Resource management error in cosmin OptiPNG
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Resource management error
EUVDB-ID: #VU43452
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2012-4432
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Use-after-free vulnerability in opngreduc.c in OptiPNG Hg and 0.7.x before 0.7.3 might allow remote attackers to execute arbitrary code via unspecified vectors related to "palette reduction."
MitigationInstall update from vendor's website.
Vulnerable software versionsOptiPNG: hg - 0.7.2
CPE2.3- cpe:2.3:a:cosmin:optipng:hg:*:*:*:*:*:*:*
- cpe:2.3:a:cosmin:optipng:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:cosmin:optipng:0.7.1:*:*:*:*:*:*:*
https://optipng.hg.sourceforge.net/hgweb/optipng/optipng/rev/f1d5d44670a2
https://optipng.sourceforge.net/
https://secunia.com/advisories/50654
https://sourceforge.net/news/?group_id=151404
https://www.openwall.com/lists/oss-security/2012/09/17/5
https://www.openwall.com/lists/oss-security/2012/09/18/2
https://www.securityfocus.com/bid/55566
https://exchange.xforce.ibmcloud.com/vulnerabilities/78743
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
