The remote host is affected by the vulnerability described in GLSA-201701-74 (libpng: Remote execution of arbitrary code)

    A NULL pointer dereference was discovered in libpng in the       png_push_save_buffer function.  In order to be vulnerable, an application       has to load a text chunk into the PNG structure, then delete all text,       then add another text chunk to the same PNG structure, which seems to be       an unlikely sequence, but it is possible.
  Impact :

    A remote attacker, by enticing a user to process a specially crafted PNG       file, could execute arbitrary code with the privileges of the process.
  Workaround :

    There is no known workaround at this time.

This update for libpng16 fixes the following issues: Security issues fixed :

  - CVE-2016-10087: NULL pointer dereference in     png_set_text_2() (bsc#1017646)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Update to upstream release **1.5.28**.

  - Fixes **CVE-2016-10087**.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libpng12 fixes the following issues :

Security issues fixed :

  - CVE-2015-8540: read underflow in libpng (bsc#958791)

  - CVE-2016-10087: NULL pointer dereference in     png_set_text_2() (bsc#1017646)

This update was imported from the SUSE:SLE-12:Update update project.

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3712-1 advisory.

    Patrick Keshishian discovered that libpng incorrectly handled certain PNG files. An attacker could     possibly use this to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04     LTS. (CVE-2016-10087)

    Thuan Pham discovered that libpng incorrectly handled certain PNG files. An attacker could possibly use     this to cause a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS.
    (CVE-2018-13785)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the syslinux packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x     before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26     allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image,     which triggers an out-of-bounds read.(CVE-2015-8540)

    Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55,     1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause     a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth     value in an IHDR (aka image header) chunk in a PNG image.  NOTE: this vulnerability exists because of an     incomplete fix for CVE-2015-8126.(CVE-2015-8472)

    Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used     in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of     service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different     vulnerability than CVE-2011-3026.(CVE-2011-3045)

    The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before     1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute     arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure     that is not properly handled, leading to a heap-based buffer overflow.(CVE-2011-3048)

    Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64,     1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19     allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other     impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.(CVE-2015-8126)

    The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x     before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application     crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message     data.  NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-     by-one error by some sources.(CVE-2011-2501)

    The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8,     and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string     argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG     image.(CVE-2011-2691)

    The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x     before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote     attackers to cause a denial of service (memory corruption and application crash) or possibly have     unspecified other impact via a crafted PNG image that triggers the reading of uninitialized     memory.(CVE-2011-2692)

    Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before     1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand     function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have     unspecified other impact, via a crafted PNG image.(CVE-2011-2690)

    The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x     before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME     chunk data in an image file, which triggers an out-of-bounds read.(CVE-2015-7981)

    The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x     before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds     read) via a large avail_in field value in a PNG image.(CVE-2012-3425)

    The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x     before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer     dereference vectors involving loading a text chunk into a png structure, removing the text, and then     adding another text chunk to the structure.(CVE-2016-10087)

    libpng before 1.6.32 does not properly check the length of chunks against the user limit.(CVE-2017-12652)

Tenable has extracted the preceding description block directly from the EulerOS syslinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the unbound packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original     software developer, NLnet Labs) falls within the expected functionality and security controls of the     application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet Labs     has no further information about the claim, and suggests that affected Red Hat customers refer to     available Red Hat documentation or support channels. ORIGINAL DESCRIPTION: A heap-buffer-overflow flaw was     found in the cfg_mark_ports function within Unbound's config_file.c, which can lead to memory corruption.
    This issue could allow an attacker with local access to provide specially crafted input, potentially     causing the application to crash or allowing arbitrary code execution. This could result in a denial of     service or unauthorized actions on the system.(CVE-2024-43168)

    NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with     very large RRsets that it needs to perform name compression for. Malicious upstreams responses with very     large RRsets can cause Unbound to spend a considerable time applying name compression to downstream     replies. This can lead to degraded performance and eventually denial of service in well orchestrated     attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially     crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will     try to apply name compression which was an unbounded operation that could lock the CPU until the whole     packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression     calculations it is willing to do per packet. Packets that need more compression will result in semi-     compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long.
    This change should not affect normal DNS traffic.(CVE-2024-8508)

    The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource     consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later     sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the 'DNSBomb'     issue.(CVE-2024-33655)

Tenable has extracted the preceding description block directly from the EulerOS unbound security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
96860	GLSA-201701-74 : libpng: Remote execution of arbitrary code	Nessus	Gentoo Local Security Checks	1/30/2017	1/11/2021	high
99085	SUSE SLED12 / SLES12 Security Update : libpng16 (SUSE-SU-2017:0853-1)	Nessus	SuSE Local Security Checks	3/30/2017	1/6/2021	high
99319	Fedora 24 : libpng15 (2017-66fd940572)	Nessus	Fedora Local Security Checks	4/13/2017	1/6/2021	high
99211	openSUSE Security Update : libpng12 (openSUSE-2017-441)	Nessus	SuSE Local Security Checks	4/6/2017	1/19/2021	high
111040	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : libpng vulnerabilities (USN-3712-1)	Nessus	Ubuntu Local Security Checks	7/12/2018	9/3/2025	high
212600	EulerOS 2.0 SP12 : syslinux (EulerOS-SA-2024-2958)	Nessus	Huawei Local Security Checks	12/12/2024	12/12/2024	critical
212639	EulerOS 2.0 SP11 : unbound (EulerOS-SA-2024-2973)	Nessus	Huawei Local Security Checks	12/12/2024	12/12/2024	critical

Detections

Analytics

Plugins Search

high

high

high

high

high

critical

critical