Bug 1100687 (CVE-2018-13785) - VUL-1: CVE-2018-13785: libpng,libpng12,libpng15,libpng12-0,libpng16: wrong calculation of row_factor in thepng_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while
Status: RESOLVED FIXED
Alias: CVE-2018-13785
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/210174/
Whiteboard: CVSSv3:SUSE:CVE-2018-13785:3.3:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-10 06:23 UTC by Marcus Meissner
Modified: 2023-04-07 08:56 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments:
crash1.png (1.99 KB, image/png), 2018-07-10 06:43 UTC, Marcus Meissner

Description Marcus Meissner 2018-07-10 06:23:04 UTC
CVE-2018-13785

In libpng 1.6.34, a wrong calculation of row_factor in the
png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and
resultant divide-by-zero while processing a crafted PNG file, leading to a
denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13785
https://sourceforge.net/p/libpng/bugs/278/
https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2
Comment 1 Marcus Meissner 2018-07-10 06:43:47 UTC
Created attachment 776528
crash1.png

reproducer, but with invalid CRC, so our tools won't see it
Comment 3 Karol Babioch 2018-07-19 14:31:58 UTC
The code in question has been moved into its own function with upstream commit 2dca15686f. Beforehand it resided in png_push_read_chunk() in pngpread.c. The vulnerable code itself was added with 095b4ce16b:

+         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+          + 1 + (png_ptr->interlaced? 6: 0));
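Review bot: the multiplication on the first `+` line is carried out in 32-bit unsigned arithmetic (IHDR width and the channel count are both 32-bit-or-narrower header fields), so a sufficiently large width makes `width * channels * (bit_depth > 8 ? 2 : 1)` wrap modulo 2^32, and with the trailing `+ 1` (and optional `+ 6`) the whole row_factor can land on exactly zero; that zero is then used as a divisor, which is the divide-by-zero this bug describes. Widen the operands before multiplying (for example, cast `png_ptr->width` to `size_t` first) and reject a row_factor that is zero or does not fit the 32-bit quantity the caller expects before it is ever used in a division.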

This commit first appeared in release v1.6.32. Hence all older versions of libpng should be vulnerable.

Only libpng16 for the following codestreams needs to be addressed:

SUSE:SLE-12:Update
SUSE:SLE-15:Update
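An added example, not libpng's code and not from this bug's reporters: it reconstructs the arithmetic quoted in comment 3 in a hypothetical header struct (`ihdr_t`, `row_factor_wrapping`, `row_factor_checked` and `per_row_budget` are all names invented here) to show how the 32-bit product wraps to exactly zero for a constructed width, how a downstream division then faults, and how a widened, checked computation rejects the same header instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the IHDR fields libpng keeps in png_ptr
   (the struct and all function names below are this example's, not libpng's). */
typedef struct {
    uint32_t width;      /* IHDR width; PNG caps it at 2^31 - 1 */
    uint32_t height;
    uint8_t  channels;   /* 1..4, derived from the colour type */
    uint8_t  bit_depth;  /* 1, 2, 4, 8 or 16 */
    uint8_t  interlaced; /* 0 or 1 */
} ihdr_t;

/* Same arithmetic as the two '+' lines quoted in comment 3. Every operand is
   at most 32 bits wide, so the product is evaluated modulo 2^32 and the whole
   expression can wrap to exactly 0. */
uint32_t row_factor_wrapping(const ihdr_t *h)
{
    return h->width * h->channels * (h->bit_depth > 8 ? 2 : 1)
           + 1 + (h->interlaced ? 6 : 0);
}

/* Hardened form: widen before multiplying, then refuse any factor that does
   not fit the 32-bit quantity a caller expects to divide by or multiply with.
   Returns 0 on success, -1 on rejection; 'out' may be NULL. */
int row_factor_checked(const ihdr_t *h, uint64_t *out)
{
    uint64_t rf = (uint64_t)h->width * h->channels * (h->bit_depth > 8 ? 2 : 1)
                  + 1 + (h->interlaced ? 6 : 0);
    if (rf == 0 || rf > UINT32_MAX)
        return -1;
    if (out)
        *out = rf;
    return 0;
}

/* A consumer that divides by the factor, as the report says the affected
   libpng did. Returns -1 instead of faulting on a zero divisor; 'out' may be NULL. */
int per_row_budget(uint32_t total, uint32_t row_factor, uint32_t *out)
{
    if (row_factor == 0)
        return -1;
    if (out)
        *out = total / row_factor;
    return 0;
}

/* Constructed inputs. 'crafted' is 8-bit RGB, not interlaced, width 0x55555555:
   0x55555555 * 3 == 0xFFFFFFFF, and the trailing "+ 1" wraps the 32-bit factor
   to exactly 0. 'sane' is an ordinary 100x100 8-bit RGB image. */
const ihdr_t crafted = { 0x55555555u, 1u, 3, 8, 0 };
const ihdr_t sane    = { 100u, 100u, 3, 8, 0 };

int main(void)
{
    uint64_t rf = 0;
    printf("sane:    32-bit row_factor = %u\n", row_factor_wrapping(&sane));    /* 301 */
    printf("crafted: 32-bit row_factor = %u\n", row_factor_wrapping(&crafted)); /* 0 */
    printf("crafted: division %s\n",
           per_row_budget(0x7FFFFFFFu, row_factor_wrapping(&crafted), NULL) == 0
               ? "ok" : "refused (zero divisor)");
    printf("crafted: widened check %s\n",
           row_factor_checked(&crafted, &rf) == 0
               ? "ok" : "rejected (does not fit 32 bits)");
    return 0;
}
```

The width 0x55555555 is below the 2^31 - 1 limit PNG places on IHDR dimensions, so the wrapping version has no way to tell the crafted header from a legitimate one until the zero reaches a divisor; widening to 64 bits makes the oversized factor visible and lets the checked version reject the header up front.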
Comment 4 Petr Gajdos 2018-08-01 07:50:15 UTC
(In reply to Marcus Meissner from comment #1)
> Created attachment 776528
> crash1.png
> 
> reproducer, but with invalid CRC, so our tools won't see it

Indeed.

$ identify crash1.png
identify: IHDR: CRC error `crash1.png' @ error/png.c/MagickPNGErrorHandler/1711.
$
Comment 5 Swamp Workflow Management 2018-08-01 08:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1100687) was mentioned in
https://build.opensuse.org/request/show/626863 Factory / libpng16
Comment 7 Petr Gajdos 2018-08-01 09:13:31 UTC
I think only devel/libpng16 and 15/libpng16 are affected by CVE-2018-13785.

Packages submitted.
Comment 12 Swamp Workflow Management 2019-05-31 14:23:32 UTC
SUSE-SU-2019:1398-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1100687,1121624,1124211
CVE References: CVE-2018-13785,CVE-2019-7317
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    libpng16-1.6.34-3.9.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    libpng16-1.6.34-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-06-07 19:10:27 UTC
openSUSE-SU-2019:1530-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1100687,1121624,1124211
CVE References: CVE-2018-13785,CVE-2019-7317
Sources used:
openSUSE Leap 15.1 (src):    libpng16-1.6.34-lp151.3.3.1
openSUSE Leap 15.0 (src):    libpng16-1.6.34-lp150.2.3.1
Comment 14 Swamp Workflow Management 2019-07-05 16:15:11 UTC
SUSE-SU-2019:1398-2: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1100687,1121624,1124211
CVE References: CVE-2018-13785,CVE-2019-7317
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libpng16-1.6.34-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libpng16-1.6.34-3.9.1
Comment 15 Alexandros Toptsoglou 2020-07-10 11:41:29 UTC
Done