Your message dated Sun, 16 Jul 2006 16:42:18 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Fixed in NMU of libpng 1.2.8rel-5.2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libpng
Version: 1.2.8rel-5.1 1.0.18-1 1.0.12-3.woody.9
Severity: grave
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3334: "Buffer overflow in the png_decompress_chunk function in
pngrutil.c in libpng before 1.2.12 allows context-dependent attackers
to cause a denial of service and possibly execute arbitrary code via
unspecified vectors related to "chunk error processing," possibly
involving the "chunk_name"."

This was announced by upstream and fixed in 1.2.12 and 1.0.20.  The
versions in Sarge and Woody are vulnerable.  I have not seen a sample
exploit.

Attached is a patch that applies to all the sarge and woody versions
with a bit of offset.  I couldn't find a public version control system,
so I created this patch from a diff between 1.0.19 and 1.0.20; it's the
same diff as from 1.2.11 to 1.2.12.  If you wade through all the version
changes, the only file touched is pngrutil.c.

Please mention the CVE in your changelog.

Thanks,

Alec

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFErxt0Aud/2YgchcQRAtGAAJ9BzbLTRtgoTvXDlMpkq0PY8QusCgCeJqAy
iAio7/ZrXhcIZN45XnWnJag=
=tG1l
-----END PGP SIGNATURE-----
diff -u libpng-1.0.19/pngrutil.c libpng-1.0.20/pngrutil.c
--- libpng-1.0.19/pngrutil.c	2006-06-26 08:43:13.000000000 -0400
+++ libpng-1.0.20/pngrutil.c	2006-06-27 16:20:49.000000000 -0400
@@ -276,7 +276,7 @@
       if (ret != Z_STREAM_END)
       {
 #if !defined(PNG_NO_STDIO) && !defined(_WIN32_WCE)
-         char umsg[50];
+         char umsg[52];
 
          if (ret == Z_BUF_ERROR)
             sprintf(umsg,"Buffer error in compressed datastream in %s chunk",
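Review bot: the new size 52 is sized by hand to the current message with zero slack (the format string is 49 characters; dropping the two bytes of "%s" and adding a 4-byte chunk name gives 51, plus the terminating NUL), and the write in `sprintf(umsg,"Buffer error in compressed datastream in %s chunk",` stays unbounded, so any later change to the message text or a `%s` argument longer than 4 bytes overflows the stack buffer again. Suggest `snprintf(umsg, sizeof umsg, ...)` here so an oversized message truncates instead of overflowing. The hunk shows only the Z_BUF_ERROR branch; any other branch that formats into umsg inside this `#if` block needs the same check against the new size.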

--- End Message ---
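To make the arithmetic behind CVE-2006-3334 concrete, here is an added C example (editor's code, not part of the bug report, the patch, or libpng): it measures how many bytes the error message needs for a given chunk name, which shows why the 50-byte buffer was two bytes short, and pairs that with a bounded replacement for the unbounded sprintf(). The format string is the one visible in the patch; the chunk name "IDAT", the 5-byte name "ABCDE", and the helper names umsg_required_size and format_chunk_error are assumptions for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Format string from png_decompress_chunk's Z_BUF_ERROR path, as shown in
 * the patch. The original code wrote it with sprintf() into char umsg[50]. */
static const char *const kBufErrFmt =
    "Buffer error in compressed datastream in %s chunk";

/* Bytes needed, including the terminating NUL, to hold the formatted
 * message for a given chunk name. snprintf(NULL, 0, ...) only measures. */
size_t umsg_required_size(const char *chunk_name)
{
    int n = snprintf(NULL, 0, kBufErrFmt, chunk_name);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hardened replacement for the unbounded sprintf(): never writes past
 * dst_size bytes and reports whether the whole message fit.
 * Returns 1 if it fit, 0 if it was truncated (or dst_size is 0). */
int format_chunk_error(char *dst, size_t dst_size, const char *chunk_name)
{
    int n;
    if (dst_size == 0)
        return 0;
    n = snprintf(dst, dst_size, kBufErrFmt, chunk_name);
    return n >= 0 && (size_t)n < dst_size;
}

int main(void)
{
    /* "IDAT" is a constructed sample; PNG chunk names are 4 bytes. */
    const char *name = "IDAT";
    char old_buf[50];  /* buffer size before the fix */
    char new_buf[52];  /* buffer size after the fix */

    printf("needed for \"%s\": %zu bytes\n", name, umsg_required_size(name));
    printf("fits in 50: %d\n", format_chunk_error(old_buf, sizeof old_buf, name));
    printf("fits in 52: %d\n", format_chunk_error(new_buf, sizeof new_buf, name));
    /* A 5-byte name (malformed per the PNG spec) shows why a hand-sized
     * buffer plus sprintf() stays fragile: 52 is no longer enough either. */
    printf("fits in 52 with 5-byte name: %d\n",
           format_chunk_error(new_buf, sizeof new_buf, "ABCDE"));
    return 0;
}
```

For "IDAT" the message needs 52 bytes, so the pre-fix 50-byte buffer overflows by two and the post-fix 52-byte buffer is filled exactly; the bounded formatter returns 0 instead of overflowing whenever the message does not fit.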
--- Begin Message ---
Version: 1.2.8rel-5.2

I've NMUed for this bug (fixing the bug to use versioning instead of the
"fixed" tag, to ease tracking through testing); here's the changelog:

>  libpng (1.2.8rel-5.2) unstable; urgency=low
>  .
>    * Non-maintainer upload.
>    * Backport changes from 1.2.12 to fix a buffer overflow in
>      png_decompress_chunk; patch by Alec Berryman. [CVE-2006-3334]
>      (Closes: #377298)

/* Steinar */
-- 
Homepage: http://www.sesse.net/

--- End Message ---
