According to the version of the libpng packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - The png_set_text_2 function in libpng 0.71 before     1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x     before 1.5.28, and 1.6.x before 1.6.27 allows     context-dependent attackers to cause a NULL pointer     dereference vectors involving loading a text chunk into     a png structure, removing the text, and then adding     another text chunk to the structure.(CVE-2016-10087)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New libpng packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.

This update fixes an old NULL pointer dereference bug in png_set_text_2() discovered and patched by Patrick Keshishian (CVE-2016-10087). The potential 'NULL dereference' bug has existed in libpng since version 0.71 of June 26, 1995. To be vulnerable, an application has to load a text chunk into the png structure, then delete all text, then add another text chunk to the same png structure, which seems to be an unlikely sequence, but it has happened.

The update also fixes some documentation typos and an instance of undefined behavior.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x     before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer     dereference vectors involving loading a text chunk into a png structure, removing the text, and then     adding another text chunk to the structure. (CVE-2016-10087)

Note that Nessus relies on the presence of the package as reported by the vendor.

According to the versions of the syslinux packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x     before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer     dereference vectors involving loading a text chunk into a png structure, removing the text, and then     adding another text chunk to the structure.(CVE-2016-10087)

    The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x     before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds     read) via a large avail_in field value in a PNG image.(CVE-2012-3425)

    The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x     before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application     crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message     data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression.NOTE: this is called an off-     by-one error by some sources.(CVE-2011-2501)

    The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x     before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote     attackers to cause a denial of service (memory corruption and application crash) or possibly have     unspecified other impact via a crafted PNG image that triggers the reading of uninitialized     memory.(CVE-2011-2692)

    The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x     before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME     chunk data in an image file, which triggers an out-of-bounds read.(CVE-2015-7981)

    The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8,     and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string     argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG     image.(CVE-2011-2691)

    Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before     1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand     function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have     unspecified other impact, via a crafted PNG image.(CVE-2011-2690)

    The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before     1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute     arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure     that is not properly handled, leading to a heap-based buffer overflow.(CVE-2011-3048)

    Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used     in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of     service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different     vulnerability than CVE-2011-3026.(CVE-2011-3045)

    Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64,     1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19     allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other     impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.(CVE-2015-8126)

    Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x     before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26     allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image,     which triggers an out-of-bounds read.(CVE-2015-8540)

    Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55,     1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause     a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth     value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2015-8126.(CVE-2015-8472)

    libpng before 1.6.32 does not properly check the length of chunks against the user limit.(CVE-2017-12652)

Tenable has extracted the preceding description block directly from the EulerOS syslinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the syslinux packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

    Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x     before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26     allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image,     which triggers an out-of-bounds read.(CVE-2015-8540)

    Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55,     1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause     a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth     value in an IHDR (aka image header) chunk in a PNG image.  NOTE: this vulnerability exists because of an     incomplete fix for CVE-2015-8126.(CVE-2015-8472)

    Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used     in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of     service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different     vulnerability than CVE-2011-3026.(CVE-2011-3045)

    The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before     1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute     arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure     that is not properly handled, leading to a heap-based buffer overflow.(CVE-2011-3048)

    Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64,     1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19     allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other     impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.(CVE-2015-8126)

    The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x     before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application     crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message     data.  NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-     by-one error by some sources.(CVE-2011-2501)

    The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8,     and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string     argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG     image.(CVE-2011-2691)

    The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x     before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote     attackers to cause a denial of service (memory corruption and application crash) or possibly have     unspecified other impact via a crafted PNG image that triggers the reading of uninitialized     memory.(CVE-2011-2692)

    Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before     1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand     function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have     unspecified other impact, via a crafted PNG image.(CVE-2011-2690)

    The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x     before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME     chunk data in an image file, which triggers an out-of-bounds read.(CVE-2015-7981)

    The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x     before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds     read) via a large avail_in field value in a PNG image.(CVE-2012-3425)

    The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x     before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer     dereference vectors involving loading a text chunk into a png structure, removing the text, and then     adding another text chunk to the structure.(CVE-2016-10087)

    libpng before 1.6.32 does not properly check the length of chunks against the user limit.(CVE-2017-12652)

Tenable has extracted the preceding description block directly from the EulerOS Virtualization syslinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
123591	EulerOS 2.0 SP2 : libpng (EulerOS-SA-2019-1117)	Nessus	Huawei Local Security Checks	4/2/2019	6/6/2024	high
128102	EulerOS 2.0 SP5 : libpng (EulerOS-SA-2019-1810)	Nessus	Huawei Local Security Checks	8/23/2019	5/2/2024	high
96179	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libpng (SSA:2016-365-01)	Nessus	Slackware Local Security Checks	1/3/2017	1/14/2021	high
96353	Fedora 25 : libpng10 (2016-a4b06a036b)	Nessus	Fedora Local Security Checks	1/10/2017	1/11/2021	high
219230	Linux Distros Unpatched Vulnerability : CVE-2016-10087	Nessus	Misc.	3/4/2025	9/4/2025	high
210632	EulerOS 2.0 SP10 : syslinux (EulerOS-SA-2024-2915)	Nessus	Huawei Local Security Checks	11/8/2024	11/8/2024	critical
236925	EulerOS Virtualization 2.12.0 : syslinux (EulerOS-SA-2025-1566)	Nessus	Huawei Local Security Checks	5/17/2025	5/17/2025	critical

Detections

Analytics

Plugins Search

high

high

high

high

high

critical

critical