Ubuntu
libpng package

CVE-2010-0205 libpng stalls and consumes large quantities of memory while processing certain PNG files

Bug #533140 reported by Anibal Monsalve Salazar on 2010-03-06

260

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	libpng (Debian)	Fix Released	Unknown	debbugs #572308
	libpng (Ubuntu)	Fix Released	Medium	Unassigned

Bug Description

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
https://www.kb.cert.org/vuls/id/576029

libpng stalls on highly compressed ancillary chunks

Libpng stalls and consumes large quantities of memory while processing
certain Portable Network Graphics (PNG) files.

When processing PNG files containing highly compressed ancillary chunks,
the png_decompress_chunk() function in libpng can consume large amounts
of CPU time and memory. This resource consumption may hang applications
that use libpng. More information is available in the PNG Development
Group security advisory and supplementary document, Defending Libpng
Applications Against Decompression Bombs.

This vulnerability could allow an unauthenticated, remote attacker to
cause a denial of service.

http://libpng.sourceforge.net/decompression_bombs.html

Libpng provides functions to limit memory consumption and number of
cached ancillary chunks. Applications that use libpng should use these
functions to set appropriate limits. Please see defense #2 in the
document Defending Libpng Applications Against Decompression Bombs (see
web page above) for more information.

Developers who build versions of libpng can choose to ignore ancillary
chunks by defining specific preprocessor macros. Please see defense #3
in the document Defending Libpng Applications Against Decompression
Bombs (see web page above) for more information.

Related branches

lp:ubuntu/jaunty-security/libpng

lp:ubuntu/intrepid-security/libpng

lp:ubuntu/karmic-security/libpng

lp:ubuntu/dapper-security/libpng

lp:ubuntu/hardy-security/libpng

lp:ubuntu/lucid/libpng

CVE References

2010-0205

Marc Deslauriers (mdeslaur) on 2010-03-09

visibility:	private → public
Changed in libpng (Ubuntu):
status:	New → Confirmed
importance:	Undecided → Medium

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-03-16:

This bug was fixed in the package libpng - 1.2.37-1ubuntu0.1

---------------
libpng (1.2.37-1ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: denial of service via decompression bomb (LP: #533140)
    - debian/patches/02-CVE-2010-0205.patch: use new two-pass decompression
      method in pngrutil.c.
    - CVE-2010-0205
-- Marc Deslauriers <email address hidden> Fri, 12 Mar 2010 10:53:26 -0500

Changed in libpng (Ubuntu):
status:	Confirmed → Fix Released

Bug Watch Updater (bug-watch-updater) on 2010-04-01

Changed in libpng (Debian):
status:	Unknown → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #572308
[done serious security] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntulibpng package