libpng malformed cHRM divide-by-zero vulnerability

2011-09-22T00:00:00
ID VU:477046
Type cert
Reporter CERT
Modified 2011-09-23T11:27:00

Description

Overview

libpng crashes when processing malformed cHRM chunks.

Description

When libpng encounters a cHRM chunk that is malformed it will perform a divide-by-zero causing libpng to crash. This bug was introduced in libpng version 1.5.4 and has been fixed in libpng version 1.5.5.


Impact

By tricking a user into opening a specifically crafted PNG file within an application that uses libpng, an attacker may be able to cause a denial of service crash.

The PNG Development Group has stated that: Such malformed PNG files are not necessarily malevolent (ones have been observed on the Internet that were created by accident) but they will cause a crash anyway.


Solution

Apply an Update

This vulnerability is addressed in the following libpng versions: libpng-1.5.5


The PNG Development Group recommends upgrading to libpng-1.5.5. However, if you must continue to use libpng-1.5.4, you can apply the following patch to libpng-1.5.4:

_--- a/libpng/pngrutil.c
+++ b/libpng/pngrutil.c
@@ -1037,12 +1037,15 @@ png_handle_cHRM(png_structp png_ptr, png_infop
info_ptr, png_uint_32 length)
*/
png_uint_32 w = y_red + y_green + y_blue;

- png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red
- 32768)/w);
- png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
- * 32768)/w);
- png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue

- 32768)/w);
+ if (w != 0)
+ {
+ png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red
+ 32768)/w);
+ png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
+ * 32768)/w);
+ png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue

+ 32768)/w);
+ }
}
}

endif_


Vendor Information

According to The PNG Development Group: Those that use a "system" libpng that happens to be libpng-1.5.4 are vulnerable to a divide-by-zero crash. Mozilla products that use the embedded libpng are not vulnerable.


477046

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Affected Unknown __ Unaffected

Javascript is disabled. Click here to view vendors.

__ libpng

Updated: September 22, 2011

Status

__ Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

<ftp://ftp.simplesystems.org/pub/png/src http://libpng.sf.net/index.html>

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

Credit

Thanks to Glenn Randers-Pehrson of the PNG Development Group for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: | CVE, 2011-3328
---|---
Severity Metric:** | 0.06
Date Public:
| 2011-09-22
Date First Published: | 2011-09-22
Date Last Updated: | 2011-09-23 11:27 UTC
Document Revision: | 15