[CVE-2008-5907] libpng: png_check_keyword() in pngwutil.c might allow overwriting arbitrary memory location
Bug #324258 reported by Till Ulen
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libpng (Ubuntu) | Fix Released | Low | Jamie Strandboge | |
Dapper | Fix Released | Low | Jamie Strandboge | |
Gutsy | Fix Released | Low | Jamie Strandboge | |
Hardy | Fix Released | Low | Jamie Strandboge | |
Intrepid | Fix Released | Low | Jamie Strandboge | |
Jaunty | Fix Released | Low | Jamie Strandboge | |
Bug Description
Binary package hint: libpng12-0
Description from the NVD:
"The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer. NOTE: some sources incorrectly report this as a double free vulnerability."
http://
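The bug class named in the NVD text, as an added example: this is a simplified model written for this page, not libpng's code. The function names, `KEY_MAX` and the harness are hypothetical, and the model assumes the keyword is passed as a `char **` that the faulty statement indexes directly instead of dereferencing first.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_MAX 79 /* assumed keyword length limit for this model */

/* Hypothetical "before": new_key is a char **, so new_key[KEY_MAX] names a
 * pointer slot, and '\0' (an int constant 0 in C) converts to a null pointer. */
static size_t trunc_buggy(char **new_key, size_t key_len)
{
    if (key_len > KEY_MAX) {
        new_key[KEY_MAX] = '\0'; /* zeroes a pointer, leaves the string alone */
        key_len = KEY_MAX;
    }
    return key_len;
}

/* Hypothetical "after": dereference first, then terminate the string. */
static size_t trunc_fixed(char **new_key, size_t key_len)
{
    if (key_len > KEY_MAX) {
        (*new_key)[KEY_MAX] = '\0';
        key_len = KEY_MAX;
    }
    return key_len;
}

/* Constructed harness: slots[0] is the keyword pointer, slots[KEY_MAX] an
 * unrelated pointer, so the stray write stays inside this array. Returns
 * bit 0 if the unrelated pointer survived, bit 1 if the keyword was cut. */
static int run_case(size_t (*fn)(char **, size_t))
{
    static char neighbour[] = "unrelated";
    char key[101];
    char *slots[KEY_MAX + 1] = {0};
    memset(key, 'A', 100);
    key[100] = '\0';
    slots[0] = key;
    slots[KEY_MAX] = neighbour;
    fn(slots, strlen(key));
    return (slots[KEY_MAX] == neighbour ? 1 : 0) | (strlen(key) == KEY_MAX ? 2 : 0);
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", run_case(trunc_buggy), run_case(trunc_fixed));
    return 0;
}
```

In the "before" form the reported length is 79 while the string itself is still 100 characters long, and a pointer-sized location 79 slots away from the argument has been zeroed.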
Changed in libpng:
status: New → In Progress
importance: Undecided → Low
assignee: nobody → jdstrand
This bug was fixed in the package libpng - 1.2.15~beta5-3ubuntu0.1
---------------
libpng (1.2.15~beta5-3ubuntu0.1) hardy-security; urgency=low
* SECURITY UPDATE: denial of service and possible execution of arbitrary
code via crafted image (LP: #338027)
- initialize pointers in pngread.c, pngrtans.c, pngset.c and example.c
- CVE-2009-0040
* SECURITY UPDATE: denial of service and possible execution of arbitrary
code via crafted image (LP: #217128)
- initialize "unknown" chunks in pngpread.c, pngrutil.c and pngset.c
- CVE-2008-1382
* SECURITY UPDATE: denial of service via off-by-one error
- shorten tIME_string to 29 bytes in pngtest.c
- CVE-2008-3964
* SECURITY UPDATE: denial of service via incorrect memory assignment
(LP: #324258)
- update pngwutil.c to properly set new_key to NULL string
- CVE-2008-5907
* SECURITY UPDATE: denial of service via a crafted PNG image
- fix for pngset.c to properly check palette size in png_set_hIST
- CVE-2007-5268
* SECURITY UPDATE: denial of service via a crafted PNG image
- fix for pngpread.c and pngrutil.c to properly do bounds checking on read
operations. Previous version only had a partial fix.
- CVE-2007-5269
-- Jamie Strandboge <email address hidden> Thu, 05 Mar 2009 06:39:46 -0600