Mandriva Linux Security Advisory : libpng (MDVSA-2015:090)

critical Nessus Plugin ID 82343

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Updated libpng package fixes security vulnerabilities :

The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero (CVE-2014-0333).

libpng versions 1.6.9 through 1.6.15 have an integer-overflow vulnerability in png_combine_row() when decoding very wide interlaced images, which can allow an attacker to overwrite an arbitrary amount of memory with arbitrary (attacker-controlled) data (CVE-2014-9495).

Solution

Update the affected lib64png-devel and / or lib64png16_16 packages.

See Also

http://advisories.mageia.org/MGASA-2014-0131.html

http://advisories.mageia.org/MGASA-2015-0008.html

Plugin Details

Severity: Critical

ID: 82343

File Name: mandriva_MDVSA-2015-090.nasl

Version: 1.4

Type: local

Published: 3/30/2015

Updated: 1/14/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:lib64png-devel, p-cpe:/a:mandriva:linux:lib64png16_16, cpe:/o:mandriva:business_server:2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 3/28/2015

Reference Information

CVE: CVE-2014-0333, CVE-2014-9495

MDVSA: 2015:090