http://libpng.sourceforge.net/index.html

SUSE-SR:2009:003

[oss-security] 20090109 libpng non issue

34320

34388

GLSA-200903-28

[png-mng-implement] 20081126 Memory overwriting bug in png_check_keyword()

DSA-1750

MDVSA-2009:051

libpng-pngcheckkeyword-memory-corruption(48128)

The remote host is affected by the vulnerability described in GLSA-201412-08 (Multiple packages, Multiple vulnerabilities fixed in 2010)

    Vulnerabilities have been discovered in the packages listed below.
      Please review the CVE identifiers in the Reference section for details.
      Insight       Perl Tk Module       Source-Navigator       Tk       Partimage       Mlmmj       acl       Xinit       gzip       ncompress       liblzw       splashutils       GNU M4       KDE Display Manager       GTK+       KGet       dvipng       Beanstalk       Policy Mount       pam_krb5       GNU gv       LFTP       Uzbl       Slim       Bitdefender Console       iputils       DVBStreamer   Impact :

    A context-dependent attacker may be able to gain escalated privileges,       execute arbitrary code, cause Denial of Service, obtain sensitive       information, or otherwise bypass security restrictions.
  Workaround :

    There are no known workarounds at this time.

This update of libpng fixes the function png_check_keyword() that allowed setting arbitrary bytes in the process memory to 0.
(CVE-2008-5907)

It was discovered that libpng did not properly perform bounds checking in certain operations. An attacker could send a specially crafted PNG image and cause a denial of service in applications linked against libpng. This issue only affected Ubuntu 8.04 LTS. (CVE-2007-5268, CVE-2007-5269)

Tavis Ormandy discovered that libpng did not properly initialize memory. If a user or automated system were tricked into opening a crafted PNG image, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. This issue did not affect Ubuntu 8.10. (CVE-2008-1382)

Harald van Dijk discovered an off-by-one error in libpng. An attacker could could cause an application crash in programs using pngtest.
(CVE-2008-3964)

It was discovered that libpng did not properly NULL terminate a keyword string. An attacker could exploit this to set arbitrary memory locations to zero. (CVE-2008-5907)

Glenn Randers-Pehrson discovered that libpng did not properly initialize pointers. If a user or automated system were tricked into opening a crafted PNG file, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0040).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A number of vulnerabilities have been found and corrected in libpng :

Fixed 1-byte buffer overflow in pngpread.c (CVE-2008-3964). This was allready fixed in Mandriva Linux 2009.0.

Fix the function png_check_keyword() that allowed setting arbitrary bytes in the process memory to 0 (CVE-2008-5907).

Fix a potential DoS (Denial of Service) or to potentially compromise an application using the library (CVE-2009-0040).

The updated packages have been patched to prevent this.

Several vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-2445     The png_handle_tRNS function allows attackers to cause a     denial of service (application crash) via a grayscale     PNG image with a bad tRNS chunk CRC value.

  - CVE-2007-5269     Certain chunk handlers allow attackers to cause a denial     of service (crash) via crafted pCAL, sCAL, tEXt, iTXt,     and ztXT chunking in PNG images, which trigger     out-of-bounds read operations.

  - CVE-2008-1382     libpng allows context-dependent attackers to cause a     denial of service (crash) and possibly execute arbitrary     code via a PNG file with zero length 'unknown' chunks,     which trigger an access of uninitialized memory.

  - CVE-2008-5907     The png_check_keyword might allow context-dependent     attackers to set the value of an arbitrary memory     location to zero via vectors involving creation of     crafted PNG files with keywords.

  - CVE-2008-6218     A memory leak in the png_handle_tEXt function allows     context-dependent attackers to cause a denial of service     (memory exhaustion) via a crafted PNG file.

  - CVE-2009-0040     libpng allows context-dependent attackers to cause a     denial of service (application crash) or possibly     execute arbitrary code via a crafted PNG file that     triggers a free of an uninitialized pointer in (1) the     png_read_png function, (2) pCAL chunk handling, or (3)     setup of 16-bit gamma tables.

The remote host is affected by the vulnerability described in GLSA-200903-28 (libpng: Multiple vulnerabilities)

    Multiple vulnerabilities were discovered in libpng:
    A     memory leak bug was reported in png_handle_tEXt(), a function that is     used while reading PNG images (CVE-2008-6218).
    A memory     overwrite bug was reported by Jon Foster in png_check_keyword(), caused     by writing overlong keywords to a PNG file (CVE-2008-5907).
    A     memory corruption issue, caused by an incorrect handling of an out of     memory condition has been reported by Tavis Ormandy of the Google     Security Team. That vulnerability affects direct uses of     png_read_png(), pCAL chunk and 16-bit gamma table handling     (CVE-2009-0040).
  Impact :

    A remote attacker may execute arbitrary code with the privileges of the     user opening a specially crafted PNG file by exploiting the erroneous     out-of-memory handling. An attacker may also exploit the     png_check_keyword() error to set arbitrary memory locations to 0, if     the application allows overlong, user-controlled keywords when writing     PNG files. The png_handle_tEXT() vulnerability may be exploited by an     attacker to potentially consume all memory on a users system when a     specially crafted PNG file is opened.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
79961	GLSA-201412-08 : Multiple packages, Multiple vulnerabilities fixed in 2010	Nessus	Gentoo Local Security Checks	critical
41546	SuSE 10 Security Update : libpng (ZYPP Patch Number 5945)	Nessus	SuSE Local Security Checks	medium
41270	SuSE9 Security Update : libpng, libpng-devel (YOU Patch Number 12339)	Nessus	SuSE Local Security Checks	medium
40263	openSUSE Security Update : libpng-devel (libpng-devel-455)	Nessus	SuSE Local Security Checks	medium
40037	openSUSE Security Update : libpng-devel (libpng-devel-455)	Nessus	SuSE Local Security Checks	medium
37042	Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : libpng vulnerabilities (USN-730-1)	Nessus	Ubuntu Local Security Checks	high
36671	Mandriva Linux Security Advisory : libpng (MDVSA-2009:051)	Nessus	Mandriva Local Security Checks	medium
35988	Debian DSA-1750-1 : libpng - several vulnerabilities	Nessus	Debian Local Security Checks	high
35929	GLSA-200903-28 : libpng: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
35553	openSUSE 10 Security Update : libpng (libpng-5944)	Nessus	SuSE Local Security Checks	medium

CVE-2008-5907

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

medium

medium

medium

medium

high

medium

high

high

medium