Bug 856522 - (CVE-2013-6954) VUL-0: CVE-2013-6954: libpng: unhandled zero-length PLTE chunk or NULL palette
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Reported: 2013-12-20 14:17 UTC by Victor Pereira
Modified: 2015-02-19 01:35 UTC (History)
Description Victor Pereira 2013-12-20 14:17:43 UTC
Handle zero-length PLTE chunk or NULL palette with png_error() instead of png_chunk_report(), which by default issues a warning rather than an error, leading to later reading from a NULL pointer (png_ptr->palette) in png_do_expand_palette().

References:

http://sourceforge.net/projects/libpng/files/libpng16/1.6.8/Gnupg/
Comment 1 Swamp Workflow Management 2013-12-23 23:00:11 UTC
bugbot adjusting priority
Comment 3 Petr Gajdos 2014-01-03 09:42:48 UTC
Do we have any testcase?
Comment 4 Petr Gajdos 2014-01-03 10:05:40 UTC
Or better testcases, as there are two fixes.
Comment 5 Sebastian Krahmer 2014-01-06 09:39:42 UTC
I could not find testcases, exploit or PoC. :/
Comment 17 Petr Gajdos 2014-01-10 10:54:45 UTC
libpng 12 and libpng 15 are *not* affected.
Comment 18 Petr Gajdos 2014-01-10 10:55:25 UTC
Factory has 1.6.8, thus fixed.
Comment 19 Petr Gajdos 2014-01-10 10:55:55 UTC
What remains is libpng 1.6.6 in 13.1.
Comment 20 Petr Gajdos 2014-01-10 11:04:02 UTC
There:
alef:/856522> gcc -o rpng-plte rpng-plte.c -lpng
alef:/856522> gdb rpng-plte
(gdb) run
libpng warning: PLTE: Invalid palette
10x10 colortype: 3 bitdepth: 8

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bbc74f in png_do_expand_palette (row_info=row_info@entry=0x7fffffffe660, row=<optimized out>, palette=0x0, trans_alpha=0x0, num_trans=<optimized out>) at pngrtran.c:4675
4675	                  *dp-- = palette[*sp].blue;
(gdb) p palette
$1 = (const png_color *) 0x0

After fix:
alef:/856522> ./rpng-plte
libpng error: Invalid palette
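The description above and the gdb session in comment 20 show the input condition: a colour type 3 (paletted) image whose PLTE chunk has zero length, which an unpatched libpng 1.6 only warns about before png_do_expand_palette() dereferences the NULL palette pointer. The following C program is an added example, not code from this bug report or from libpng: a stand-alone pre-check that walks a PNG's chunk list and rejects such an input before it reaches the decoder. It works on constructed in-memory byte sequences rather than real files, leaves the CRC fields as zero placeholders because it does not verify CRCs, and the function names (check_plte, build_sample, check_sample) and the plte_check enum are hypothetical.

```c
/* Added example (not from the bug report or libpng): a stand-alone pre-check
 * that walks a PNG's chunk list and rejects the input condition behind
 * CVE-2013-6954 -- a colour type 3 (paletted) image whose PLTE chunk is empty.
 * Function and enum names are hypothetical. CRC fields are not verified. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};

enum plte_check {
    PLTE_OK = 0,         /* usable PLTE, or PLTE not required for this colour type */
    PLTE_BAD_SIGNATURE,  /* not a PNG */
    PLTE_TRUNCATED,      /* chunk runs past the end of the buffer, or no IHDR */
    PLTE_MISSING,        /* colour type 3 but no PLTE before IDAT/IEND */
    PLTE_EMPTY,          /* colour type 3 with zero-length PLTE: the CVE-2013-6954 trigger */
    PLTE_INVALID_LENGTH  /* length not a multiple of 3, or more than 256 entries */
};

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Inspect the chunk list up to the first IDAT (the spec requires PLTE before IDAT). */
enum plte_check check_plte(const uint8_t *buf, size_t len) {
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return PLTE_BAD_SIGNATURE;
    size_t off = 8;
    int color_type = -1, seen_plte = 0;
    enum plte_check plte_status = PLTE_OK;

    while (off + 12 <= len) {                 /* length(4) + type(4) + crc(4) */
        uint32_t clen = rd_be32(buf + off);
        const uint8_t *type = buf + off + 4;
        const uint8_t *data = buf + off + 8;
        if (clen > 0x7fffffffU || (size_t)clen > len - off - 12) return PLTE_TRUNCATED;

        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return PLTE_TRUNCATED;
            color_type = data[9];             /* width(4) height(4) depth(1) colour type(1) ... */
        } else if (memcmp(type, "PLTE", 4) == 0) {
            seen_plte = 1;
            if (clen == 0) plte_status = PLTE_EMPTY;
            else if (clen % 3 != 0 || clen > 3 * 256) plte_status = PLTE_INVALID_LENGTH;
        } else if (memcmp(type, "IDAT", 4) == 0 || memcmp(type, "IEND", 4) == 0) {
            break;
        }
        off += 12 + clen;
    }
    if (color_type < 0) return PLTE_TRUNCATED;   /* no IHDR seen: malformed header */
    if (color_type != 3) return PLTE_OK;         /* only paletted images are expanded via PLTE */
    return seen_plte ? plte_status : PLTE_MISSING;
}

/* Constructed test vectors: signature + IHDR (10x10, 8-bit) + PLTE of plte_len
 * bytes (at most 768) + IEND. CRC fields are zero placeholders. */
static size_t put_chunk(uint8_t *out, const char *type, const uint8_t *data, uint32_t n) {
    out[0] = (uint8_t)(n >> 24); out[1] = (uint8_t)(n >> 16);
    out[2] = (uint8_t)(n >> 8);  out[3] = (uint8_t)n;
    memcpy(out + 4, type, 4);
    if (n) memcpy(out + 8, data, n);
    memset(out + 8 + n, 0, 4);                /* CRC placeholder, not checked here */
    return 12 + n;
}

size_t build_sample(uint8_t *out, uint32_t plte_len, uint8_t color_type) {
    uint8_t ihdr[13] = {0, 0, 0, 10, 0, 0, 0, 10, 8, color_type, 0, 0, 0};
    static const uint8_t plte[3 * 256] = {0};
    size_t n = 8;
    memcpy(out, PNG_SIG, 8);
    n += put_chunk(out + n, "IHDR", ihdr, 13);
    n += put_chunk(out + n, "PLTE", plte, plte_len);
    n += put_chunk(out + n, "IEND", NULL, 0);
    return n;
}

/* Build a sample with the given palette length and colour type, then check it. */
enum plte_check check_sample(uint32_t plte_len, uint8_t color_type) {
    uint8_t buf[1024];
    size_t n = build_sample(buf, plte_len, color_type);
    return check_plte(buf, n);
}

int main(void) {
    printf("colour type 3, empty PLTE   -> %d (PLTE_EMPTY is %d)\n", check_sample(0, 3), PLTE_EMPTY);
    printf("colour type 3, 2-entry PLTE -> %d (PLTE_OK is %d)\n", check_sample(6, 3), PLTE_OK);
    return 0;
}
```

A filter of this kind is an intake-side mitigation for hosts that cannot yet take the patched package; it does not replace the libpng fix, which turns the condition into a hard png_error() so the decoder never reaches the palette expansion with a NULL pointer.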
Comment 24 Victor Pereira 2014-01-10 11:58:48 UTC
fixed
Comment 25 Swamp Workflow Management 2014-01-20 11:07:02 UTC
openSUSE-SU-2014:0100-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 856522
CVE References: CVE-2013-6954
Sources used:
openSUSE 13.1 (src):    libpng16-1.6.6-8.1