Bug 27658 - pngcheck new security issue rhbz#1897485 (CVE-2020-27818)
Summary: pngcheck new security issue rhbz#1897485 (CVE-2020-27818)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-11-23 22:20 CET by David Walser
Modified: 2020-12-07 22:27 CET (History)
4 users

See Also:
Source RPM: pngcheck-2.4.0-1.mga8.src.rpm
CVE:
Status comment: assigned



Comment 1 Aurelien Oudelet 2020-11-25 18:31:27 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => zen25000
Keywords: (none) => Triaged

Comment 2 Barry Jackson 2020-11-26 00:50:09 CET
Fixed in Cauldron.

The patch does apply and it builds for Mga7.

I have no idea if it affects Mga7, but it seems logical that it does, so I will push it to updates testing after a quick functional test. Tomorrow :)
Comment 3 Barry Jackson 2020-11-26 00:53:41 CET
I just noticed that the original Fedora bug was against 2.3 so yes it does need fixing in Mga7 as well.
Barry Jackson 2020-11-26 00:55:01 CET

Status comment: (none) => assigned

Comment 4 Barry Jackson 2020-11-26 21:25:06 CET
pngcheck-2.3.0-4.1.mga7 has been pushed to 7/core/updates_testing

#####################
Advisory

This update fixes a potential global buffer overflow in
the check_chunk_name function via a crafted png file.

#####################
References

Fedora issued an advisory on November 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KYWBUK3C43TIX3DXS26JX2XEVJSRXJDN/

The issue was fixed in this commit:
https://src.fedoraproject.org/rpms/pngcheck/c/cc48791e34201caf7b686084b735d06cef66c974?branch=master

####################
Files affected

pngcheck-2.3.0-4.1.mga7.i586
pngcheck-debuginfo-2.3.0-4.1.mga7.i586
pngcheck-debugsource-2.3.0-4.1.mga7.i586

pngcheck-2.3.0-4.1.mga7.x86_64
pngcheck-debuginfo-2.3.0-4.1.mga7.x86_64
pngcheck-debugsource-2.3.0-4.1.mga7.x86_64

Provided by:

pngcheck-2.3.0-4.1.mga7.src.rpm


####################
Testing

A set of good and faulty .png files are available here:

http://www.schaik.com/pngsuite/PngSuite-2017jul19.tgz
(Extract to a new folder; there are a lot!)

The bad ones' names all start with 'x', quite interesting ;)

Whiteboard: (none) => MGA7TOO

Barry Jackson 2020-11-26 21:27:34 CET

Assignee: zen25000 => qa-bugs

David Walser 2020-11-26 22:35:02 CET

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => zen25000

Comment 5 Len Lawrence 2020-11-27 11:32:32 CET
MGA7, x64

Installed pngcheck and the image test suite.
$ rpm -q pngcheck
pngcheck-2.3.0-4.mga7

Tested some of the provided images in batches with `pngcheck -7` and display.
$ display xs2n0g01.png
display: improper image header `xs2n0g01.png' @ error/png.c/ReadPNGImage/4288.
$ pngcheck -7 xs2n0g01.png
File: xs2n0g01.png (164 bytes)
xs2n0g01.png  this is neither a PNG or JNG image nor a MNG stream
ERROR: xs2n0g01.png

[ 1 ] Bug #1897485 - Private bug
        https://bugzilla.redhat.com/show_bug.cgi?id=1897485

So we are not going to find a reproducer.

Ran update.
$ rpm -q pngcheck
pngcheck-2.3.0-4.1.mga7

Test all images quietly - only report bad images:
$ pngcheck -q *.png
cm7n0g04.png  invalid tIME year (1970)
ERROR: cm7n0g04.png
exif2c08.png  illegal (unless recently approved) unknown, public chunk eXIf
ERROR: exif2c08.png
xc1n0g08.png  invalid IHDR image type (1)
ERROR: xc1n0g08.png
xc9n2c08.png  invalid IHDR image type (9)
ERROR: xc9n2c08.png
xcrn0g04.png:  CORRUPTED by text conversion
ERROR: xcrn0g04.png
xcsn0g01.png  CRC error in chunk IDAT (computed d02f14c9, expected 4353554d)
ERROR: xcsn0g01.png
xd0n2c08.png  invalid IHDR sample depth (0)
ERROR: xd0n2c08.png
xd3n2c08.png  invalid IHDR sample depth (3)
ERROR: xd3n2c08.png
xd9n2c08.png  invalid IHDR sample depth (99)
[...]

This should find embedded PNG images in other files:
$ pngcheck -s *
OK: basi0g01-1 (32x32, 1-bit grayscale, interlaced, 100.0%).
OK: basi0g02-1 (32x32, 2-bit grayscale, interlaced, 98.4%).
OK: basi0g04-1 (32x32, 4-bit grayscale, interlaced, 99.2%).
......
xcsn0g01-1  CRC error in chunk IDAT (computed d02f14c9, expected 4353554d)
xd0n2c08-1  invalid IHDR sample depth (0)
xd3n2c08-1  invalid IHDR sample depth (3)
xd9n2c08-1  invalid IHDR sample depth (99)
OK: xdtn0g01-1 (32x32, 1-bit grayscale, non-interlaced, 96.9%).
xhdn0g08-1  CRC error in chunk IHDR (computed 56112528, expected 4353554d)
OK: z00n2c08-1 (32x32, 24-bit RGB, non-interlaced, 99.9%).
OK: z03n2c08-1 (32x32, 24-bit RGB, non-interlaced, 99.9%).
OK: z06n2c08-1 (32x32, 24-bit RGB, non-interlaced, 99.9%).
OK: z09n2c08-1 (32x32, 24-bit RGB, non-interlaced, 99.9%).

No errors were detected in 179 of the 179 files tested.

We are probably not supposed to believe that last line - it may mean "no embedded images detected".  ???

$ pngcheck -p tp*.png
File: tp0n0g08.png (719 bytes)
OK: tp0n0g08.png (32x32, 8-bit grayscale, non-interlaced, 29.8%).

File: tp0n2c08.png (1594 bytes)
OK: tp0n2c08.png (32x32, 24-bit RGB, non-interlaced, 48.1%).

File: tp0n3p08.png (1476 bytes)
  PLTE chunk: 245 palette entries
      0:  ( 20, 20,109) = (0x14,0x14,0x6d)
      1:  (128, 86, 86) = (0x80,0x56,0x56)
      2:  (181,181,184) = (0xb5,0xb5,0xb8)
      3:  (168, 66, 66) = (0xa8,0x42,0x42)
      4:  (159,159,159) = (0x9f,0x9f,0x9f)
      5:  (177, 32, 32) = (0xb1,0x20,0x20)
[....]
    242:  ( 10, 10, 96) = (0x0a,0x0a,0x60)
    243:  (  0,  0,255) = (0x00,0x00,0xff)
    244:  (191,125,125) = (0xbf,0x7d,0x7d)
  tRNS chunk: 1 transparency entry
    0:    0 = 0x00
OK: tp1n3p08.png (32x32, 8-bit palette+trns, non-interlaced, -44.8%).

No errors were detected in 4 of the 4 files tested.

$ pngcheck -f x*.png
xc1n0g08.png  invalid IHDR image type (1)
ERROR: xc1n0g08.png
xc9n2c08.png  invalid IHDR image type (9)
xc9n2c08.png  private (invalid?) IDAT row-filter type (255) (warning)
xc9n2c08.png  private (invalid?) IDAT row-filter type (255) (warning)
[....]
xlfn0g04.png:  CORRUPTED by text conversion
ERROR: xlfn0g04.png
xs1n0g01.png:  CORRUPTED by text conversion
ERROR: xs1n0g01.png
xs2n0g01.png  this is neither a PNG or JNG image nor a MNG stream
ERROR: xs2n0g01.png
OK: xs4n0g01.png (32x32, 1-bit grayscale, non-interlaced, -28.1%).
xs7n0g01.png:  CORRUPTED by text conversion
ERROR: xs7n0g01.png

Errors were detected in 13 of the 14 files tested.
No errors were detected in 1 of the 14 files tested.

No obvious regressions in all this.  Giving this a 64-bit OK.

CC: (none) => tarazed25

Len Lawrence 2020-11-27 11:32:57 CET

Whiteboard: (none) => MGA7-64-OK
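
The advisory in comment 4 names a global buffer overflow in pngcheck's check_chunk_name on a crafted file, and the `-q` run in comment 5 shows the kind of chunk-type and CRC checks a PNG validator performs. As an added illustration (not pngcheck's code and not part of this bug report), here is a minimal bounds-checked PNG chunk walker in C: it verifies the signature, rejects any declared chunk length that would run past the end of the buffer before it touches the chunk-type bytes, checks that each of the four type bytes is an ASCII letter as the PNG specification requires, and verifies the chunk CRC. The function names, the status enum and the constructed 1x1 grayscale sample image are assumptions of this example, not values taken from the PngSuite files.

```c
/* Added example, not pngcheck's own code: a bounds-checked PNG chunk walker.
 * Names and the sample image are constructed for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum png_status {
    PNG_OK = 0,
    PNG_BAD_SIGNATURE,
    PNG_TRUNCATED,      /* declared chunk length runs past the buffer */
    PNG_BAD_CHUNK_NAME, /* a chunk-type byte is not A-Z / a-z */
    PNG_BAD_CRC,
    PNG_NO_IEND
};

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};

/* CRC-32 as PNG uses it: reflected polynomial 0xEDB88320, init and xorout ~0. */
static uint32_t png_crc32(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xffffffffu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Chunk-name check: all four bytes must be ASCII letters. It only inspects the
 * four bytes the caller has already bounds-checked and indexes no table. */
static int chunk_name_valid(const uint8_t name[4])
{
    for (int i = 0; i < 4; i++) {
        uint8_t c = name[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')))
            return 0;
    }
    return 1;
}

/* Walk the chunks of buf[0..len). The length bound is enforced before the type
 * bytes are read, so a crafted length field cannot move the reader out of bounds. */
enum png_status png_walk(const uint8_t *buf, size_t len)
{
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0)
        return PNG_BAD_SIGNATURE;
    for (size_t pos = 8; pos < len; ) {
        if (len - pos < 12)                    /* length + type + crc minimum */
            return PNG_TRUNCATED;
        uint32_t dlen = get_be32(buf + pos);
        if (dlen > 0x7fffffffu || dlen > len - pos - 12)
            return PNG_TRUNCATED;
        const uint8_t *type = buf + pos + 4;
        if (!chunk_name_valid(type))
            return PNG_BAD_CHUNK_NAME;
        if (png_crc32(type, 4 + dlen) != get_be32(type + 4 + dlen))
            return PNG_BAD_CRC;
        if (memcmp(type, "IEND", 4) == 0)
            return PNG_OK;
        pos += 12 + dlen;
    }
    return PNG_NO_IEND;
}

/* Write one chunk (length, type, data, correct CRC); returns bytes written. */
static size_t put_chunk(uint8_t *out, const char *type, const uint8_t *data, uint32_t dlen)
{
    put_be32(out, dlen);
    memcpy(out + 4, type, 4);
    if (dlen) memcpy(out + 8, data, dlen);
    put_be32(out + 8 + dlen, png_crc32(out + 4, 4 + dlen));
    return 12 + dlen;
}

/* Constructed sample: signature + IHDR (1x1, 8-bit grayscale) + IEND, 45 bytes. */
size_t build_sample(uint8_t out[64])
{
    static const uint8_t ihdr[13] = {0,0,0,1, 0,0,0,1, 8, 0, 0, 0, 0};
    memcpy(out, PNG_SIG, 8);
    size_t n = 8;
    n += put_chunk(out + n, "IHDR", ihdr, 13);
    n += put_chunk(out + n, "IEND", NULL, 0);
    return n;
}

/* Walk the sample after one of three tamperings (0 = untouched). */
enum png_status demo(int tamper)
{
    uint8_t b[64]; size_t n = build_sample(b);
    if (tamper == 1) b[12] = 0x00;   /* first byte of "IHDR" replaced by 0x00 */
    if (tamper == 2) b[11] = 0xff;   /* IHDR length field now claims 255 bytes */
    if (tamper == 3) b[16] ^= 0x01;  /* one IHDR data bit flipped: CRC mismatch */
    return png_walk(b, n);
}

/* CRC of the bare "IEND" type, a fixed value every valid PNG ends with. */
uint32_t iend_crc(void) { return png_crc32((const uint8_t *)"IEND", 4); }
```

The order of the checks is the point: the walker proves the remaining buffer can hold `12 + dlen` bytes before it dereferences the type field or the CRC, and the name check is a pure range test on four bytes rather than a lookup keyed by the raw byte value, so an out-of-spec type byte can produce a diagnostic but never an out-of-bounds access. `demo(2)` is the shape of input such a walker must survive: the declared length says 255 bytes but only 25 remain.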

Comment 6 Aurelien Oudelet 2020-12-01 10:13:32 CET
Validating update.
Advisory pushed to SVN.

Keywords: Triaged => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 7 Mageia Robot 2020-12-03 10:56:03 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0444.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 8 David Walser 2020-12-07 22:27:48 CET
This is CVE-2020-27818:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6X67BQ55SUAPPGYOKAMOSKREWWBB3IML/

Summary: pngcheck new security issue rhbz#1897485 => pngcheck new security issue rhbz#1897485 (CVE-2020-27818)

