Fedora 32: FEDORA-2020-daffd78c3d Critical: pngcheck Buffer Overflow Issue

pngcheck verifies the integrity of PNG, JNG and MNG files (by checking the

internal 32-bit CRCs [checksums] and decompressing the image data); it can

optionally dump almost all of the chunk-level information in the image in

human-readable form. For example, it can be used to print the basic statistics

about an image (dimensions, bit depth, etc.); to list the color and

transparency info in its palette (assuming it has one); or to extract the

embedded text annotations. This is a command-line program with batch

capabilities.

The current release supports all PNG, MNG and JNG chunks, including the newly

approved sTER stereo-layout chunk. It correctly reports errors in all but two

of the images in Chris Nokleberg's brokensuite-20061204.

Previous fix for buffer overrun printing the contents of the sPLT chunk in

certain malformed inputs (RHBZ#1905775) was incomplete; it should be properly

fixed now. ---- Security fix for multiple buffer overflows from crafted file

input (RHBZ#1902786,1902806,1902810: no CVE yet assigned), and for buffer

overrun printing the contents of the sPLT chunk in certain malformed inputs

(RHBZ#1905775: no tracking bug or CVE yet assigned); also, new eXIf support and

assorted small bug fixes

* Mon Dec 14 2020 Benjamin A. Beasley - 2.4.0-5

- Previous fix for buffer overrun printing the contents of the sPLT chunk in

certain malformed inputs (RHBZ#1905775) was incomplete; it should be properly

fixed now.

* Sun Dec 13 2020 Benjamin A. Beasley - 2.4.0-4

- Bounds-check all accesses into enumerated-value name arrays; a malformed file

could have caused a buffer overrun in several of these cases. (RHBZ#1902810)

- Fix buffer overrun when print_buffer() is passed a nonpositive size, which

can occur in practice for certain malformed inputs. (RHBZ#1902810)

- In some cases, the chunk length from the file data (sz) is used to index into

the read buffer without sufficient bounds-checking, leading to a buffer

overrun. Fix this for PPLT, hIST, sCAL, FRAM, SAVE, nEED, PAST, DISC, DROP,

DBYK, ORDR, and SEEK chunks. (RHBZ#1902810)

- Fix buffer overrun printing the contents of the sPLT chunk in certain

malformed inputs. (RHBZ#1905775)

- Backport fix for off-by-one bug in check_magic() from 3.0.0

- Backport fix for zlib version warnings going to stdout from 3.0.0

- Use name macro when referencing patches.

- Add BR on make in anticipation of

https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot.

- New upstream version 2.4.0

- Added new license file for main package (same MIT-style license)

- Drop format-security patch, now upstreamed

- Use upstreamed man pages; no need to generate with help2man anymore

- Add rpmlintrc rules for -extras subpackage

- Add rpmlintrc file to suppress spurious rpmlint warnings

[ 1 ] Bug #1902806 - pngcheck: Multiple buffer overflows from crafted file input

https://bugzilla.redhat.com/show_bug.cgi?id=1902806

su -c 'dnf upgrade --advisory FEDORA-2020-daffd78c3d' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/