Denial of service in libpng



Published: 2019-01-16 | Updated: 2019-04-18
Risk: Low
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2019-6129, CVE-2019-7317
CWE-ID: CWE-401, CWE-416
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: libpng (Universal components / Libraries / Libraries used by multiple products)
Vendor: libpng

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

UPDATED: 18.04.2019
Changed patch availability status to Patched.

1) Memory leak

EUVDB-ID: #VU17017

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-6129

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack on the target system.

The vulnerability exists due to a memory leak in the png_create_info_struct function in png.c. A remote attacker can trigger the memory leak and perform a denial of service attack.

Mitigation

Update to the latest version.

Vulnerable software versions

libpng: 1.6.36

External links

http://github.com/glennrp/libpng/issues/269


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

2) Use-after-free

EUVDB-ID: #VU17708

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7317

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition.

The vulnerability exists due to a use-after-free memory error in the png_image_free function, defined in the png.c source file, when calling png_safe_execute. A remote attacker can send specially crafted data, trigger a call to png_safe_execute and cause memory corruption, resulting in a DoS condition.

Mitigation

Update to the latest version.

Vulnerable software versions

libpng: 1.6.36

External links

http://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
http://github.com/glennrp/libpng/issues/275


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


