Vulnerability Note VU#388984
libpng fails to properly check length of transparency chunk (tRNS) data
The Portable Network Graphics library (libpng) contains a remotely exploitable vulnerability, which could lead to arbitrary code execution on an affected system.
The Portable Network Graphics (PNG) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format.
According to the PNG Chunk Specification, PNG images contain a series of chunks including the IHDR, IDAT, and IEND chunks. In addition to these required chunks, a PNG image may contain one or more optional chunks. The optional tRNS chunk is responsible for specifying images that use simple transparency. There are several components of the tRNS chunk. If the PLTE block is not present in a tRNS chunk, a logic error in the code responsible for validating the data segments of the tRNS chunk may lead to a buffer overflow condition.
By introducing a malformed PNG image to a vulnerable application, a remote attacker could cause the application to crash or potentially execute arbitrary code with the privileges of the current user.
Apply a patch from the vendor
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apple Computer Inc.||Affected||16 Jul 2004||17 May 2005|
|Gentoo||Affected||-||20 Aug 2004|
|libpng.org||Affected||16 Jul 2004||04 Aug 2004|
|Microsoft Corporation||Affected||16 Jul 2004||14 Jun 2005|
|MontaVista Software||Affected||16 Jul 2004||04 Aug 2004|
|OpenPKG||Affected||-||20 Aug 2004|
|Slackware||Affected||-||20 Aug 2004|
|SuSE Inc.||Affected||16 Jul 2004||27 Jul 2004|
|Trustix Secure Linux||Affected||-||20 Aug 2004|
|Juniper Networks||Not Affected||16 Jul 2004||27 Jul 2004|
|NEC Corporation||Not Affected||16 Jul 2004||02 Aug 2004|
|BSDI||Unknown||-||23 Jul 2004|
|Conectiva||Unknown||-||23 Jul 2004|
|Cray Inc.||Unknown||-||23 Jul 2004|
|Debian||Unknown||-||23 Jul 2004|
CVSS Metrics (Learn More)
Thanks to Chris Evans for reporting this vulnerability.
This document was written by Chad Dougherty and Damon Morda.
- CVE IDs: CAN-2004-0597
- Date Public: 04 Aug 2004
- Date First Published: 04 Aug 2004
- Date Last Updated: 14 Jun 2005
- Severity Metric: 20.11
- Document Revision: 37
If you have feedback, comments, or additional information about this vulnerability, please send us email.