Resource management error in OptiPNG - CVE-2012-4432
Published: October 1, 2012 / Updated: August 11, 2020
Vulnerability identifier: #VU43452
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2012-4432
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: cosmin
Affected software:
OptiPNG
OptiPNG
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Use-after-free vulnerability in opngreduc.c in OptiPNG Hg and 0.7.x before 0.7.3 might allow remote attackers to execute arbitrary code via unspecified vectors related to "palette reduction."
How to mitigate CVE-2012-4432
Install update from vendor's website.
Sources
- http://optipng.hg.sourceforge.net/hgweb/optipng/optipng/rev/f1d5d44670a2
- http://optipng.sourceforge.net/
- http://secunia.com/advisories/50654
- http://sourceforge.net/news/?group_id=151404
- http://www.openwall.com/lists/oss-security/2012/09/17/5
- http://www.openwall.com/lists/oss-security/2012/09/18/2
- http://www.securityfocus.com/bid/55566
- https://exchange.xforce.ibmcloud.com/vulnerabilities/78743