Bug 148214 - [security] [maintainer-update] graphics/png image decode buffer overrun
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Dirk Meyer
Depends on:
Reported: 2010-06-28 17:50 UTC by dirk.meyer
Modified: 2010-06-29 14:20 UTC

file.diff (2.84 KB, patch)
2010-06-28 17:50 UTC, dirk.meyer

Description dirk.meyer 2010-06-28 17:50:00 UTC
Several versions of libpng through 1.4.2 (and through 1.2.43 in the older
series) contain a bug whereby progressive applications such as web browsers
(or the rpng2 demo app included in libpng) could receive an extra row of
image data beyond the height reported in the header, potentially leading
to an out-of-bounds write to memory (depending on how the application is
written) and the possibility of execution of an attacker's code with the
privileges of the libpng user (including remote compromise in the case of
a libpng-based browser visiting a hostile web site). This vulnerability
has been assigned ID CVE-2010-1205 (via Mozilla).

An additional memory-leak bug, involving images with malformed sCAL chunks,
is also present; it could lead to an application crash (denial of service)
when viewing such images.


Fix: The API changes in 1.4.3 seem backward compatible.
	Old xv and gqview binaries tested successfully with the new shared lib.

	The dither function has been enabled in the port 1.4.1_1,
	because a few ports still use this API.
	In 1.4.3 the API is back with a new name.
	Old knews binary tested successfully with the new shared lib.

	Impact: Packages should be rebuilt to record the new dependency.

	Please have an exp run to see if there is any breakage.

	Please approve the patch below.
	Update needs approval from portmgr@
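
The description above says the out-of-bounds write depends on how the application is written. As an added example (not part of the original report, the port, or libpng), this sketch shows the application-side check: a row handler that validates the row index against the header height before copying. The struct, the function names and the decoder stand-in are assumptions and do not use the libpng API.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical application-side image state; all names are assumptions. */
struct image {
    uint32_t row_bytes;     /* bytes per row, derived from the header */
    uint32_t height;        /* number of rows reported in the header */
    unsigned char *pixels;  /* height * row_bytes bytes */
    int rejected;           /* rows dropped because they were out of range */
};

/* Allocate the buffer from header values, refusing sizes that overflow. */
int image_init(struct image *img, uint32_t row_bytes, uint32_t height)
{
    if (row_bytes == 0 || height == 0 || height > SIZE_MAX / row_bytes)
        return -1;
    img->row_bytes = row_bytes;
    img->height = height;
    img->rejected = 0;
    img->pixels = calloc(height, row_bytes);
    return img->pixels ? 0 : -1;
}

/* Row handler: validate the index against the header before writing. */
int on_row(struct image *img, const unsigned char *row, uint32_t row_num)
{
    if (row_num >= img->height) {   /* the "extra row" case */
        img->rejected++;
        return -1;
    }
    memcpy(img->pixels + (size_t)row_num * img->row_bytes, row, img->row_bytes);
    return 0;
}

/* Constructed input: a decoder stand-in that delivers height + 1 rows. */
int demo_extra_row(void)
{
    struct image img;
    unsigned char row[8];
    if (image_init(&img, sizeof row, 4) != 0) return -1;
    for (uint32_t r = 0; r <= img.height; r++) {   /* <= sends one row too many */
        memset(row, (int)(r + 1), sizeof row);
        on_row(&img, row, r);
    }
    int rejected = img.rejected;
    free(img.pixels);
    return rejected;
}

int main(void) { return demo_extra_row() == 1 ? 0 : 1; }
```

Without the `row_num >= img->height` check, the fifth row in the stand-in loop would be copied past the end of the four-row buffer.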
Comment 1 Edwin Groothuis freebsd_committer 2010-06-28 17:52:26 UTC
Class Changed
From-To: maintainer-update->change-request

Fix category (submitter is not maintainer) (via the GNATS Auto Assign 
Comment 2 Edwin Groothuis freebsd_committer 2010-06-28 17:52:29 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dinoex

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 3 Dirk Meyer freebsd_committer 2010-06-28 17:58:04 UTC
Responsible Changed
From-To: dinoex->portmgr

over for review and approval
Comment 4 Xin LI freebsd_committer 2010-06-28 18:39:49 UTC
Class Changed
From-To: change-request->maintainer-update

Note that this is a maintainer update.  While I'm there, tag 
it as [security], as this is a rather critical issue.
Comment 5 Pav Lucistnik freebsd_committer 2010-06-29 14:11:06 UTC
State Changed
From-To: open->closed
Comment 6 Pav Lucistnik freebsd_committer 2010-06-29 14:15:10 UTC
Responsible Changed
From-To: portmgr->dinoex

Looks good -- I have just committed it, to cut down on the time the port is still 
forbidden. Hope you don't mind
Comment 7 dfilter service freebsd_committer 2010-06-29 14:15:12 UTC
pav         2010-06-29 13:14:53 UTC

  FreeBSD ports repository

  Modified files:
    graphics/png         Makefile distinfo 
    graphics/png/files   patch-libpng.pc.in 
  Removed files:
    graphics/png/files   patch-pngconf.h 
  - Update to 1.4.3
  PR:             ports/148214
  Submitted by:   dinoex (maintainer)
  Approved by:    portmgr
  Security:       CVE-2010-1205
  Feature safe:   yes
  Revision  Changes    Path
  1.111     +1 -4      ports/graphics/png/Makefile
  1.56      +6 -6      ports/graphics/png/distinfo
  1.5       +1 -1      ports/graphics/png/files/patch-libpng.pc.in
  1.2       +0 -11     ports/graphics/png/files/patch-pngconf.h (dead)