Executive Summary

Summary
Title: libpng off-by-one vulnerability
Information
Name: VU#889484
First vendor Publication: 2008-10-02
Vendor: VU-CERT
Last vendor Modification: 2008-10-02
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability SubScore: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Base Score: 4.3
Attack Range: Network
CVSS Impact Score: 2.9
Attack Complexity: Medium
CVSS Exploit Score: 8.6
Authentication: None Required

Detail

Vulnerability Note VU#889484

libpng off-by-one vulnerability

Overview

A vulnerability exists in libpng that may allow a remote attacker to cause a denial of service.

I. Description

A vulnerability in the way libpng handles files that contain multiple zTXt chunks may cause a denial of service. This vulnerability is due to an off-by-one error introduced in the png_push_read_zTXt() function in libpng-1.2.30/pngpread.c. According to the PNG Development Group:

    Gecko-based applications such as Firefox are not vulnerable because they contain a png_set_keep_unknown_chunks() call that causes the application to ignore the zTXt chunk.


Note that this issue affects libpng versions 1.0.38, 1.0.39, 1.2.30, 1.2.31, and libpng-1.4.0beta.

II. Impact

A remote, unauthorized attacker may be able to cause a denial of service.

III. Solution

Upgrade

The PNG Development Group has issued an upgrade to address this issue. See libpng version 1.2.32 for more information.

Systems Affected

Vendor  Status  Date Notified  Date Updated
libpng  Vulnerable  2008-10-02

References


http://sourceforge.net/tracker/index.php?func=detail&aid=2095669&group_id=5624&atid=105624
http://sourceforge.net/mailarchive/forum.php?thread_name=e56ccc8f0809180317u6a5306fg14683947affb3e1b%40mail.gmail.com&forum_name=png-mng-implement

Credit

This issue was reported by the PNG Development Group in libpng version 1.2.32.

This document was written by Chris Taschner.

Other Information

Date Public: 2008-09-05
Date First Published: 2008-10-02
Date Last Updated: 2008-10-02
CERT Advisory:
CVE-ID(s): CVE-2008-3964
NVD-ID(s): CVE-2008-3964
US-CERT Technical Alerts:
Metric: 3.97
Document Revision: 7

Original Source

URL: http://www.kb.cert.org/vuls/id/889484

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-193 Off-by-one Error

CPE : Common Platform Enumeration

Type  Description  Count
Application 495

OpenVAS Exploits

Date Description
2009-06-05 Name : Ubuntu USN-723-1 (git-core)
File : nvt/ubuntu_723_1.nasl
2009-03-07 Name : Ubuntu USN-730-1 (libpng)
File : nvt/ubuntu_730_1.nasl
2009-03-02 Name : Mandrake Security Advisory MDVSA-2009:051 (libpng)
File : nvt/mdksa_2009_051.nasl
2008-12-23 Name : Gentoo Security Advisory GLSA 200812-15 (povray)
File : nvt/glsa_200812_15.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
48298 libpng pngread.c png_push_read_zTXt() Function Off-By-One

Nessus® Vulnerability Scanner

Date Description
2009-04-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-051.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-730-1.nasl - Type : ACT_GATHER_INFO
2008-12-15 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200812-15.nasl - Type : ACT_GATHER_INFO
2008-03-04 Name : The remote host is missing Sun Security Patch number 137080-11
File : solaris10_137080.nasl - Type : ACT_GATHER_INFO
2008-03-04 Name : The remote host is missing Sun Security Patch number 137081-11
File : solaris10_x86_137081.nasl - Type : ACT_GATHER_INFO