SB2011071701 - Multiple vulnerabilities in libpng
Published: July 17, 2011 Updated: August 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2011-2501)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows remote attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression.
2) Buffer overflow (CVE-ID: CVE-2011-2690)
CWE-ID: CWE-120 - Buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.
3) NULL pointer dereference (CVE-ID: CVE-2011-2691)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.
4) Buffer overflow (CVE-ID: CVE-2011-2692)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.
Remediation
Install update from vendor's website.
References
- http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=65e6d5a34f49acdb362a0625a706c6b914e670af
- http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062720.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063118.html
- http://secunia.com/advisories/45046
- http://secunia.com/advisories/45289
- http://secunia.com/advisories/45405
- http://secunia.com/advisories/45415
- http://secunia.com/advisories/45460
- http://secunia.com/advisories/45486
- http://secunia.com/advisories/45492
- http://secunia.com/advisories/49660
- http://security.gentoo.org/glsa/glsa-201206-15.xml
- http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.617466
- http://sourceforge.net/mailarchive/forum.php?thread_name=BANLkTikrnU6FJNQYFvwmt78hwpgKPVRd1Q%40mail.gmail.com&forum_name=png-mng-implement
- http://www.debian.org/security/2011/dsa-2287
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:151
- http://www.openwall.com/lists/oss-security/2011/06/27/13
- http://www.openwall.com/lists/oss-security/2011/06/28/16
- http://www.redhat.com/support/errata/RHSA-2011-1105.html
- http://www.securityfocus.com/bid/48474
- http://www.ubuntu.com/usn/USN-1175-1
- https://bugzilla.redhat.com/show_bug.cgi?id=717084
- https://exchange.xforce.ibmcloud.com/vulnerabilities/68517
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
- http://secunia.com/advisories/45461
- http://support.apple.com/kb/HT5002
- http://www.libpng.org/pub/png/libpng.html
- http://www.openwall.com/lists/oss-security/2011/07/13/2
- http://www.redhat.com/support/errata/RHSA-2011-1104.html
- http://www.securityfocus.com/bid/48660
- https://bugzilla.redhat.com/show_bug.cgi?id=720607
- https://exchange.xforce.ibmcloud.com/vulnerabilities/68538
- http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=9dad5e37aef295b4ef8dea39392b652deebc9261
- http://marc.info/?l=bugtraq&m=133951357207000&w=2
- https://bugzilla.redhat.com/show_bug.cgi?id=720608
- https://exchange.xforce.ibmcloud.com/vulnerabilities/68537
- http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=61a2d8a2a7b03023e63eae9a3e64607aaaa6d339
- http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
- http://secunia.com/advisories/45445
- http://sourceforge.net/mailarchive/forum.php?thread_name=003101cc2790%24fb5d6e80%24f2184b80%24%40acm.org&forum_name=png-mng-implement
- http://support.apple.com/kb/HT5281
- http://www.kb.cert.org/vuls/id/819894
- http://www.redhat.com/support/errata/RHSA-2011-1103.html
- http://www.securityfocus.com/bid/48618
- https://bugzilla.redhat.com/show_bug.cgi?id=720612
- https://exchange.xforce.ibmcloud.com/vulnerabilities/68536