SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#160448

libpng integer overflow in image height processing

Overview

The Portable Network Graphics library (libpng) contains a remotely exploitable vulnerability which could cause affected applications to crash.

I. Description

The Portable Network Graphics (PNG) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format.

An integer overflow error exists in the handling of PNG image height within the png_read_png() function. As a result, a PNG image with excessive height may cause an integer overflow on a memory allocation and could cause the affected application to crash.

Multiple applications support the PNG image format including web browsers, email clients, and various graphic utilities. Because multiple products have used the libpng reference library to implement native PNG image processing, multiple applications will be affected by this issue in different ways.

II. Impact

An attacker could cause a vulnerable application to crash by supplying a specially-crafted PNG image. Vulnerable applications that read images from network sources could be exploited remotely.

III. Solution

Apply a patch from the vendor


Patches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details.

Systems Affected

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Vulnerable4-Aug-2004
BSDIUnknown23-Jul-2004
ConectivaUnknown23-Jul-2004
Cray Inc.Unknown23-Jul-2004
DebianUnknown23-Jul-2004
eMC CorporationUnknown23-Jul-2004
EngardeUnknown23-Jul-2004
FreeBSDUnknown23-Jul-2004
FujitsuUnknown23-Jul-2004
Hewlett-Packard CompanyUnknown23-Jul-2004
HitachiUnknown23-Jul-2004
IBMNot Vulnerable4-Aug-2004
IBM-zSeriesUnknown23-Jul-2004
IBM eServerUnknown23-Jul-2004
IMmunixUnknown23-Jul-2004
Ingrian NetworksUnknown23-Jul-2004
Juniper NetworksNot Vulnerable23-Jul-2004
libpng.orgVulnerable4-Aug-2004
MandrakeSoftUnknown23-Jul-2004
Microsoft CorporationUnknown23-Jul-2004
MontaVista SoftwareVulnerable4-Aug-2004
NEC CorporationNot Vulnerable3-Aug-2004
NETBSDUnknown23-Jul-2004
NokiaUnknown23-Jul-2004
NovellUnknown23-Jul-2004
Openwall GNU/*/LinuxUnknown23-Jul-2004
Red Hat Inc.Unknown23-Jul-2004
SCOUnknown23-Jul-2004
SequentUnknown23-Jul-2004
SGIUnknown23-Jul-2004
Sony CorporationUnknown23-Jul-2004
Sun Microsystems Inc.Unknown23-Jul-2004
SuSE Inc.Unknown23-Jul-2004
TurboLinuxUnknown23-Jul-2004
UnisysUnknown23-Jul-2004
Wind River Systems Inc.Unknown23-Jul-2004

References

http://scary.beasts.org/security/CESA-2004-001.txt
http://www.libpng.org/pub/png/
http://libpng.sourceforge.net/

Credit

Thanks to Chris Evans for reporting this vulnerability.

This document was written by Chad Dougherty and Damon Morda.

Other Information

Date Public:2004-08-04
Date First Published:2004-08-04
Date Last Updated:2004-08-04
CERT Advisory: 
CVE-ID(s):CAN-2004-0599
NVD-ID(s):CAN-2004-0599
US-CERT Technical Alerts: 
Metric:0.97
Document Revision:9

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get a PDF Reader