oCERT-2009-009 CamlImages integer overflows

Description:

CamlImages, an open source image processing library for OCaml, contains several integer overflows that can lead to a potentially exploitable heap overflow and result in arbitrary code execution.

The vulnerability is triggered during PNG image parsing: the read_png_file and read_png_file_as_rgb24 functions do not properly validate the width and height of the image before using them to compute buffer sizes. A specially crafted PNG with large width and height values can therefore be used to trigger the vulnerability.
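The following is an added example (not CamlImages code, and not the patch referenced below) showing the pattern behind this class of bug: the width and height are pulled from the PNG IHDR chunk, then multiplied by the bytes-per-pixel to size an rgb24 buffer. The unchecked computation wraps in 32-bit arithmetic, so the allocation ends up far smaller than what the decoder later writes; the checked version widens to size_t, tests each multiplication, and applies a caller-supplied cap. All function names, the `max_bytes` cap, and the sample PNG prefix are constructed for this example.

```c
/*
 * Added example, not CamlImages code: read width/height from a PNG IHDR
 * chunk and size an rgb24 buffer with overflow checks before allocating.
 * All function names and the sample bytes below are constructed here.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PNG_SIG_LEN   8
#define IHDR_DATA_LEN 13
#define RGB24_BPP     3u         /* bytes per pixel for an rgb24 buffer */

static const unsigned char png_sig[PNG_SIG_LEN] =
    { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the mandatory first chunk (IHDR) and return its width/height.
 * Rejects a bad signature, a misplaced IHDR, and dimensions outside the
 * range the PNG spec allows (1 .. 2^31-1). The CRC is not verified here. */
bool png_read_ihdr(const unsigned char *buf, size_t len,
                   uint32_t *width, uint32_t *height)
{
    if (len < PNG_SIG_LEN + 4 + 4 + IHDR_DATA_LEN + 4) return false;
    if (memcmp(buf, png_sig, PNG_SIG_LEN) != 0)        return false;
    const unsigned char *chunk = buf + PNG_SIG_LEN;
    if (be32(chunk) != IHDR_DATA_LEN)                  return false;
    if (memcmp(chunk + 4, "IHDR", 4) != 0)             return false;
    uint32_t w = be32(chunk + 8), h = be32(chunk + 12);
    if (w == 0 || h == 0 || w > 0x7fffffffu || h > 0x7fffffffu) return false;
    *width = w;
    *height = h;
    return true;
}

/* Unchecked size computation of the kind the advisory describes: the product
 * is formed in 32-bit arithmetic and wraps, so a buffer allocated from it is
 * far smaller than the rows the decoder later writes into it. Unsigned
 * arithmetic is used so the wrap itself is well defined in C. */
uint32_t rgb24_size_unchecked(uint32_t width, uint32_t height)
{
    return width * height * RGB24_BPP;   /* 2^29 * 8 * 3 wraps to 0 */
}

/* Hardened version: widen to size_t, check each multiplication before it
 * happens, and enforce a caller-supplied cap so a valid but enormous image
 * is refused instead of being handed to malloc(). */
bool rgb24_size_checked(uint32_t width, uint32_t height,
                        size_t max_bytes, size_t *out)
{
    size_t w = width, h = height;
    if (w == 0 || h == 0)          return false;
    if (w > SIZE_MAX / RGB24_BPP)  return false;
    size_t row = w * RGB24_BPP;
    if (h > SIZE_MAX / row)        return false;
    size_t total = row * h;
    if (total > max_bytes)         return false;
    *out = total;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the image is rejected. */
size_t checked_size_or_zero(uint32_t width, uint32_t height, size_t max_bytes)
{
    size_t n;
    return rgb24_size_checked(width, height, max_bytes, &n) ? n : 0;
}

/* Constructed PNG prefix (not a real image): signature + IHDR declaring
 * width 0x20000000 and height 8; the CRC bytes are placeholders. */
const unsigned char sample_png[] = {
    0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,
    0x00, 0x00, 0x00, 0x0d, 'I', 'H', 'D', 'R',
    0x20, 0x00, 0x00, 0x00,              /* width  = 0x20000000 */
    0x00, 0x00, 0x00, 0x08,              /* height = 8          */
    0x08, 0x02, 0x00, 0x00, 0x00,        /* 8-bit RGB, no interlace */
    0x00, 0x00, 0x00, 0x00               /* CRC placeholder */
};
const size_t sample_png_len = sizeof sample_png;

/* Size the sample image the unchecked way (returns the wrapped value). */
uint32_t sample_unchecked_size(void)
{
    uint32_t w, h;
    if (!png_read_ihdr(sample_png, sample_png_len, &w, &h)) return UINT32_MAX;
    return rgb24_size_unchecked(w, h);
}

/* True when the checked path refuses the sample image under a 1 GiB cap. */
bool sample_rejected(void)
{
    uint32_t w, h;
    if (!png_read_ihdr(sample_png, sample_png_len, &w, &h)) return false;
    return checked_size_or_zero(w, h, (size_t)1 << 30) == 0;
}

int main(void)
{
    printf("unchecked rgb24 size for sample: %u bytes\n", sample_unchecked_size());
    printf("checked path %s the sample\n", sample_rejected() ? "rejects" : "accepts");
    printf("checked size for 640x480: %zu bytes\n",
           checked_size_or_zero(640, 480, (size_t)1 << 30));
    return 0;
}
```

The sample's 0x20000000 x 8 dimensions are both within the range the PNG specification permits, so a dimension-range check alone is not enough; the multiplication itself has to be guarded, and on a 64-bit build where no wrap occurs the cap is what stops a multi-gigabyte allocation from a few dozen bytes of input.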

Affected version:

CamlImages <= 2.2, <= 3.0.1

Fixed version:

Upstream incorporated a patch contributed by Richard Jones of Red Hat into their CVS.

Credit: vulnerability report and PoC code received from Tielei Wang <wangtielei [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS.

CVE: CVE-2009-2295

Timeline:

2009-05-21: vulnerability report received
2009-05-21: contacted camlimages maintainers
2009-06-30: due to lack of feedback oCERT asks reporter to disclose the issue
2009-07-01: reporter agrees to disclosure
2009-07-02: assigned CVE
2009-07-02: advisory release
2009-07-03: added 3.0.1 to affected versions
2009-07-04: added contributed patch reference
2009-07-07: patch committed to camlimages CVS

References:
http://pauillac.inria.fr/camlimages
http://gallium.inria.fr/camlimages
https://bugzilla.redhat.com/show_bug.cgi?id=509531
http://www.nabble.com/Camlimages-integer-overflows-with-PNG-images-td24321780.html