Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2007-5269

Published: 8 October 2007

Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21 allow remote attackers to cause a denial of service (crash) via crafted (1) pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt (png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT (png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read operations.

Notes

AuthorNote
jdstrand
assigned medium because of wide install base
looking at diff between 1.2.20 and 1.2.21, it appears that Ubuntu
is affected, though Debian thinks not.  After weeding out the changes,
there are 9 chunks over pngpread.c and pngrutil.c that appear to be for
this CVE (the original patch improperly used png_strncpy, where our versions
have png_strcpy).  TODO: get a reproducer and/or verify png_strcpy is really
not vulnerable.
after talking on IRC, Debian agreed they are in fact affected
2007/10/24 RH update:
https://rhn.redhat.com/errata/RHSA-2007-0992.html
RH has added code to pngrtran.c that was not included upstream.
Sticking with changes to pngpread.c and pngrutil.c until upstream can
provide a reproducer.

Priority

Medium

Status

Package Release Status
libpng
Launchpad, Ubuntu, Debian
upstream
Released (1.0.29 and 1.2.21)
dapper
Released (1.2.8rel-5ubuntu0.3)
edgy
Released (1.2.8rel-5.1ubuntu0.3)
feisty
Released (1.2.15~beta5-1ubuntu1.1)
gutsy
Released (1.2.15~beta5-2ubuntu0.1)