Heap-based buffer overflow in libpng (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2011-3048 |
| CWE-ID | CWE-122 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
libpng (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Heap-based buffer overflow
EUVDB-ID: #VU32812
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-3048
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10. A remote attacker can use a crafted text chunk in a PNG image file to trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionslibpng (Alpine package): 1.4.8-r0
CPE2.3 External linkshttps://git.alpinelinux.org/aports/commit/?id=1fdf0d9fa74d664730e80ac8792b252ef66ef9ea
https://git.alpinelinux.org/aports/commit/?id=2295d86e6d036331f4e08006888dc9a548d955f7
https://git.alpinelinux.org/aports/commit/?id=144ec79fac763cd2cf39fdb77e5aa9d107079e04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
