Executive Summary

Summary
Title libpng malformed cHRM divide-by-zero vulnerability
Information
Name VU#477046 First vendor Publication 2011-09-22
Vendor VU-CERT Last vendor Modification 2011-09-23
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitability Sub Score NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Cvss Base Score 2.6 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity High
Cvss Exploit Score 4.9 Authentication None Required

Detail

Vulnerability Note VU#477046

libpng malformed cHRM divide-by-zero vulnerability

Overview

libpng crashes when processing malformed cHRM chunks.

I. Description

When libpng encounters a malformed cHRM chunk it performs a divide-by-zero and crashes: the sum of the chunk's red, green and blue Y chromaticity values is used as the divisor when computing the RGB-to-gray coefficients, and a malformed chunk can make that sum zero. This bug was introduced in libpng version 1.5.4 and has been fixed in libpng version 1.5.5.
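The failure is easiest to see against a parser for the chunk itself. The following C program is an added example and is not libpng's code: it assumes the cHRM payload layout from the PNG specification (32 bytes holding eight big-endian 32-bit values, each chromaticity scaled by 100000), uses the coefficient formula shown in the patch in section III, and its names (chrm_t, chrm_parse, chrm_gray_coeffs, chrm_check, chrm_build) are hypothetical. It parses two constructed payloads, the usual sRGB chromaticities and an all-zero chunk, and shows the guard rejecting the latter instead of dividing by zero.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Layout of a PNG cHRM payload: eight big-endian 32-bit values
 * (white x/y, red x/y, green x/y, blue x/y), each scaled by 100000.
 * The struct and function names in this file are hypothetical. */
typedef struct {
    uint32_t white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y;
} chrm_t;

#define CHRM_PAYLOAD_LEN 32

static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Serialise a chrm_t into its 32-byte wire form (used to build the samples). */
void chrm_build(const chrm_t *c, unsigned char out[CHRM_PAYLOAD_LEN])
{
    const uint32_t v[8] = { c->white_x, c->white_y, c->red_x,  c->red_y,
                            c->green_x, c->green_y, c->blue_x, c->blue_y };
    for (int i = 0; i < 8; i++)
        put_be32(out + 4 * i, v[i]);
}

/* Parse a payload. Returns 0 on success, -2 if the length is not 32. */
int chrm_parse(const unsigned char *data, size_t len, chrm_t *out)
{
    if (len != CHRM_PAYLOAD_LEN)
        return -2;
    out->white_x = get_be32(data);      out->white_y = get_be32(data + 4);
    out->red_x   = get_be32(data + 8);  out->red_y   = get_be32(data + 12);
    out->green_x = get_be32(data + 16); out->green_y = get_be32(data + 20);
    out->blue_x  = get_be32(data + 24); out->blue_y  = get_be32(data + 28);
    return 0;
}

/* RGB-to-gray coefficients as png_handle_cHRM computes them:
 * coeff = y * 32768 / (y_red + y_green + y_blue). The sum is the divisor,
 * so a chunk whose three Y values are all zero would divide by zero; the
 * w == 0 check is the guard libpng 1.5.5 added. Returns 0 on success and
 * -1 when the sum is zero (coeff[] is left untouched). 64-bit arithmetic
 * keeps y * 32768 from overflowing for out-of-range Y values. */
int chrm_gray_coeffs(const chrm_t *c, uint16_t coeff[3])
{
    uint64_t w = (uint64_t)c->red_y + c->green_y + c->blue_y;
    if (w == 0)
        return -1;
    coeff[0] = (uint16_t)(((uint64_t)c->red_y   * 32768) / w);
    coeff[1] = (uint16_t)(((uint64_t)c->green_y * 32768) / w);
    coeff[2] = (uint16_t)(((uint64_t)c->blue_y  * 32768) / w);
    return 0;
}

/* Validate a raw cHRM payload end to end: 0 = usable, -1 = zero Y sum
 * (the malformed case behind VU#477046), -2 = wrong payload length. */
int chrm_check(const unsigned char *data, size_t len, uint16_t coeff[3])
{
    chrm_t c;
    int rc = chrm_parse(data, len, &c);
    return rc ? rc : chrm_gray_coeffs(&c, coeff);
}

int main(void)
{
    /* Constructed sample 1: the usual sRGB chromaticities. */
    const chrm_t srgb  = { 31270, 32900, 64000, 33000, 30000, 60000, 15000, 6000 };
    /* Constructed sample 2: all-zero chromaticities, the divide-by-zero trigger. */
    const chrm_t zeros = { 0, 0, 0, 0, 0, 0, 0, 0 };
    unsigned char buf[CHRM_PAYLOAD_LEN];
    uint16_t coeff[3];

    chrm_build(&srgb, buf);
    if (chrm_check(buf, sizeof buf, coeff) == 0)
        printf("sRGB cHRM ok: coeffs %u %u %u\n",
               (unsigned)coeff[0], (unsigned)coeff[1], (unsigned)coeff[2]);

    chrm_build(&zeros, buf);
    if (chrm_check(buf, sizeof buf, coeff) == -1)
        printf("malformed cHRM rejected: red+green+blue Y sum is zero\n");
    return 0;
}
```

For the sRGB sample the Y sum is 99000, giving coefficients 10922, 19859 and 1985 (which add up to just under 32768); for the all-zero sample chrm_check returns -1 and never reaches the division, which is exactly what the unpatched 1.5.4 code path lacked.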

II. Impact

By tricking a user into opening a specially crafted PNG file within an application that uses libpng, an attacker may be able to cause a denial-of-service crash.

The PNG Development Group has stated that: Such malformed PNG files are not necessarily malevolent (ones have been observed on the Internet that were created by accident) but they will cause a crash anyway.

III. Solution

Apply an Update

This vulnerability is addressed in the following libpng versions: libpng-1.5.5

The PNG Development Group recommends upgrading to libpng-1.5.5. However, if you must continue to use libpng-1.5.4, you can apply the following patch to libpng-1.5.4:

--- a/libpng/pngrutil.c
+++ b/libpng/pngrutil.c
@@ -1037,12 +1037,15 @@ png_handle_cHRM(png_structp png_ptr, png_infop
info_ptr, png_uint_32 length)
*/
png_uint_32 w = y_red + y_green + y_blue;

- png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
- 32768)/w);
- png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
- * 32768)/w);
- png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
- 32768)/w);
+ if (w != 0)
+ {
+ png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
+ 32768)/w);
+ png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
+ * 32768)/w);
+ png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
+ 32768)/w);
+ }
}
}
#endif
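Review bot: the `if (w != 0)` guard stops the division, but the hunk shows no handling of the w == 0 case itself: the three rgb_to_gray_*_coeff fields are simply left unassigned, so a chunk whose red, green and blue Y values sum to zero is accepted silently and the coefficients keep whatever value they held before (not visible in this hunk). Consider an else branch that records the malformed chunk, for example `png_warning(png_ptr, "Ignoring cHRM with zero luminance sum");`, so the condition is surfaced to the caller rather than swallowed.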

Vendor Information


According to The PNG Development Group: Those that use a "system" libpng that happens to be libpng-1.5.4 are vulnerable to a divide-by-zero crash. Mozilla products that use the embedded libpng are not vulnerable.
Vendor   Status     Date Notified   Date Updated
libpng   Affected   2011-09-22

References


http://libpng.sf.net/index.html
ftp://ftp.simplesystems.org/pub/png/src
https://sourceforge.net/tracker/index.php?func=detail&aid=3406145&group_id=5624&atid=105624

Credit

Thanks to Glenn Randers-Pehrson of the PNG Development Group for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public:2011-09-22
Date First Published:2011-09-22
Date Last Updated:2011-09-23
CERT Advisory: 
CVE-ID(s): CVE-2011-3328
NVD-ID(s): CVE-2011-3328
US-CERT Technical Alerts: 
Severity Metric:0.06
Document Revision:15

Original Source

Url : http://www.kb.cert.org/vuls/id/477046

CPE : Common Platform Enumeration

Type          Description   Count
Application                 1

OpenVAS Exploits

Date Description
2012-05-18 Name : Mac OS X Multiple Vulnerabilities (2012-002)
File : nvt/gb_macosx_su12-002.nasl
2012-02-06 Name : Mac OS X Multiple Vulnerabilities (2012-001)
File : nvt/gb_macosx_su12-001.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
75676 libpng libpng/pngrutil.c png_handle_cHRM() Function cHRM Chunk PNG File Handl...

Nessus® Vulnerability Scanner

Date Description
2012-09-27 Name : The remote device is affected by multiple vulnerabilities.
File : appletv_5_1.nasl - Type : ACT_GATHER_INFO
2012-05-10 Name : The remote host is missing a Mac OS X update that fixes multiple security vul...
File : macosx_SecUpd2012-002.nasl - Type : ACT_GATHER_INFO
2012-02-02 Name : The remote host is missing a Mac OS X update that fixes several security vuln...
File : macosx_10_7_3.nasl - Type : ACT_GATHER_INFO