
+ #ifdef PNG_FREE_ME_SUPPORTED
+       info_ptr->free_me |= PNG_FREE_ROWS;
+ #endif
++      png_memset(info_ptr->row_pointers, 0, info_ptr->height
++         * png_sizeof(png_bytep));
+       for (row = 0; row < (int)info_ptr->height; row++)
+       {
+          info_ptr->row_pointers[row] = (png_bytep)png_malloc(png_ptr,
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -309,9 +309,7 @@ png_set_dither(png_structp png_ptr, png_
+ 
+          hash = (png_dsortpp)png_malloc(png_ptr, (png_uint_32)(769 *
+             png_sizeof (png_dsortp)));
+-         for (i = 0; i < 769; i++)
+-            hash[i] = NULL;
+-/*         png_memset(hash, 0, 769 * png_sizeof (png_dsortp)); */
++         png_memset(hash, 0, 769 * png_sizeof(png_dsortp));
+ 
+          num_new_palette = num_palette;
+ 
+@@ -4124,6 +4122,8 @@ png_build_gamma_table(png_structp png_pt
+      png_ptr->gamma_16_table = (png_uint_16pp)png_malloc(png_ptr,
+         (png_uint_32)(num * png_sizeof (png_uint_16p)));
+ 
++     png_memset(png_ptr->gamma_16_table, 0, num * png_sizeof(png_uint_16p)); 
++
+      if (png_ptr->transformations & (PNG_16_TO_8 | PNG_BACKGROUND))
+      {
+         double fin, fout;
+@@ -4184,6 +4184,8 @@ png_build_gamma_table(png_structp png_pt
+         png_ptr->gamma_16_to_1 = (png_uint_16pp)png_malloc(png_ptr,
+            (png_uint_32)(num * png_sizeof (png_uint_16p )));
+ 
++        png_memset(png_ptr->gamma_16_to_1, 0, num * 
png_sizeof(png_uint_16p)); 
++
+         for (i = 0; i < num; i++)
+         {
+            png_ptr->gamma_16_to_1[i] = (png_uint_16p)png_malloc(png_ptr,
+@@ -4207,6 +4209,9 @@ png_build_gamma_table(png_structp png_pt
+         png_ptr->gamma_16_from_1 = (png_uint_16pp)png_malloc(png_ptr,
+            (png_uint_32)(num * png_sizeof (png_uint_16p)));
+ 
++        png_memset(png_ptr->gamma_16_from_1, 0,
++           num * png_sizeof(png_uint_16p)); 
++
+         for (i = 0; i < num; i++)
+         {
+            png_ptr->gamma_16_from_1[i] = (png_uint_16p)png_malloc(png_ptr,
+--- a/pngset.c
++++ b/pngset.c
+@@ -429,7 +429,11 @@ png_set_pCAL(png_structp png_ptr, png_in
+        return;
+      }
+ 
+-   info_ptr->pcal_params[nparams] = NULL;
++#ifdef PNG_FREE_ME_SUPPORTED
++   info_ptr->free_me |= PNG_FREE_PCAL;
++#endif
++
++   png_memset(info_ptr->pcal_params, 0, (nparams + 1) * 
png_sizeof(png_charp));
+ 
+    for (i = 0; i < nparams; i++)
+    {
+@@ -445,9 +449,6 @@ png_set_pCAL(png_structp png_ptr, png_in
+    }
+ 
+    info_ptr->valid |= PNG_INFO_pCAL;
+-#ifdef PNG_FREE_ME_SUPPORTED
+-   info_ptr->free_me |= PNG_FREE_PCAL;
+-#endif
+ }
+ #endif
+ 
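Review bot: Two added lines in this patch have lost their `+` marker and been split onto a following line, the `png_memset(png_ptr->gamma_16_to_1, 0, num *` / `png_sizeof(png_uint_16p));` pair and the `png_memset(info_ptr->pcal_params, 0, (nparams + 1) *` / `png_sizeof(png_charp));` pair, so the patch as shown here no longer matches its `@@ -0,0 +1,91 @@` line count and would be rejected by `patch`. This is most likely mail wrapping of long lines rather than a defect in the attached debdiff, but it is worth confirming against the attachment before upload; the other `png_memset` additions also carry trailing whitespace that should be trimmed. The substance of the additions is consistent with the upstream approach, zeroing each pointer array right after `png_malloc` and, in png_set_pCAL, setting `PNG_FREE_PCAL` before the per-parameter allocation loop so that an allocation failure mid-loop leaves `png_free_data` able to release the partially filled array without freeing uninitialized pointers. png_set_pCAL, png_build_gamma_table, png_set_dither and png_read_png all start and end outside the visible hunks.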

Attachment: signature.asc
Description: OpenPGP digital signature
