SB2011011805 - Input validation error in libpng
Published: January 18, 2011 Updated: August 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: CVE-2011-0408)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows remote attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (application crash) or possibly execute arbitrary code via a crafted palette-based PNG image that triggers a buffer overflow, related to the png_do_expand_palette function, the png_do_rgb_to_gray function, and an integer underflow.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- ftp://ftp.simplesystems.org/pub/png-group/src/libpng-1.5.1beta01-1.5.0-diff.txt
- ftp://ftp.simplesystems.org/pub/png-group/src/libpng-1.5.1beta01-README.txt
- http://osvdb.org/70417
- http://secunia.com/advisories/42863
- http://securitytracker.com/id?1024955
- http://sourceforge.net/mailarchive/forum.php?thread_name=002b01cbb0e2%24ae636c80%240b2a4580%24%40acm.org&forum_name=png-mng-implement
- http://www.kb.cert.org/vuls/id/643140
- http://www.vupen.com/english/advisories/2011/0080
- https://exchange.xforce.ibmcloud.com/vulnerabilities/64637