oCERT-2009-009 CamlImages integer overflows
Description:
CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution.
The vulnerability is triggered during PNG image parsing: the read_png_file and read_png_file_as_rgb24 functions do not properly validate the width and height of the image before using them to size the pixel buffer. Specific PNG images with large width and height values can be crafted to trigger the vulnerability.
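The failure mode described above (a buffer size derived from width * height * channels that wraps, so a small allocation is followed by a large copy) is the same in any image decoder. The following C snippet is an added illustration and is not code from CamlImages; the function names naive_buffer_size, checked_buffer_size, checked_or_zero and the 1 GiB policy cap are assumptions made for the example. It shows the unchecked computation next to a hardened version that rejects dimensions whose product cannot be represented, and also rejects images that exceed a fixed memory budget.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for this example; not CamlImages' own code. */

/* Unchecked pattern: the product is evaluated in 32 bits and used as a
   buffer length.  With large dimensions it wraps silently, a short
   buffer is allocated, and the subsequent row copy writes past it. */
uint32_t naive_buffer_size(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels; /* wraps on overflow */
}

/* Constructed policy limit: the largest pixel buffer the caller is
   prepared to allocate for a single image (1 GiB here). */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* PNG width and height are 31-bit values; anything larger is malformed. */
#define PNG_MAX_DIMENSION 2147483647u

/* Hardened size computation: every multiplication is checked against
   SIZE_MAX before it is performed, and the result is capped.
   Returns 1 and stores the byte count in *out on success, 0 otherwise. */
int checked_buffer_size(uint32_t width, uint32_t height, uint32_t channels, size_t *out)
{
    if (width == 0 || height == 0 || channels == 0)
        return 0;                               /* degenerate image */
    if (width > PNG_MAX_DIMENSION || height > PNG_MAX_DIMENSION)
        return 0;                               /* outside the PNG format */
    if ((size_t)width > SIZE_MAX / (size_t)height)
        return 0;                               /* width * height overflows */
    size_t pixels = (size_t)width * (size_t)height;
    if (pixels > SIZE_MAX / (size_t)channels)
        return 0;                               /* pixels * channels overflows */
    size_t bytes = pixels * (size_t)channels;
    if (bytes > MAX_IMAGE_BYTES)
        return 0;                               /* exceeds memory budget */
    *out = bytes;
    return 1;
}

/* Convenience wrapper: returns the checked size, or 0 when rejected. */
size_t checked_or_zero(uint32_t width, uint32_t height, uint32_t channels)
{
    size_t bytes = 0;
    return checked_buffer_size(width, height, channels, &bytes) ? bytes : 0;
}

/* Allocation helper a decoder would call instead of malloc(w*h*c). */
unsigned char *alloc_image_buffer(uint32_t width, uint32_t height, uint32_t channels)
{
    size_t bytes;
    if (!checked_buffer_size(width, height, channels, &bytes))
        return NULL;                            /* caller must treat as decode error */
    unsigned char *buf = malloc(bytes);
    if (buf)
        memset(buf, 0, bytes);
    return buf;
}

int main(void)
{
    /* Constructed header values: 65536 x 65536 x 1 channel.  The true
       size is 2^32 bytes, but the 32-bit product wraps to 0. */
    printf("naive size for 65536x65536x1: %u\n", naive_buffer_size(65536, 65536, 1));
    printf("checked size for 65536x65536x1: %zu (0 = rejected)\n",
           checked_or_zero(65536, 65536, 1));
    printf("checked size for 640x480x3: %zu\n", checked_or_zero(640, 480, 3));
    unsigned char *img = alloc_image_buffer(640, 480, 3);
    printf("allocation for 640x480x3: %s\n", img ? "ok" : "rejected");
    free(img);
    return 0;
}
```

The important design point is that each multiplication is guarded by a division against SIZE_MAX before it happens, so the check itself cannot overflow, and that the product is compared against a fixed budget rather than only against the type's range: on a 64-bit host the 65536 x 65536 example does not wrap in size_t, yet it still describes a 4 GiB allocation that a decoder should refuse.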
Affected version:
CamlImages <= 2.2, <= 3.0.1
Fixed version:
Upstream incorporated a patch contributed by Richard Jonese of Redhat into their CVS.
Credit: vulnerability report and PoC code received from Tielei Wang <wangtielei [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS.
CVE: CVE-2009-2295
Timeline:
2009-05-21: vulnerability report received
2009-05-21: contacted camlimages maintainers
2009-06-30: due to lack of feedback oCERT asks reporter to disclose the issue
2009-07-01: reporter agrees to disclosure
2009-07-02: assigned CVE
2009-07-02: advisory release
2009-07-03: added 3.0.1 to affected versions
2009-07-04: added contributed patch reference
2009-07-07: patch committed to camlimages CVS
References:
http://pauillac.inria.fr/camlimages
http://gallium.inria.fr/camlimages
https://bugzilla.redhat.com/show_bug.cgi?id=509531
http://www.nabble.com/Camlimages-integer-overflows-with-PNG-images-td24321780.html