From: <gl...@co...> - 2011-06-07 17:27:44
There was a merge of 1.4 fixes with 1.2.30, so all current versions 1.0.x, 1.2.x, 1.4.x, and 1.5.x have the bug that seems to have reappeared in 1.2.23. It allows an attacker to write a single character after the end of the (18+64)-byte buffer (the 65th character of the error message, or whatever follows in that memory location beyond the error message; none of the libpng error messages are that long), as in CVE-2004-0421. I don't know if anyone has figured out how to exploit that vulnerability.

I guess we need to release new libpng-1.0 and 1.2 along with the planned 1.4 and 1.5, to patch this.

Glenn

----- Original Message -----
From: Glenn Randers-Pehrson <gl...@gm...>
To: PNG/MNG implementation discussion list <png...@li...>
Sent: Tue, 07 Jun 2011 16:37:23 -0000 (UTC)
Subject: Re: [png-mng-implement] CVE-2004-0421

The 1.4 branch happened around 1.2.19 or 1.2.20 so it's possible that the bugfix did not get propagated to 1.4 and consequently to 1.5.

Glenn
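The one-byte overrun described in the message above, as an added example. This is not libpng's code and is not from the thread; it is a toy error-message formatter that models the defect class using the shape Glenn gives: a 4-byte chunk name expanded to at most 16 bytes plus ": " (the 18), followed by up to 64 message bytes, written into an (18+64)-byte buffer. In the model the byte that lands past the end is the string terminator, and it is written only when the chunk name needs the full 18-byte prefix and the message is at least 64 characters, which is why a library whose own messages are all shorter does not trip it in normal use. All function names, the sentinel check and the sample chunk names and messages are constructed for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PNG_MAX_ERROR_TEXT 64                   /* message bytes the formatter may use */
#define MSG_BUF_SIZE (18 + PNG_MAX_ERROR_TEXT)  /* the (18+64)-byte buffer from the thread */
#define SENTINEL 0x5A                           /* marker placed just past that buffer */

/* Constructed inputs for the demo, not real libpng chunk names or messages. */
static const unsigned char BINARY_CHUNK[4] = {0x00, 0x01, 0xFE, 0xFF}; /* escapes to 16 bytes */
static const unsigned char IHDR_CHUNK[4]   = {'I', 'H', 'D', 'R'};     /* stays 4 bytes */
static const char SHORT_MESSAGE[] = "invalid chunk length";             /* 20 bytes */
static const char LONG_MESSAGE[]  = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"
                                    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"; /* 64 bytes */

typedef void (*format_fn)(const unsigned char chunk_name[4], char *buffer, const char *msg);

/* Write the chunk name, escaping each non-alphanumeric byte as [xx], then ": ".
 * Worst case is 4 * 4 + 2 = 18 bytes, the 18 in (18+64). Returns bytes written. */
static int format_chunk_prefix(const unsigned char chunk_name[4], char *buffer)
{
    static const char hex[] = "0123456789ABCDEF";
    int iout = 0;

    for (int iin = 0; iin < 4; iin++) {
        int c = chunk_name[iin];
        if (isalnum(c)) {
            buffer[iout++] = (char)c;
        } else {
            buffer[iout++] = '[';
            buffer[iout++] = hex[(c & 0xF0) >> 4];
            buffer[iout++] = hex[c & 0x0F];
            buffer[iout++] = ']';
        }
    }
    buffer[iout++] = ':';
    buffer[iout++] = ' ';
    return iout;
}

/* Buggy model: copies up to 64 message bytes into buffer[iout .. iout+63]. With the full
 * 18-byte prefix and a message of 64 or more bytes, iout reaches 82 and the terminator is
 * written one byte past the end of an 82-byte buffer. */
static void format_buffer_buggy(const unsigned char chunk_name[4], char *buffer, const char *msg)
{
    int iout = format_chunk_prefix(chunk_name, buffer);
    int iin = 0;

    while (iin < PNG_MAX_ERROR_TEXT && msg[iin] != '\0')
        buffer[iout++] = msg[iin++];
    buffer[iout] = '\0';
}

/* Fixed model: reserves one of the 64 bytes for the terminator, so at most 63 message bytes
 * are copied and iout is at most 18 + 63 = 81, always inside the buffer. */
static void format_buffer_fixed(const unsigned char chunk_name[4], char *buffer, const char *msg)
{
    int iout = format_chunk_prefix(chunk_name, buffer);
    int iin = 0;

    while (iin < PNG_MAX_ERROR_TEXT - 1 && msg[iin] != '\0')
        buffer[iout++] = msg[iin++];
    buffer[iout] = '\0';
}

/* Run a formatter against an (18+64)-byte buffer followed by one sentinel byte. The storage
 * is one byte larger than the (18+64) bytes the formatter assumes, so an off-by-one write
 * lands on memory we own and can inspect, not on whatever a real caller keeps there.
 * Returns 1 if the sentinel was overwritten, 0 if it survived. */
static int overruns_buffer(format_fn fmt, const unsigned char chunk_name[4], const char *msg)
{
    unsigned char storage[MSG_BUF_SIZE + 1];

    memset(storage, SENTINEL, sizeof storage);
    fmt(chunk_name, (char *)storage, msg);
    return storage[MSG_BUF_SIZE] != SENTINEL;
}

/* Length of the string a formatter produces, measured in the same oversized storage. */
static int formatted_length(format_fn fmt, const unsigned char chunk_name[4], const char *msg)
{
    char storage[MSG_BUF_SIZE + 1];

    memset(storage, 0, sizeof storage);
    fmt(chunk_name, storage, msg);
    return (int)strlen(storage);
}

int main(void)
{
    printf("buggy, short message:   overrun=%d\n",
           overruns_buffer(format_buffer_buggy, BINARY_CHUNK, SHORT_MESSAGE));
    printf("buggy, 64-byte message: overrun=%d len=%d\n",
           overruns_buffer(format_buffer_buggy, BINARY_CHUNK, LONG_MESSAGE),
           formatted_length(format_buffer_buggy, BINARY_CHUNK, LONG_MESSAGE));
    printf("fixed, 64-byte message: overrun=%d len=%d\n",
           overruns_buffer(format_buffer_fixed, BINARY_CHUNK, LONG_MESSAGE),
           formatted_length(format_buffer_fixed, BINARY_CHUNK, LONG_MESSAGE));
    return 0;
}
```

The sentinel technique is the same check a fuzzing harness or ASan-instrumented build performs automatically; it is spelled out here so the condition for the overrun is visible: the escaped chunk name must consume the full 18 bytes and the message must fill all 64, and only then does the single terminator byte land at index 82. Note that the "fixed" variant keeps the buffer size and shortens the copy by one, which is the smaller change to audit than growing the buffer at every call site.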