Skip to content. | Skip to navigation

Personal tools
You are here: Home News 080509 libpng-1.2.29

080509 libpng-1.2.29

— filed under:

Libpng security update

Libpng-1.2.26 security advisory

A security issue was found in libpng:

Libpng-1.2.26 security advisory -- April 12, 2008; revised April 14, 2008

This bug has been identified as CVE-2008-1382.

Tavis Ormandy advised us of a bug in libpng in its handling of
unknown chunks with zero data length.

We have examined the report and find that the bug exists in all
libpng versions since 1.0.6.  It only manifests itself when all
three of the following conditions exist:

   1. The application is loaded with libpng-1.0.6 through 1.0.32,
      libpng-1.2.0 through 1.2.26, or libpng-1.4.0beta01 through
      libpng-1.4.0beta19, and

   2. libpng was built with PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
      or with PNG_READ_USER_CHUNKS_SUPPORTED (both are active
      in default libpng installations), and

   3. the application includes either a call to

          png_set_read_user_chunk_fn(png_ptr, user_ptr, callback_fn)

      or a call to

          png_set_keep_unknown_chunks(png_ptr, keep, list, N)

             with keep = PNG_HANDLE_CHUNK_IF_SAFE (2)
             or   keep = PNG_HANDLE_CHUNK_ALWAYS  (3)

We believe this is a rare circumstance.  It occurs in "pngtest"
that is a part of the libpng distribution, in pngcrush, and in
recent versions of ImageMagick (6.2.5 through 6.4.0-4).  We are
not aware of any other vulnerable applications.
When an application with the bug is run, libpng will generate spurious
warning messages about a CRC error in the zero-length chunk and an
out-of-memory condition, unless warnings are being suppressed.  There
is not actually a memory overflow, but the NULL pointer returned from
the memory allocator when it tries to generate a zero-length buffer
for the chunk data triggers the warning.  Later, there may be an error
when the application tries to free the non-existent buffer.  This has
been observed to cause a segmentation violation in pngtest.

Libpng-1.2.27 and later, and 1.0.33 and later, will not be vulnerable.
These are in beta and will be released on or about April 30, 2008.
Libpng-1.2.27beta01, which was released on April 12, is also not

We recommend to upgrade libpng from the testing repository:

root:# slapt-get --update && slapt-get --install libpng

Document Actions