Package: syslinux
Severity: important
Tags: security

I have been working on a tool called Clonewise to automatically identify embedded code copies in Debian packages and determine if they are out of date and vulnerable. Ideally, embedding code and libraries should be avoided and a system-wide library should be used instead.

I recently ran the tool on Debian 6 stable. The results are here at http://www.foocodechu.com/downloads/Clonewise-report.txt

The syslinux package reported potential issues appended to this message. The analysis tries to justify why it believes a library or code is embedded in the package and, if the relationship is not already being tracked by Debian in the embedded-code-copies database, it shows the files that are shared between the two pieces of software.

Apologies if these are false positives. Your help in advising me on whether these issues are real will help me improve the analysis for the future.

-- 
Silvio Cesare
Deakin University

### Summary: ###

libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2010-0205
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2010-1205
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2010-2249
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2011-0408
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2011-2501
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2011-2691
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2011-2692
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2011-3328

### Reports by package: ###

# Package syslinux may be vulnerable to the following issues:
# CVE-2010-0205 CVE-2010-1205 CVE-2010-2249 CVE-2011-0408 CVE-2011-2501 CVE-2011-2691 CVE-2011-2692 CVE-2011-3328
# SUMMARY: The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack.
#
# CVE-2010-0205 relates to a vulnerability in package libpng.
# The following source filenames are likely responsible:
#	pngrutil.c
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2010-0205
	MATCH example.c/example.c (4.547585)
	MATCH png.c/png.c (5.367624)
	MATCH pngerror.c/pngerror.c (6.409078)
	MATCH pnggccrd.c/pnggccrd.c (6.814543)
	MATCH pngget.c/pngget.c (6.442979)
	MATCH pngmem.c/pngmem.c (6.409078)
	MATCH pngpread.c/pngpread.c (6.478071)
	MATCH pngrio.c/pngrio.c (6.442979)
	MATCH pngrtran.c/pngrtran.c (6.442979)
	MATCH pngrutil.c/pngrutil.c (6.442979)
	MATCH pngtest.c/pngtest.c (6.977062)
	MATCH pngtrans.c/pngtrans.c (6.376288)
	MATCH pngvcrd.c/pngvcrd.c (6.814543)
	MATCH pngwrite.c/pngwrite.c (6.283915)
# SUMMARY: Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row.
#
# CVE-2010-1205 relates to a vulnerability in package libpng.
# The following source filenames are likely responsible:
#	pngpread.c
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2010-1205
	MATCH example.c/example.c (4.547585)
	MATCH png.c/png.c (5.367624)
	MATCH pngerror.c/pngerror.c (6.409078)
	MATCH pnggccrd.c/pnggccrd.c (6.814543)
	MATCH pngget.c/pngget.c (6.442979)
	MATCH pngmem.c/pngmem.c (6.409078)
	MATCH pngpread.c/pngpread.c (6.478071)
	MATCH pngrio.c/pngrio.c (6.442979)
	MATCH pngrtran.c/pngrtran.c (6.442979)
	MATCH pngrutil.c/pngrutil.c (6.442979)
	MATCH pngtest.c/pngtest.c (6.977062)
	MATCH pngtrans.c/pngtrans.c (6.376288)
	MATCH pngvcrd.c/pngvcrd.c (6.814543)
	MATCH pngwrite.c/pngwrite.c (6.283915)
# SUMMARY: Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before 1.4.3, allows remote attackers to cause a denial of service (memory consumption and application crash) via a PNG image containing malformed Physical Scale (aka sCAL) chunks.
#
# CVE-2010-2249 relates to a vulnerability in package libpng.
# The following source filenames are likely responsible:
#	pngrutil.c
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2010-2249
	MATCH example.c/example.c (4.547585)
	MATCH png.c/png.c (5.367624)
	MATCH pngerror.c/pngerror.c (6.409078)
	MATCH pnggccrd.c/pnggccrd.c (6.814543)
	MATCH pngget.c/pngget.c (6.442979)
	MATCH pngmem.c/pngmem.c (6.409078)
	MATCH pngpread.c/pngpread.c (6.478071)
	MATCH pngrio.c/pngrio.c (6.442979)
	MATCH pngrtran.c/pngrtran.c (6.442979)
	MATCH pngrutil.c/pngrutil.c (6.442979)
	MATCH pngtest.c/pngtest.c (6.977062)
	MATCH pngtrans.c/pngtrans.c (6.376288)
	MATCH pngvcrd.c/pngvcrd.c (6.814543)
	MATCH pngwrite.c/pngwrite.c (6.283915)
# SUMMARY: pngrtran.c in libpng 1.5.x before 1.5.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted palette-based PNG image that triggers a buffer overflow, related to the png_do_expand_palette function, the png_do_rgb_to_gray function, and an integer underflow. NOTE: some of these details are obtained from third party information.
#
# CVE-2011-0408 relates to a vulnerability in package libpng.
# The following source filenames are likely responsible:
#	pngrtran.c
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2011-0408
	MATCH example.c/example.c (4.547585)
	MATCH png.c/png.c (5.367624)
	MATCH pngerror.c/pngerror.c (6.409078)
	MATCH pnggccrd.c/pnggccrd.c (6.814543)
	MATCH pngget.c/pngget.c (6.442979)
	MATCH pngmem.c/pngmem.c (6.409078)
	MATCH pngpread.c/pngpread.c (6.478071)
	MATCH pngrio.c/pngrio.c (6.442979)
	MATCH pngrtran.c/pngrtran.c (6.442979)
	MATCH pngrutil.c/pngrutil.c (6.442979)
	MATCH pngtest.c/pngtest.c (6.977062)
	MATCH pngtrans.c/pngtrans.c (6.376288)
	MATCH pngvcrd.c/pngvcrd.c (6.814543)
	MATCH pngwrite.c/pngwrite.c (6.283915)
# SUMMARY: The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression.
#
# CVE-2011-2501 relates to a vulnerability in package libpng.
# The following source filenames are likely responsible:
#	pngerror.c
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2011-2501
	MATCH example.c/example.c (4.547585)
	MATCH png.c/png.c (5.367624)
	MATCH pngerror.c/pngerror.c (6.409078)
	MATCH pnggccrd.c/pnggccrd.c (6.814543)
	MATCH pngget.c/pngget.c (6.442979)
	MATCH pngmem.c/pngmem.c (6.409078)
	MATCH pngpread.c/pngpread.c (6.478071)
	MATCH pngrio.c/pngrio.c (6.442979)
	MATCH pngrtran.c/pngrtran.c (6.442979)
	MATCH pngrutil.c/pngrutil.c (6.442979)
	MATCH pngtest.c/pngtest.c (6.977062)
	MATCH pngtrans.c/pngtrans.c (6.376288)
	MATCH pngvcrd.c/pngvcrd.c (6.814543)
	MATCH pngwrite.c/pngwrite.c (6.283915)
# SUMMARY: The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.
#
# CVE-2011-2691 relates to a vulnerability in package libpng.
# The following source filenames are likely responsible:
#	pngerror.c
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2011-2691
	MATCH example.c/example.c (4.547585)
	MATCH png.c/png.c (5.367624)
	MATCH pngerror.c/pngerror.c (6.409078)
	MATCH pnggccrd.c/pnggccrd.c (6.814543)
	MATCH pngget.c/pngget.c (6.442979)
	MATCH pngmem.c/pngmem.c (6.409078)
	MATCH pngpread.c/pngpread.c (6.478071)
	MATCH pngrio.c/pngrio.c (6.442979)
	MATCH pngrtran.c/pngrtran.c (6.442979)
	MATCH pngrutil.c/pngrutil.c (6.442979)
	MATCH pngtest.c/pngtest.c (6.977062)
	MATCH pngtrans.c/pngtrans.c (6.376288)
	MATCH pngvcrd.c/pngvcrd.c (6.814543)
	MATCH pngwrite.c/pngwrite.c (6.283915)
# SUMMARY: The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.
#
# CVE-2011-2692 relates to a vulnerability in package libpng.
# The following source filenames are likely responsible:
#	pngrutil.c
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2011-2692
	MATCH example.c/example.c (4.547585)
	MATCH png.c/png.c (5.367624)
	MATCH pngerror.c/pngerror.c (6.409078)
	MATCH pnggccrd.c/pnggccrd.c (6.814543)
	MATCH pngget.c/pngget.c (6.442979)
	MATCH pngmem.c/pngmem.c (6.409078)
	MATCH pngpread.c/pngpread.c (6.478071)
	MATCH pngrio.c/pngrio.c (6.442979)
	MATCH pngrtran.c/pngrtran.c (6.442979)
	MATCH pngrutil.c/pngrutil.c (6.442979)
	MATCH pngtest.c/pngtest.c (6.977062)
	MATCH pngtrans.c/pngtrans.c (6.376288)
	MATCH pngvcrd.c/pngvcrd.c (6.814543)
	MATCH pngwrite.c/pngwrite.c (6.283915)
# SUMMARY: The png_handle_cHRM function in pngrutil.c in libpng 1.5.4, when color-correction support is enabled, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a malformed PNG image containing a cHRM chunk associated with a certain zero value.
#
# CVE-2011-3328 relates to a vulnerability in package libpng.
# The following source filenames are likely responsible:
#	pngrutil.c
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2011-3328
	MATCH example.c/example.c (4.547585)
	MATCH png.c/png.c (5.367624)
	MATCH pngerror.c/pngerror.c (6.409078)
	MATCH pnggccrd.c/pnggccrd.c (6.814543)
	MATCH pngget.c/pngget.c (6.442979)
	MATCH pngmem.c/pngmem.c (6.409078)
	MATCH pngpread.c/pngpread.c (6.478071)
	MATCH pngrio.c/pngrio.c (6.442979)
	MATCH pngrtran.c/pngrtran.c (6.442979)
	MATCH pngrutil.c/pngrutil.c (6.442979)
	MATCH pngtest.c/pngtest.c (6.977062)
	MATCH pngtrans.c/pngtrans.c (6.376288)
	MATCH pngvcrd.c/pngvcrd.c (6.814543)
	MATCH pngwrite.c/pngwrite.c (6.283915)
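A maintainer triaging a report like the one above wants to know, per CVE, whether the file Clonewise blames for the bug is itself among the files it found shared with the package. The parser below is an added example written for this page, not part of Clonewise or the Debian tooling; it reads a constructed two-CVE excerpt in the report's own layout and flags the CVEs whose blamed file is in the MATCH list.

```python
import re
from collections import defaultdict

# Constructed excerpt in the Clonewise report layout shown above, not the full report.
REPORT = """\
# CVE-2010-0205 relates to a vulnerability in package libpng.
# The following source filenames are likely responsible:
#	pngrutil.c
#
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2010-0205
	MATCH png.c/png.c (5.367624)
	MATCH pngrutil.c/pngrutil.c (6.442979)
# CVE-2011-0408 relates to a vulnerability in package libpng.
# The following source filenames are likely responsible:
#	pngrtran.c
#
libpng CLONED_IN_SOURCE syslinux <unfixed> CVE-2011-0408
	MATCH png.c/png.c (5.367624)
"""

RELATES_RE = re.compile(r"^# (CVE-\d{4}-\d+) relates to a vulnerability in package \S+\.$")
CLONE_RE = re.compile(r"^(\S+) (CLONED_IN_\S+) (\S+) <([^>]+)> (CVE-\d{4}-\d+)$")
MATCH_RE = re.compile(r"^\s*MATCH (\S+)/(\S+) \(([\d.]+)\)$")
FILE_RE = re.compile(r"^#\s+(\S+)$")  # "#<tab>pngrutil.c" under the "likely responsible" header

def parse_report(text):
    """Map each CVE to its clone record: library, package, status, blamed and shared files."""
    findings, blamed, cve, collecting = {}, defaultdict(set), None, False
    for line in text.splitlines():
        if m := RELATES_RE.match(line):
            cve, collecting = m.group(1), False
        elif line.startswith("# The following source filenames are likely responsible"):
            collecting = True
        elif collecting and (f := FILE_RE.match(line)):
            blamed[cve].add(f.group(1))
        elif c := CLONE_RE.match(line):
            collecting = False
            lib, _, pkg, status, cve = c.groups()
            findings[cve] = {"library": lib, "package": pkg, "status": status,
                             "blamed": blamed[cve], "matches": {}}
        elif (mm := MATCH_RE.match(line)) and cve in findings:
            findings[cve]["matches"][mm.group(1)] = float(mm.group(3))
        else:
            collecting = False  # any other line (e.g. a bare "#") ends the filename list
    return findings

def blamed_file_shared(findings):
    """True when a file the report blames for the CVE is itself among the shared files."""
    return {cve: bool(f["blamed"] & set(f["matches"])) for cve, f in findings.items()}
```

A CVE whose blamed file is shared deserves a source-level check first; one whose blamed file is absent from the clone is a likely false positive, which is exactly the feedback the report asks for.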