Package: libpng
Version: 1.2.8rel-5.1 1.0.18-1 1.0.12-3.woody.9
Severity: grave
Tags: security patch
CVE-2006-3334: "Buffer overflow in the png_decompress_chunk function in
pngrutil.c in libpng before 1.2.12 allows context-dependent attackers
to cause a denial of service and possibly execute arbitrary code via
unspecified vectors related to "chunk error processing," possibly
involving the "chunk_name"."
This was announced by upstream and fixed in 1.2.12 and 10.0.20. The
versions in Sarge and Woody are vulnerable. I have not seen a sample
exploit.
Attached is a patch that applies to all the sarge and woody versions
with a bit of offset. I couldn't find a public version control system,
so I created this patch from a diff between 1.0.19 and 1.0.20; it's the
same diff as from 1.2.11 to 1.2.12. If you wade through all the version
changes, the only file touched is pngrutil.c.
Please mention the CVE in your changelog.
Thanks,
Alec
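The overflow behind CVE-2006-3334 as described above is an off-by-two in a fixed-size error-message buffer. What follows is an added C example, not code from libpng or from this report: it derives the size that message actually needs from its format string and shows a bounded replacement for an unbounded sprintf. The format string is the one in the attached patch; the "IDAT" chunk name, the 64-byte scratch area and the helper names are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Format string as it appears in the patched pngrutil.c hunk. PNG chunk
 * names are always exactly 4 bytes, so %s expands to 4 characters. */
#define UMSG_FMT "Buffer error in compressed datastream in %s chunk"

/* Bytes needed to hold the formatted message, terminator included.
 * 41 bytes of fixed text + 4-byte chunk name + " chunk" (6) + NUL = 52,
 * which is why the original 50-byte umsg overflowed by two bytes. */
size_t umsg_required_size(const char *chunk_name)
{
    int n = snprintf(NULL, 0, UMSG_FMT, chunk_name);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded formatter: never writes past dst_size and always terminates.
 * Returns true if the whole message fit, false if it was truncated. */
bool format_umsg(char *dst, size_t dst_size, const char *chunk_name)
{
    if (dst_size == 0)
        return false;
    int n = snprintf(dst, dst_size, UMSG_FMT, chunk_name);
    return n >= 0 && (size_t)n < dst_size;
}

/* Check helper: does the IDAT message fit in a buffer of n bytes?
 * (Constructed for the example; scratch area is 64 bytes.) */
bool umsg_fits_in(size_t n)
{
    char scratch[64];
    return n <= sizeof scratch && format_umsg(scratch, n, "IDAT");
}

int main(void)
{
    printf("required size: %zu bytes\n", umsg_required_size("IDAT"));
    printf("fits in umsg[50]: %s\n", umsg_fits_in(50) ? "yes" : "no");
    printf("fits in umsg[52]: %s\n", umsg_fits_in(52) ? "yes" : "no");
    return 0;
}
```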
diff -u libpng-1.0.19/pngrutil.c libpng-1.0.20/pngrutil.c
--- libpng-1.0.19/pngrutil.c 2006-06-26 08:43:13.000000000 -0400
+++ libpng-1.0.20/pngrutil.c 2006-06-27 16:20:49.000000000 -0400
@@ -276,7 +276,7 @@
if (ret != Z_STREAM_END)
{
#if !defined(PNG_NO_STDIO) && !defined(_WIN32_WCE)
- char umsg[50];
+ char umsg[52];
if (ret == Z_BUF_ERROR)
sprintf(umsg,"Buffer error in compressed datastream in %s chunk",
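Review bot: the new size 52 is exactly what this sprintf produces (41 bytes of fixed text, a 4-byte PNG chunk name, " chunk", plus the terminator), so it closes the two-byte overflow of the old 50-byte umsg but leaves no margin if the message wording is ever changed; prefer `snprintf(umsg, sizeof umsg, ...)` here, or a comfortably larger buffer with a comment deriving the size, so an edit to the format string cannot reintroduce the same bug. The hunk is cut off after the first sprintf; any other writes into umsg under this same `#if` should be checked against the 52-byte size as well.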