Re: [png-mng-implement] CVE-2004-0421

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

There was a merge of 1.4 fixes with 1.2.30, so all current versions
1.0.x, 1.2.x, 1.4.x, and 1.5.x have the bug that seems to
have reappeared in 1.2.23.

It allows an attacker to write a single character
after the end of the (18+64)-byte buffer (the 65'th
character of the error message or whatever follows
in that memory location beyond the error message; none
of the libpng error messages are that long),
as in CVE-2004-0421.  I don't know if anyone has
figured out how to exploit that vulnerability.

I guess we need to release new libpng-1.0 and 1.2 along
with the planned 1.4 and 1.5, to patch this.

Glenn

----- Original Message -----
From: Glenn Randers-Pehrson <gl...@gm...>
To: PNG/MNG implementation discussion list <png...@li...>
Sent: Tue, 07 Jun 2011 16:37:23 -0000 (UTC)
Subject: Re: [png-mng-implement] CVE-2004-0421

The 1.4 branch happened around 1.2.19 or 1.2.20 so it's possible that
the bugfix did not get propagated to 1.4 and consequently to 1.5.

Glenn