CVE-2020-35511: pngcheck Home Page

A global buffer overflow was discovered in the pngcheck function in pngcheck-2.4.0 (5 patches applied) via a crafted PNG file.

pngcheck verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs, a.k.a. checksums, and decompressing the image data); it can optionally dump almost all of the chunk-level information in the image in human-readable form. For example, it can be used to print the basic statistics about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette (assuming it has one); or to extract the embedded text annotations. This is a command-line program with batch capabilities.

Here’s some sample output (screen shots, eh?):

```
% pngcheck -cvt ArcTriomphe-iCCP-red-blue-swap.png
File: ArcTriomphe-iCCP-red-blue-swap.png (5171 bytes)
  chunk IHDR at offset 0x0000c, length 13
    64 x 64 image, 8-bit colormap, non-interlaced
  chunk iCCP at offset 0x00025, length 461
    profile name = Swapped red & blue channel
    compression method = 0 (deflate), compressed profile = 433 bytes
  chunk PLTE at offset 0x001fe, length 759: 253 palette entries
  chunk IDAT at offset 0x00501, length 3616
    zlib: deflated, 32K window, default compression
  chunk tEXt at offset 0x0132d, length 68, keyword: Title
    PNG color-correction test image, swapped red and blue channels
  chunk tEXt at offset 0x0137d, length 143, keyword: Copyright
    Copyright 2005 Greg Roelofs. Licensed under Creative Commons
    AttributionNonCommercial, http://creativecommons.org/licenses/by-nc/2.5/
  chunk tIME at offset 0x01418, length 7: 16 Aug 2005 07:07:07 GMT
  chunk IEND at offset 0x0142b, length 0
No errors detected in ArcTriomphe-iCCP-red-blue-swap.png (8 chunks, -26.2% compression).

% pngcheck -c *.png
OK: 000000.png (48x48, 1-bit grayscale, non-interlaced, 71.2%).
OK: 000033.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
OK: 000066.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
OK: 000099.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
 [...]
OK: ffff66.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
OK: ffff99.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
OK: ffffcc.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
OK: ffffff.png (48x48, 1-bit grayscale, non-interlaced, 70.1%).
ataylor-bad-text-length.png  illegal (unless recently approved) unknown, public chunk xORk
ERROR: ataylor-bad-text-length.png
google-island-96x69.png  zlib: inflate error = -3 (data error)
ERROR: google-island-96x69.png

Errors were detected in 2 of the 218 files tested.
No errors were detected in 216 of the 218 files tested.
```
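To make the chunk-level check concrete (a CRC-32 over each chunk's type and data, with the declared length validated against the bytes actually present before anything is read, which is the check a crafted-length file must fail), here is an added Python example that is not pngcheck's own code. It builds a constructed 1x1 grayscale PNG inline and reports each chunk's type-field offset the same way the output above does.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 0x7FFFFFFF  # PNG spec: the length field must not exceed 2^31-1


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as sample input (not a real file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, color, comp, filter, interlace
    scanline = b"\x00\x00"  # filter type 0 followed by one gray sample
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(scanline)) + make_chunk(b"IEND", b""))


def check_png(buf: bytes) -> list:
    """Walk the chunks and return (type_offset, type, length, status) for each one.

    The declared length is checked against the remaining file size before any slice
    is taken, so a crafted length can neither over-read nor run the loop past the end.
    """
    if not buf.startswith(PNG_SIG):
        return [(0, "", 0, "bad signature")]
    results, pos = [], len(PNG_SIG)
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        name = ctype.decode("latin-1")
        if length > MAX_CHUNK_LEN or pos + 12 + length > len(buf):
            results.append((pos + 4, name, length, "length exceeds file"))
            break
        data = buf[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", buf[pos + 8 + length:pos + 12 + length])[0]
        actual_crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        status = "ok" if stored_crc == actual_crc else "CRC mismatch"
        results.append((pos + 4, name, length, status))  # offset of the type field, as pngcheck prints
        pos += 12 + length
        if ctype == b"IEND":
            break
    return results


if __name__ == "__main__":
    for off, name, length, status in check_png(build_sample_png()):
        print(f"chunk {name} at offset 0x{off:05x}, length {length}: {status}")
```

Flipping any data byte in the sample file makes only that chunk report a CRC mismatch, and overwriting a length field with a value larger than the file stops the walk with "length exceeds file" instead of reading past the buffer.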

Vulnerability Warning

pngcheck versions 3.0.2 and earlier have a divide-by-zero bug when zlib-decoding interlaced PNGs with extra data beyond what is required for the declared image dimensions. This bug is fixed in version 3.0.3, released on 25 April 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

The current release supports all PNG, MNG and JNG chunks, including the newer sTER (stereo layout) and eXIf (EXIF metadata) chunks. It correctly reports errors in all but two of the images in Chris Nokleberg’s brokensuite-20061204. Also included (since version 2.1.0) are two helper utilities:

  • pngsplit - break a PNG, MNG or JNG image into constituent chunks (numbered for easy reassembly)
  • png-fix-IDAT-windowsize - fix minor zlib-header breakage caused by libpng 1.2.6

The extra utilities are licensed under the GNU General Public License (GPL); pngcheck itself remains under its original, MIT/X11-style license.

Security and Crash Bugs in Older Versions

Vulnerability Warning

pngcheck versions 3.0.1 and earlier have a buffer-overrun bug related to the MNG LOOP chunk (which gets noticed even in PNG files if the -s option is used). This bug is fixed in version 3.0.2, released on 31 January 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

Vulnerability Warning

pngcheck versions 3.0.0 and earlier have a pair of buffer-overrun bugs related to the sPLT and PPLT chunks (the latter is a MNG-only chunk, but it gets noticed even in PNG files if the -s option is used). Both bugs are fixed in version 3.0.1, released on 24 January 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

Vulnerability Warning

pngcheck versions 2.4.0 and earlier have a number of buffer-overrun bugs, most (but not all) of which are related to the -f option (“force continued parsing after major errors”). As such, the option has been removed altogether in version 3.0.0 (which is the reason for the major-version bump), released on 12 December 2020. All known vulnerabilities are fixed in this version, but the code is pretty crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

  • PNG home page
  • MNG home page

Last updated 22 August 2021.

Copyright © 2000-2021 Greg Roelofs.

Related news

Ubuntu Security Notice USN-6182-1

Ubuntu Security Notice 6182-1 - It was discovered that pngcheck incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

Debian Security Advisory 5300-1

Debian Linux Security Advisory 5300-1 - Multiple security issues were discovered in pngcheck, a tool to verify the integrity of PNG, JNG and MNG files, which could potentially result in the execution of arbitrary code.