Executive Summary
Informations | |||
---|---|---|---|
Name | CVE-2010-0205 | First vendor Publication | 2010-03-03 |
Vendor | Cve | Last vendor Modification | 2020-08-07 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack. |
Original Source
Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12991 | |||
Oval ID: | oval:org.mitre.oval:def:12991 | ||
Title: | USN-913-1 -- libpng vulnerabilities | ||
Description: | It was discovered that libpng did not properly initialize memory when decoding certain 1-bit interlaced images. If a user or automated system were tricked into processing crafted PNG images, an attacker could possibly use this flaw to read sensitive information stored in memory. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and 9.04. It was discovered that libpng did not properly handle certain excessively compressed PNG images. If a user or automated system were tricked into processing a crafted PNG image, an attacker could possibly use this flaw to consume all available resources, resulting in a denial of service | ||
Family: | unix | Class: | patch |
Reference(s): | USN-913-1 CVE-2009-2042 CVE-2010-0205 | Version: | 5 |
Platform(s): | Ubuntu 8.04 Ubuntu 8.10 Ubuntu 9.10 Ubuntu 6.06 Ubuntu 9.04 | Product(s): | libpng |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13510 | |||
Oval ID: | oval:org.mitre.oval:def:13510 | ||
Title: | DSA-2032-1 libpng -- several | ||
Description: | Several vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-2042 libpng does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialised bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file. CVE-2010-0205 libpng does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service via a crafted PNG file For the stable distribution, these problems have been fixed in version 1.2.27-2+lenny3. For the testing and unstable distribution, these problems have been fixed in version 1.2.43-1 We recommend that you upgrade your libpng package. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2032-1 CVE-2009-2042 CVE-2010-0205 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | libpng |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:7103 | |||
Oval ID: | oval:org.mitre.oval:def:7103 | ||
Title: | DSA-2032 libpng -- several vulnerabilities | ||
Description: | Several vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. The Common Vulnerabilities and Exposures project identifies the following problems: libpng does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialised bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file. libpng does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service via a crafted PNG file | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2032 CVE-2009-2042 CVE-2010-0205 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | libpng |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-09-07 | Name : Mac OS X v10.6.4 Multiple Vulnerabilities (2010-007) File : nvt/gb_macosx_su10-007.nasl |
2011-08-09 | Name : CentOS Update for libpng CESA-2010:0534 centos5 i386 File : nvt/gb_CESA-2010_0534_libpng_centos5_i386.nasl |
2011-03-09 | Name : Gentoo Security Advisory GLSA 201010-01 (libpng) File : nvt/glsa_201010_01.nasl |
2010-10-01 | Name : VMware Products Security Bypass Vulnerability (Win) -Sep10 File : nvt/secpod_vmware_prdts_sec_bypass_vuln_win_sep10.nasl |
2010-10-01 | Name : VMware Products Security Bypass Vulnerability (Linux) -Sep10 File : nvt/secpod_vmware_prdts_sec_bypass_vuln_lin_sep10.nasl |
2010-08-20 | Name : CentOS Update for libpng10 CESA-2010:0534 centos3 i386 File : nvt/gb_CESA-2010_0534_libpng10_centos3_i386.nasl |
2010-07-23 | Name : Fedora Update for libpng10 FEDORA-2010-10833 File : nvt/gb_fedora_2010_10833_libpng10_fc12.nasl |
2010-07-16 | Name : RedHat Update for libpng RHSA-2010:0534-01 File : nvt/gb_RHSA-2010_0534-01_libpng.nasl |
2010-07-06 | Name : Fedora Update for libpng FEDORA-2010-10592 File : nvt/gb_fedora_2010_10592_libpng_fc12.nasl |
2010-05-04 | Name : FreeBSD Ports: png File : nvt/freebsd_png3.nasl |
2010-04-21 | Name : Debian Security Advisory DSA 2032-1 (libpng) File : nvt/deb_2032_1.nasl |
