Bug 856522 - (CVE-2013-6954) VUL-0: CVE-2013-6954: libpng: unhandled zero-length PLTE chunk or NULL palette
VUL-0: CVE-2013-6954: libpng: unhandled zero-length PLTE chunk or NULL palette
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2013-12-20 14:17 UTC by Victor Pereira
Modified: 2015-02-19 01:35 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2013-12-20 14:17:43 UTC
Handle zero-length PLTE chunk or NULL palette with png_error() instead of png_chunk_report(), which by default issues a warning rather than an error, leading to later reading from a NULL pointer (png_ptr->palette) in png_do_expand_palette().


Comment 1 Swamp Workflow Management 2013-12-23 23:00:11 UTC
bugbot adjusting priority
Comment 3 Petr Gajdos 2014-01-03 09:42:48 UTC
Do we have any testcase?
Comment 4 Petr Gajdos 2014-01-03 10:05:40 UTC
Or better testcases, as there are two fixes.
Comment 5 Sebastian Krahmer 2014-01-06 09:39:42 UTC
I could not find testcases, exploit or PoC. :/
Comment 17 Petr Gajdos 2014-01-10 10:54:45 UTC
libpng 12 and lipbng 15 are *not* affected.
Comment 18 Petr Gajdos 2014-01-10 10:55:25 UTC
Factory has 1.6.8, thus fixed.
Comment 19 Petr Gajdos 2014-01-10 10:55:55 UTC
What remains is libpng 1.6.6 in 13.1.
Comment 20 Petr Gajdos 2014-01-10 11:04:02 UTC
alef:/856522> gcc -o rpng-plte rpng-plte.c -lpng
alef:/856522> gdb rpng-plte
(gdb) run
libpng warning: PLTE: Invalid palette
10x10 colortype: 3 bitdepth: 8

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bbc74f in png_do_expand_palette (row_info=row_info@entry=0x7fffffffe660, row=<optimized out>, palette=0x0, trans_alpha=0x0, num_trans=<optimized out>) at pngrtran.c:4675
4675	                  *dp-- = palette[*sp].blue;
(gdb) p palette
$1 = (const png_color *) 0x0

After fix:
alef:/856522> ./rpng-plte
libpng error: Invalid palette
Comment 24 Victor Pereira 2014-01-10 11:58:48 UTC
Comment 25 Swamp Workflow Management 2014-01-20 11:07:02 UTC
openSUSE-SU-2014:0100-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 856522
CVE References: CVE-2013-6954
Sources used:
openSUSE 13.1 (src):    libpng16-1.6.6-8.1