Bug Id
SUNBUG: 6745161, SUNBUG: 6755267, SUNBUG: 6813939

Date of Workaround Release
28-May-2009

Security Vulnerability in Solaris libpng(3) May Allow Denial of Service (DoS) or Privilege Escalation

1. Impact

Multiple security vulnerabilities in libpng(3), which is shipped with Solaris, may allow a local or remote unprivileged user to cause a Denial of Service (DoS) of applications linked to libpng(3), or potentially to execute arbitrary code with the privileges of the user running the application, when a user has loaded a specially crafted Portable Network Graphics (PNG) format image file (.png) supplied by an untrusted user.

These issues are also referenced in the following documents:

CVE-2007-5267 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5267
CVE-2008-3964 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3964
CVE-2007-5266 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5266
CVE-2007-5268 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5268
CVE-2007-5269 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269
CVE-2008-1382 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382
CVE-2009-0040 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040
CERT VU#649212 http://www.kb.cert.org/vuls/id/649212

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

• GNOME 2.0 (for Solaris 8)
• Solaris 9 without patch 139382-02 and 114822-06
• Solaris 10 without patch 137080-03
• OpenSolaris builds snv_01 through snv_112

x86 Platform

• GNOME 2.0 (for Solaris 8)
• Solaris 9 without patch 139383-02
• Solaris 10 without patch 137081-03
• OpenSolaris builds snv_01 through snv_112

Note 1: OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived.

The base build can be derived as follows:

 $ uname -v
 snv_101

Note 2: To determine if an application has a dynamic dependency on the libpng(3) library, the ldd(1) utility can be used, for example:

 $ ldd /bin/evince | grep libpng
 libpng12.so.0 => /usr/lib/libpng12.so.0

However, some applications may use libpng(3) but not report libpng as a dynamic dependency with ldd(1) if the library is loaded by dlopen(3C). Therefore, to display all shared objects used by an application, pldd(1) should be used against the running process:

 $ pldd <pid of application> | grep libpng
 /usr/lib/libpng12.so.0.18.0

3. Symptoms

If the described issues are exploited to cause a Denial of Service (DoS), the application which links to the libpng(3) library will exit and may generate an error message about a Segmentation Fault, possibly writing a core(4) file.

There are no predictable symptoms which would indicate that these issues have been exploited to execute arbitrary code.

4. Workaround

There is no workaround which would prevent these issues from being exploited, therefore it is advisable not to load images from untrusted sources with any affected applications until the Resolution for these issues is in place.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

• Solaris 9 with patch 139382-02 or later or 114822-06 or later
• Solaris 10 with patch 137080-03 or later
• OpenSolaris based upon builds snv_113 or later
  

x86 Platform

• Solaris 9 with patch 139383-02 or later
• Solaris 10 with patch 137081-03 or later
• OpenSolaris based upon builds snv_113 or later
  

Note that for Solaris 10 the issues referred to as CVE-2007-5267, CVE-2008-3964, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269, and CVE-2008-1382 are resolved in patches 137080-02 and 137081-02 and later revisions.

A final resolution is pending completion for Solaris 8.

For more information on Security Sun Alerts, see 1009886.1

Product
Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris


Modification History
07-Jun-2010: Updated for Solaris 9 patches released
10-Nov-2010: Updated to correct BugID 6745161

References

137080-03
137081-03

References

SUNPATCH:137080-03
SUNPATCH:137081-03



Attachments

This solution has no attachment