2010-03-31 | Name : Fedora Update for libpng FEDORA-2010-4673 File : nvt/gb_fedora_2010_4673_libpng_fc12.nasl |
2010-03-31 | Name : Fedora Update for libpng FEDORA-2010-4616 File : nvt/gb_fedora_2010_4616_libpng_fc11.nasl |
2010-03-31 | Name : Mandriva Update for libpng MDVSA-2010:063 (libpng) File : nvt/gb_mandriva_MDVSA_2010_063.nasl |
2010-03-31 | Name : Mandriva Update for libpng MDVSA-2010:064 (libpng) File : nvt/gb_mandriva_MDVSA_2010_064.nasl |
2010-03-22 | Name : Ubuntu Update for libpng vulnerabilities USN-913-1 File : nvt/gb_ubuntu_USN_913_1.nasl |
2010-03-22 | Name : Fedora Update for libpng10 FEDORA-2010-3414 File : nvt/gb_fedora_2010_3414_libpng10_fc11.nasl |
2010-03-22 | Name : Fedora Update for libpng10 FEDORA-2010-3375 File : nvt/gb_fedora_2010_3375_libpng10_fc12.nasl |
2010-02-19 | Name : Mandriva Update for totem MDVA-2010:063 (totem) File : nvt/gb_mandriva_MDVA_2010_063.nasl |
2010-02-19 | Name : Mandriva Update for pptp-linux MDVA-2010:064 (pptp-linux) File : nvt/gb_mandriva_MDVA_2010_064.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
62670 | libpng pngrutil.c png_decompress_chunk Function Ancillary Chunks PNG File Dec... libpng contains a flaw that may allow a remote denial of service. The issue is triggered when the png_decompress_chunk() function in libpng fails to properly decompress certain highly compressed ancillary-chunk data, causing the process to consume large amounts of CPU and memory which may result in loss of availability for the application. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0534.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100714_libpng_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2011-01-21 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libpng12-0-100319.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libpng-devel-100319.nasl - Type : ACT_GATHER_INFO |
2010-11-10 | Name : The remote host is missing a Mac OS X update that fixes security issues. File : macosx_SecUpd2010-007.nasl - Type : ACT_GATHER_INFO |
2010-11-10 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_6_5.nasl - Type : ACT_GATHER_INFO |
2010-10-11 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libpng-6933.nasl - Type : ACT_GATHER_INFO |
2010-10-06 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201010-01.nasl - Type : ACT_GATHER_INFO |
2010-07-28 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0534.nasl - Type : ACT_GATHER_INFO |
2010-07-16 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0534.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-4683.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-4673.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-4616.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-3414.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-3375.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-2988.nasl - Type : ACT_GATHER_INFO |
2010-05-18 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_libpng-devel-100318.nasl - Type : ACT_GATHER_INFO |
2010-05-18 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_libpng-devel-100318.nasl - Type : ACT_GATHER_INFO |
2010-05-18 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_libpng-devel-100318.nasl - Type : ACT_GATHER_INFO |
2010-05-07 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12599.nasl - Type : ACT_GATHER_INFO |
2010-04-21 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_4fb5d2cd4c7711df83fb0015587e2cc1.nasl - Type : ACT_GATHER_INFO |
2010-04-12 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2032.nasl - Type : ACT_GATHER_INFO |
2010-03-24 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-064.nasl - Type : ACT_GATHER_INFO |
2010-03-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-063.nasl - Type : ACT_GATHER_INFO |
2010-03-17 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-913-1.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
Date | Informations |
---|---|
2022-02-01 01:07:54 |
|
2021-05-05 01:07:12 |
|
2021-05-04 12:11:56 |
|
2021-04-22 01:12:45 |
|
2020-09-10 01:04:58 |
|
2020-08-07 17:22:40 |
|
2020-05-23 00:25:08 |
|
2017-08-17 09:22:54 |
|
2016-06-28 18:00:23 |
|
2016-04-26 19:31:18 |
|
2014-02-17 10:53:25 |
|
2013-05-10 23:16:39 |
|