PATCHING LIBPNG-1.2.5

INTRODUCTION

This directory contains a set of patches for libpng vulnerabilities reported
in July 2004, and some other earlier-reported vulnerabilities. This document,
plus the patches and the new libpng-1.2.6rc1 distribution, constitute the PNG
Development Group's "vendor response" to the vulnerability reports.

The worst of the vulnerabilities is a buffer overflow that can occur while
reading the tRNS chunk, which is Item 1 of CAN-2004-0597. To defend against
this, you can patch libpng using the patches listed below.

COPYRIGHT and LICENSE

Copyright 2004, Glenn Randers-Pehrson

These patches are distributed according to the same terms and conditions as
libpng itself, as described in png.h.

PATCHING applications

You can also bullet-proof your *application*, whether it is being run with a
vulnerable libpng or not. Use a warning callback (which you register with
libpng's png_create_read_struct()) similar to this:

   #include <stdio.h>
   #include <string.h>
   #include <png.h>

   void warning_callback(png_structp png_ptr, png_const_charp warning_msg)
   {
      /* Convert the tRNS warning to an error: png_error() longjmps back to
       * the caller, so the read is aborted instead of continuing past the
       * condition that the vulnerable code mishandles. */
      if (strncmp(warning_msg, "Missing PLTE before tRNS", 24) == 0)
         png_error(png_ptr, warning_msg);
      printf("libpng warning: %s.\n", warning_msg);
   }

If you already have a warning callback function, just add the two-line
"if (strncmp ... png_error()" statement.

You can also protect your application from existing or future vulnerabilities
in the parts of libpng that process chunks that you don't use. This method
will cause libpng to skip over your unused chunks. You will need to add or
subtract chunk names from the list, as appropriate for your application.
   #if defined(PNG_UNKNOWN_CHUNKS_SUPPORTED)
   /* Each entry is the four chunk-name bytes plus one spare byte, so the
    * number of entries is sizeof(unused_chunks)/5. */
   png_byte unused_chunks[] =
   {
      104,  73,  83,  84, '\0',   /* hIST */
      105,  84,  88, 116, '\0',   /* iTXt */
      112,  67,  65,  76, '\0',   /* pCAL */
      115,  67,  65,  76, '\0',   /* sCAL */
      115,  80,  76,  84, '\0',   /* sPLT */
      116,  69,  88, 116, '\0',   /* tEXt */
      116,  73,  77,  69, '\0',   /* tIME */
      122,  84,  88, 116, '\0',   /* zTXt */
   };
   #endif

There is a complete list of integer representations of chunk types in png.h
starting at line 2644.

Put the following after your png_create_read_struct():

   #if defined(PNG_UNKNOWN_CHUNKS_SUPPORTED)
   /* Ignore unused chunks. keep=1 is HANDLE_CHUNK_NEVER (discard), which is
    * what makes libpng skip the listed chunks; keep=0 is
    * HANDLE_CHUNK_AS_DEFAULT and would leave them processed normally. */
   png_set_keep_unknown_chunks(png_ptr, 1, unused_chunks,
      (int)sizeof(unused_chunks)/5);
   #endif

You may also wish to place limits on the width and height of images that you
will accept. Test for images exceeding your chosen limit immediately after
your call to png_get_IHDR(). The new default limit in libpng-1.2.6rc1 and in
patch11, below, is 1 million rows and 1 million columns (down from the default
2.147 billion in previous versions).

PATCHING LIBPNG LIBRARIES

Here are combined patches for patching pristine libpng distributions. The
combined patches now contain patch11; you don't have to apply that separately.

Combined patches are not available for libpng-0.90 and earlier. Just use
libpng-patch03a-trns-chunk-overflow.txt to fix the most dangerous
vulnerability in versions 0.89 through 0.90. You should also apply
libpng-patch11c-limit-dimensions.txt to libpng-0.90 and
libpng-patch11d-limit-dimensions.txt to libpng-0.89c.

libpng-0.89c-all-patches.txt
   Combines patches 03a and 11d
   Use to patch libpng-0.89c.

libpng-0.90-all-patches.txt
   Combines patches 03a and 11c
   Use to patch libpng-0.90. (Note: 0.91 through 0.94 never existed.)

libpng-0.95-all-patches.txt
   Combines patches 03a, 04c, 05, 06a, and 11b
   Use to patch libpng-0.95.
libpng-1.0.1-all-patches.txt
   Combines patches 03a, 04c, 05, 06a, and 11a
   Use to patch libpng-0.96, 0.98, 0.99, 1.0.0, and libpng-1.0.1
   Does not work with libpng-0.90 and earlier (0.91 through 0.94 never
   existed).

libpng-1.0.3-all-patches.txt
   Combines patches 00-01, 03a, 04b, 05, 06a, and 11a
   Use to patch libpng-1.0.2 and 1.0.3

libpng-1.0.5-all-patches.txt
   Combines patches 00-01, 03a, 04a, 05, 06a, and 11a
   Use to patch libpng-1.0.5

libpng-1.0.8-all-patches.txt
   Combines patches 00-01, 03b, 04-05, 06a, 07, 08a, 10, and 11a
   Use to patch libpng-1.0.6, 1.0.7, and 1.0.8

libpng-1.0.9-all-patches.txt
   Combines patches 00-01, 02a, 03-05, 06a, 07, 08a, 09-10, and 11a
   Use to patch libpng-1.0.9

libpng-1.2.1-all-patches.txt
   Combines patches 00-01, 02a, 03-05, 06a, 07, 08a, and 09-11
   Use to patch libpng-1.0.10 through 1.0.12, 1.2.0, and 1.2.1

libpng-1.2.2-all-patches.txt
   Combines patches 00-01, 02a, 03-07, 08a, and 09-11
   Use to patch libpng-1.0.13 and 1.2.2

libpng-1.2.3-all-patches.txt
   Combines patches 00-07, 08a, and 09-11
   Use to patch libpng-1.2.3

libpng-1.2.5-all-patches.txt
   Combines patches 00 through 11
   Use to patch libpng-1.0.14, 1.0.15, 1.2.4, and 1.2.5

PATCHING LIBPNG FOR INDIVIDUAL VULNERABILITIES

Individual patches for each vulnerability, if you want to pick and choose
which ones to fix:

libpng-patch00-pngrtran-filler-RRGGBB-overflow.txt
   Fixes bug that was introduced in version 1.0.2
   This bug was widely publicised in December 2002 and has been fixed in
   many Linux distributions. Mitre named this vulnerability CAN-2002-1363.
   Use to patch libpng-1.0.5 through 1.2.5

libpng-patch01-pngrtran-filler-GG-overflow.txt
   Fixes bug that was introduced in version 1.0.2
   This bug was also publicised around January 2003. Because of its
   similarity to patch00, there has been some confusion and hardly anyone
   has applied this patch. There was a flurry of bug reports about this in
   June 2004 when people noticed that only half of the problem had been
   fixed.
   Mitre has assigned a new name, CAN-2004-0768, to this vulnerability.
   Use to patch libpng-1.0.5 through 1.2.5

libpng-patch02-pngerror-memcpy-overflow.txt
   This bug was discovered in April 2004 and has been widely reported and
   patched.
   Use to patch libpng-1.0.14, 1.0.15, 1.2.4, and 1.2.5
   Use libpng-patch02a-pngerror-memcpy-overflow.txt to patch libpng-1.0.9
   through 1.0.13 and 1.2.0 through 1.2.3

libpng-patch03-trns-chunk-overflow.txt
   Use to patch libpng-1.0.9 through 1.2.5
   This fixes the most dangerous of the newly reported vulnerabilities,
   which is CERT VU#388984 and Item 1 of CAN-2004-0597
   Use libpng-patch03b-trns-chunk-overflow.txt to patch libpng-1.0.6
   through 1.0.8.
   Use libpng-patch03a-trns-chunk-overflow.txt to patch libpng-0.89
   through 1.0.5.
   Does not work with libpng-0.88 and earlier.

libpng-patch04-get-uint-31.txt
   Use to patch libpng-1.0.6 through 1.2.5
   This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and
   png_get_uint_31(), which are needed by patches 05-08.
   Use libpng-patch04a-get-uint-31.txt to patch libpng-1.0.5.
   Use libpng-patch04b-get-uint-31.txt to patch libpng-1.0.2 through 1.0.3.
   Use libpng-patch04c-get-uint-31.txt to patch libpng-1.0.0 through 1.0.1.

libpng-patch05-pngpread-chunklength.txt
   Fixes CERT VU#817368
   Use to patch libpng-1.0.0 through 1.2.5
   Requires one of libpng-patch04*

libpng-patch06-pngread-chunklength.txt
   Fixes CERT VU#286464
   Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5.
   Requires libpng-patch04-*
   Use libpng-patch06a-pngread-chunklength.txt to patch libpng-1.0.0
   through 1.0.12, 1.2.0, and 1.2.1. Requires one of libpng-patch04*

libpng-patch07-png-read-png-overflow.txt
   Use to patch libpng-1.0.6 through 1.2.5
   Fixes CERT VU#160448, Item 5 of CAN-2004-0599.
   Libpng-1.0.5 and earlier didn't implement png_read_png().
   Requires libpng-patch04-*

libpng-patch08-splt-buffer-overflow.txt
   Fixes CERT VU#477512, Item 4 of CAN-2004-0598.
   Use to patch libpng-1.0.14, 1.0.15, 1.2.4, and 1.2.5
   Requires libpng-patch04-*
   Use libpng-patch08a-splt-buffer-overflow.txt to patch libpng-1.0.6
   through 1.0.13 and 1.2.0 through 1.2.3.
   Libpng-1.0.5 and earlier didn't implement sPLT chunk reading.
   Requires libpng-patch04-*

libpng-patch09-null-iccp-profile.txt
   Use to patch libpng-1.0.9 through 1.2.5
   Fixes CERT VU#236656, CAN-2004-0598.
   Does not work with libpng-1.0.6 through 1.0.8.
   Libpng-1.0.5 and earlier didn't implement iCCP chunk reading.

libpng-patch10-find-duplicate-chunk.txt
   No security problem. The bugs are similar to the one fixed in patch 03,
   but the only effect is that libpng will fail to detect misplaced,
   harmless duplicate chunks.
   Use to patch libpng-1.0.6 through 1.2.5
   Does not work with libpng-1.0.5 and earlier.

libpng-patch11-limit-dimensions.txt
   This patch avoids a host of security problems related to buffer
   overflows that might occur when processing very large images. It causes
   the reader to reject any image having more than one million rows or one
   million columns.
   Use to patch 1.0.10 through 1.2.5.
   Use libpng-patch11a-limit-dimensions.txt to patch libpng-0.96 through
   1.0.9.
   Use libpng-patch11b-limit-dimensions.txt to patch libpng-0.95.
   Use libpng-patch11c-limit-dimensions.txt to patch libpng-0.90.
   Use libpng-patch11d-limit-dimensions.txt to patch libpng-0.89c.
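As an added example that is not part of these patches or of libpng itself: standalone C showing the application-side checks from the PATCHING applications section above (the 31-bit value rule that patch04's png_get_uint_31() enforces, the one-million row/column limit of patch11, and the 5-byte chunk skip-list layout used with png_set_keep_unknown_chunks()). It parses a constructed IHDR payload directly instead of calling libpng, so it builds without png.h; the macro and function names are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Limits named here after the patches: PNG_UINT_31_MAX from patch04 and the
 * one-million row/column limit of patch11 (macro names are this example's). */
#define UINT_31_MAX   0x7fffffffUL
#define MAX_DIMENSION 1000000UL

/* Big-endian 32-bit read that, like png_get_uint_31(), refuses values above
 * 2^31-1 (a set sign bit would go negative in signed arithmetic). */
static unsigned long get_uint_31(const unsigned char *p, int *ok)
{
    unsigned long v = ((unsigned long)p[0] << 24) | ((unsigned long)p[1] << 16)
                    | ((unsigned long)p[2] << 8)  |  (unsigned long)p[3];
    if (v > UINT_31_MAX) { *ok = 0; return 0; }
    return v;
}

/* The check an application should make right after png_get_IHDR(): both
 * dimensions of the 13-byte IHDR payload must be in 1..MAX_DIMENSION.
 * Returns 1 if the image is acceptable, 0 if it must be rejected. */
int ihdr_dimensions_ok(const unsigned char *ihdr, size_t len,
                       unsigned long *width, unsigned long *height)
{
    int ok = 1;
    if (len < 13) return 0;                 /* IHDR payload is always 13 bytes */
    *width  = get_uint_31(ihdr, &ok);
    *height = get_uint_31(ihdr + 4, &ok);
    if (!ok || *width == 0 || *height == 0) return 0;
    if (*width > MAX_DIMENSION || *height > MAX_DIMENSION) return 0;
    return 1;
}

/* Skip list in the 5-bytes-per-entry layout png_set_keep_unknown_chunks()
 * takes: four name bytes plus one spare byte, so the count is sizeof/5. */
static const unsigned char unused_chunks[] = {
    'h','I','S','T','\0',  'i','T','X','t','\0',  'p','C','A','L','\0',
    's','C','A','L','\0',  's','P','L','T','\0',  't','E','X','t','\0',
    't','I','M','E','\0',  'z','T','X','t','\0'
};

/* Returns 1 when a 4-byte chunk name is on the skip list, 0 otherwise. */
int chunk_is_skipped(const unsigned char name[4])
{
    size_t n = sizeof(unused_chunks) / 5, i;
    for (i = 0; i < n; i++)
        if (memcmp(name, unused_chunks + 5 * i, 4) == 0) return 1;
    return 0;
}
```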