
Vulnerability Note VU#388984

libpng fails to properly check length of transparency chunk (tRNS) data

Overview

The Portable Network Graphics library (libpng) contains a remotely exploitable vulnerability, which could lead to arbitrary code execution on an affected system.

I. Description

The Portable Network Graphics (PNG) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format.

According to the PNG Chunk Specification, PNG images contain a series of chunks including the IHDR, IDAT, and IEND chunks. In addition to these required chunks, a PNG image may contain one or more optional chunks. The optional tRNS chunk specifies transparency information for images that use simple transparency. There are several components of the tRNS chunk. If the PLTE chunk is not present when a tRNS chunk is processed, a logic error in the code responsible for validating the data segments of the tRNS chunk may lead to a buffer overflow condition.

The buffer overflow vulnerability occurs in the png_handle_tRNS() function, which is responsible for ensuring that PNG images are formatted properly. When processing malformed PNG images, this function may fail to properly validate the length of the transparency chunk (tRNS) data.
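The following is an added example, not part of the original note and not libpng code: a small screening routine that walks the chunks of a PNG byte string and reports tRNS chunks whose length or position breaks the rules in the PNG specification (at most one byte per palette entry and a preceding PLTE for palette images, 2 bytes for grayscale, 6 for truecolor, none for images with an alpha channel). The names check_trns, chunk and ihdr are hypothetical, the sample inputs are constructed, and chunk CRCs are not verified.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
FIXED_TRNS_LEN = {0: 2, 2: 6}   # PNG spec: tRNS size for grayscale and truecolor
MAX_PALETTE = 256               # PNG spec: a palette holds at most 256 entries

def chunk(ctype, data=b""):
    """Serialize one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def ihdr(color_type):
    """Constructed 1x1, 8-bit IHDR chunk used by the sample inputs below."""
    return chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, color_type, 0, 0, 0))

def check_trns(png):
    """Return findings about tRNS chunks in a PNG byte string (empty list = clean)."""
    if not png.startswith(PNG_SIG):
        return ["not a PNG stream"]
    findings, color_type, palette, pos = [], None, None, len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if len(data) < length:              # declared length runs past end of input
            findings.append("truncated chunk at offset %d" % pos)
            break
        if ctype == b"IHDR" and length == 13:
            color_type = data[9]            # byte 9 of IHDR data is the color type
        elif ctype == b"PLTE":
            palette = length // 3           # three bytes (R, G, B) per entry
        elif ctype == b"tRNS":
            if color_type == 3:             # palette image: one alpha byte per entry
                if palette is None:
                    findings.append("tRNS without a preceding PLTE")
                limit = palette if palette is not None else MAX_PALETTE
                if length > limit:
                    findings.append("tRNS length %d exceeds limit %d" % (length, limit))
            elif color_type in FIXED_TRNS_LEN:
                if length != FIXED_TRNS_LEN[color_type]:
                    findings.append("tRNS length %d invalid for color type %d" % (length, color_type))
            else:
                findings.append("tRNS not allowed for color type %r" % color_type)
        pos += 12 + length                  # 4 length + 4 type + data + 4 CRC
    return findings

# Constructed samples (chunk sequences only, not real images): a well-formed palette
# stream, and the malformed shape the note describes (no PLTE, oversized tRNS).
GOOD = PNG_SIG + ihdr(3) + chunk(b"PLTE", bytes(6)) + chunk(b"tRNS", bytes(2)) + chunk(b"IEND")
BAD = PNG_SIG + ihdr(3) + chunk(b"tRNS", bytes(300)) + chunk(b"IEND")
```

A check like this belongs in front of any decoder that has not been patched; it does not replace the vendor fix.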

Multiple applications support the PNG image format, including web browsers, email clients, and various graphic utilities. Because multiple products have used the libpng reference library to implement native PNG image processing, multiple applications will be affected by this issue in different ways.

Please note that this vulnerability is known to exist in Microsoft Windows Messenger and MSN Messenger. Please see MS05-009 for more details. For information regarding how this vulnerability affects Microsoft Internet Explorer, refer to MS05-025.

II. Impact

By introducing a malformed PNG image to a vulnerable application, a remote attacker could cause the application to crash or potentially execute arbitrary code with the privileges of the current user.

III. Solution

Apply a patch from the vendor


Patches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details.

Systems Affected

| Vendor | Status | Date Updated |
|---|---|---|
| Apple Computer Inc. | Vulnerable | 17-May-2005 |
| BSDI | Unknown | 23-Jul-2004 |
| Conectiva | Unknown | 23-Jul-2004 |
| Cray Inc. | Unknown | 23-Jul-2004 |
| Debian | Unknown | 23-Jul-2004 |
| EMC Corporation | Unknown | 23-Jul-2004 |
| Engarde | Unknown | 23-Jul-2004 |
| FreeBSD | Unknown | 23-Jul-2004 |
| Fujitsu | Unknown | 23-Jul-2004 |
| Gentoo | Vulnerable | 20-Aug-2004 |
| Hewlett-Packard Company | Unknown | 23-Jul-2004 |
| Hitachi | Unknown | 23-Jul-2004 |
| IBM | Unknown | 30-Jul-2004 |
| IBM-zSeries | Unknown | 23-Jul-2004 |
| IBM eServer | Unknown | 23-Jul-2004 |
| Immunix | Unknown | 23-Jul-2004 |
| Ingrian Networks | Unknown | 23-Jul-2004 |
| Juniper Networks | Not Vulnerable | 27-Jul-2004 |
| libpng.org | Vulnerable | 4-Aug-2004 |
| MandrakeSoft | Unknown | 23-Jul-2004 |
| Microsoft Corporation | Vulnerable | 14-Jun-2005 |
| MontaVista Software | Vulnerable | 4-Aug-2004 |
| NEC Corporation | Not Vulnerable | 2-Aug-2004 |
| NetBSD | Unknown | 23-Jul-2004 |
| Nokia | Unknown | 23-Jul-2004 |
| Novell | Unknown | 23-Jul-2004 |
| OpenPKG | Vulnerable | 20-Aug-2004 |
| Openwall GNU/*/Linux | Unknown | 23-Jul-2004 |
| Red Hat Inc. | Unknown | 27-Jul-2004 |
| SCO | Unknown | 23-Jul-2004 |
| Sequent | Unknown | 23-Jul-2004 |
| SGI | Unknown | 23-Jul-2004 |
| Slackware | Vulnerable | 20-Aug-2004 |
| Sony Corporation | Unknown | 23-Jul-2004 |
| Sun Microsystems Inc. | Unknown | 23-Jul-2004 |
| SuSE Inc. | Vulnerable | 27-Jul-2004 |
| Trustix Secure Linux | Vulnerable | 20-Aug-2004 |
| TurboLinux | Unknown | 23-Jul-2004 |
| Unisys | Unknown | 23-Jul-2004 |
| Wind River Systems Inc. | Unknown | 23-Jul-2004 |

References


http://scary.beasts.org/security/CESA-2004-001.txt
http://www.libpng.org/pub/png/
http://libpng.sourceforge.net/
http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html
http://www.microsoft.com/technet/security/Bulletin/MS05-009.mspx

Credit

Thanks to Chris Evans for reporting this vulnerability.

This document was written by Chad Dougherty and Damon Morda.

Other Information

Date Public: 08/04/2004
Date First Published: 08/04/2004 11:58:10 AM
Date Last Updated: 06/14/2005
CERT Advisory:
CVE Name: CAN-2004-0597
US-CERT Technical Alerts:
Metric: 20.11
Document Revision: 37

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2004 Carnegie Mellon University