Bug 1124211 - (CVE-2019-7317) VUL-1: CVE-2019-7317: libpng,libpng12,libpng15,libpng12-0,libpng16: libpng has a use-after-free because png_image_free_function is called under png_safe_execute
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/224158/
Whiteboard: CVSSv2:NVD:CVE-2019-7317:2.6:(AV:N/AC...
Reported: 2019-02-04 18:12 UTC by Alexandros Toptsoglou
Modified: 2020-05-12 18:33 UTC (History)
Found By: Security Response Team
Description Alexandros Toptsoglou 2019-02-04 18:12:04 UTC
CVE-2019-7317

png_image_free in png.c in libpng 1.6.36 has a use-after-free because
png_image_free_function is called under png_safe_execute.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-7317
https://github.com/glennrp/libpng/issues/275
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
Comment 1 Alexandros Toptsoglou 2019-02-04 18:24:34 UTC
According to upstream this issue will be fixed in the next update of libpng. A fix with instructions for reproducing the issue can be found at [1]. 
After code review, it seems that all the versions from 1.5.7 and on are affected. Specifically, the vulnerable functionality was introduced with commit [2]. 
Thus regarding our packages:

libpng15 is affected (SLE12SP1)
libpng16 is affected (SLE15 and SLE12)

[1] https://github.com/glennrp/libpng/issues/275
[2] https://github.com/glennrp/libpng/commit/7875d534cb7967a737afdee090dd69e68661d4bf
Comment 2 Petr Gajdos 2019-02-05 15:52:02 UTC
For 1.6.36, I really get:

$ gcc -o png_uar png_uar.c -lasan -lz -lpng
$ ASAN_OPTIONS=detect_stack_use_after_return=1 ./png_uar
=================================================================
==32613==ERROR: AddressSanitizer: stack-use-after-return on address 0x7fc8292000b0 at pc 0x7fc82cd80a0f bp 0x7ffcd8b20370 sp 0x7ffcd8b20368
WRITE of size 8 at 0x7fc8292000b0 thread T0
    #0 0x7fc82cd80a0e in png_safe_execute /usr/src/debug/libpng16-1.6.36-0.x86_64/pngerror.c:954
    #1 0x7fc82cd7d929 in png_image_free /usr/src/debug/libpng16-1.6.36-0.x86_64/png.c:4592
    #2 0x7fc82cd7d929 in png_image_free /usr/src/debug/libpng16-1.6.36-0.x86_64/png.c:4582
    #3 0x7fc82cd809ff in png_safe_execute /usr/src/debug/libpng16-1.6.36-0.x86_64/pngerror.c:958
    #4 0x557e26654241 in main (/124211/png_uar+0x1241)
    #5 0x7fc82cbc301a in __libc_start_main (/lib64/libc.so.6+0x2401a)
    #6 0x557e26654089 in _start (/124211/png_uar+0x1089)

Address 0x7fc8292000b0 is located in stack of thread T0 at offset 48 in frame
    #0 0x7fc82cd7151f in png_image_free_function /usr/src/debug/libpng16-1.6.36-0.x86_64/png.c:4523

  This frame has 1 object(s):
    [32, 80) 'c' <== Memory access at offset 48 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return /usr/src/debug/libpng16-1.6.36-0.x86_64/pngerror.c:954 in png_safe_execute
Shadow bytes around the buggy address:
  0x0ff985237fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985237fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985237fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985237ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985238000: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x0ff985238010: f5 f5 f5 f5 f5 f5[f5]f5 f5 f5 f5 f5 00 00 00 00
  0x0ff985238020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985238030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985238040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985238050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985238060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32613==ABORTING
$
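To make the trace above concrete, here is a constructed model of the control flow behind it. This is an example added by the editor, not code from libpng, from the reporter, or from the png_uar.c reproducer. The names mirror libpng (png_image_free_function, png_safe_execute, png_image_free, the stack copy c, the opaque control and its error_buf), but the structs are trimmed to what the pattern needs, the two g_ globals are instrumentation that libpng does not have, and the "fixed" variant is the shape of the upstream 1.6.37 change as far as the editor knows it (call the free function directly instead of under png_safe_execute). The free function copies the heap control into a stack local c, points image->opaque at that copy and frees the heap control; after it returns, png_safe_execute restores error_buf through image->opaque, which is the 8-byte WRITE into c at pngerror.c:954 that ASAN reports.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Trimmed stand-ins for png_control and png_image (model only, not libpng). */
typedef struct {
    void *error_buf;      /* jmp_buf in use while inside safe_execute, else NULL */
    int   for_write;
} control_t;

typedef struct {
    control_t *opaque;    /* heap-allocated control, like png_image.opaque */
} image_t;

/* Instrumentation (not in libpng): address of the stack copy c, and the
 * address safe_execute wrote error_buf back through. */
static uintptr_t g_stack_copy_addr;
static uintptr_t g_writeback_addr;

/* Mirrors png_image_free_function(): copy the control onto the stack, point
 * image->opaque at the copy, free the heap control, then tear down. */
static int image_free_function(void *argument)
{
    image_t   *image = argument;
    control_t *cp = image->opaque;
    control_t  c;

    if (cp == NULL)
        return 0;
    c = *cp;
    image->opaque = &c;                 /* now points into this frame */
    g_stack_copy_addr = (uintptr_t)&c;
    free(cp);
    /* png_destroy_read_struct()/png_destroy_write_struct() on the copy would
     * go here; nothing more is needed to show the pattern. */
    return 1;                           /* c dies here; &c becomes dangling */
}

/* Mirrors png_safe_execute(): run fn(arg) inside a setjmp error context,
 * then restore error_buf through image->opaque after fn has returned. */
static int safe_execute(image_t *image, int (*fn)(void *), void *arg)
{
    void *volatile saved = image->opaque->error_buf;
    jmp_buf safe_jmpbuf;
    volatile int result = 0;

    if (setjmp(safe_jmpbuf) == 0) {
        image->opaque->error_buf = &safe_jmpbuf;
        result = fn(arg);
    }
    /* If fn retargeted image->opaque at its own local, this store lands in a
     * returned frame: the stack-use-after-return at pngerror.c:954. */
    g_writeback_addr = (uintptr_t)image->opaque;
    image->opaque->error_buf = saved;
    return result;
}

/* png_image_free() as in libpng 1.6.36: the free function runs under
 * safe_execute, so the write-back above happens after c is gone. */
void image_free_buggy(image_t *image)
{
    if (image != NULL && image->opaque != NULL &&
        image->opaque->error_buf == NULL) {
        (void)safe_execute(image, image_free_function, image);
        image->opaque = NULL;
    }
}

/* Hardened form (shape of the upstream 1.6.37 fix, as the editor understands
 * it): call the free function directly, so nothing dereferences
 * image->opaque once the stack copy has gone out of scope. */
void image_free_fixed(image_t *image)
{
    if (image != NULL && image->opaque != NULL &&
        image->opaque->error_buf == NULL) {
        (void)image_free_function(image);
        image->opaque = NULL;
    }
}

/* Runs one tear-down on a fresh image and returns 1 if error_buf was written
 * back through the dead stack copy, 0 if no such write-back happened,
 * -1 on allocation failure. */
int writes_back_through_dead_frame(void (*image_free)(image_t *))
{
    control_t *cp = calloc(1, sizeof *cp);
    image_t image = { cp };

    if (cp == NULL)
        return -1;
    g_stack_copy_addr = g_writeback_addr = 0;
    image_free(&image);
    return image.opaque == NULL && g_writeback_addr != 0 &&
           g_writeback_addr == g_stack_copy_addr;
}

int main(void)
{
    printf("1.6.36 pattern writes into dead frame: %d\n",
           writes_back_through_dead_frame(image_free_buggy));
    printf("direct call writes into dead frame:    %d\n",
           writes_back_through_dead_frame(image_free_fixed));
    return 0;
}
```

Built plainly, the buggy path runs silently: the stray store goes into stack memory below the current frame that nothing is using at that instant, which is why the defect survived until a fuzzer ran it under AddressSanitizer. Built with -fsanitize=address and run with ASAN_OPTIONS=detect_stack_use_after_return=1 (the runtime has to support that option), the image_free_buggy path produces a stack-use-after-return report on the write-back line, in the same shape as the one above; image_free_fixed produces none, because image->opaque is never touched after image_free_function's frame is gone.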
Comment 3 Petr Gajdos 2019-02-05 16:13:06 UTC
15/libpng16: get the ASAN report
12/libpng16: do not get the ASAN report
Comment 4 Petr Gajdos 2019-02-06 13:38:18 UTC
As far as I can see, 12sp1/libpng15. According to CHANGES:

Version 1.5.7beta02 [November 11, 2011]
  Simplified read/write API initial version; basic read/write tested on
    a variety of images, limited documentation (in the header file.)
[..]
Version 1.5.7beta05 [November 25, 2011]
  Backed out 'simplified' API changes. The API seems too complex and there
    is a lack of consensus or enthusiasm for the proposals.  The API also
    reveals significant bugs inside libpng (double gamma correction and the
    known bug of being unable to retrieve a corrected palette). It seems
    better to wait until the bugs, at least, are corrected.

As far as I can see, they never got it back into 1.5. So it seems it is 1.6-specific.

Even though Cosmin has already posted a patch as a comment in the bug, I would rather wait a while for its inclusion into the code base.
Comment 5 Petr Gajdos 2019-02-06 13:38:56 UTC
(In reply to Petr Gajdos from comment #4)
> As far as I can see, 12sp1/libpng15. According to CHANGES:

As far as I can see, 12sp1/libpng15 is not affected.
Comment 6 Petr Gajdos 2019-04-17 06:35:32 UTC
I think asan has no detect_stack_use_after_return feature in 12.
Comment 7 Petr Gajdos 2019-04-17 06:35:59 UTC
(At least that is what strings says.)
Comment 8 Petr Gajdos 2019-04-17 06:49:08 UTC
AFTER

15/libpng16

$ ./png_uar
$
Comment 9 Petr Gajdos 2019-04-17 06:54:29 UTC
Packages submitted for 15,12/libpng16.
Comment 10 Petr Gajdos 2019-04-17 06:54:46 UTC
I believe all fixed.
Comment 12 Swamp Workflow Management 2019-05-31 14:23:48 UTC
SUSE-SU-2019:1398-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1100687,1121624,1124211
CVE References: CVE-2018-13785,CVE-2019-7317
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    libpng16-1.6.34-3.9.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    libpng16-1.6.34-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-06-07 19:10:42 UTC
openSUSE-SU-2019:1530-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1100687,1121624,1124211
CVE References: CVE-2018-13785,CVE-2019-7317
Sources used:
openSUSE Leap 15.1 (src):    libpng16-1.6.34-lp151.3.3.1
openSUSE Leap 15.0 (src):    libpng16-1.6.34-lp150.2.3.1
Comment 14 Swamp Workflow Management 2019-07-05 16:15:25 UTC
SUSE-SU-2019:1398-2: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1100687,1121624,1124211
CVE References: CVE-2018-13785,CVE-2019-7317
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libpng16-1.6.34-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libpng16-1.6.34-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2019-11-25 20:16:38 UTC
SUSE-SU-2019:3060-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1124211,1141493
CVE References: CVE-2017-12652,CVE-2019-7317
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP5 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP4 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    libpng16-1.6.8-15.5.2
SUSE CaaS Platform 3.0 (src):    libpng16-1.6.8-15.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-03-03 14:14:08 UTC
SUSE-SU-2019:3060-2: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1124211,1141493
CVE References: CVE-2017-12652,CVE-2019-7317
Sources used:
SUSE OpenStack Cloud 8 (src):    libpng16-1.6.8-15.5.2
SUSE OpenStack Cloud 7 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    libpng16-1.6.8-15.5.2
SUSE Enterprise Storage 5 (src):    libpng16-1.6.8-15.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Alexandros Toptsoglou 2020-04-29 14:01:34 UTC
Done