US-CERT Vulnerability Notes Database
Vulnerability Note VU#576029

libpng stalls on highly compressed ancillary chunks

Overview

Libpng stalls and consumes large quantities of memory while processing certain Portable Network Graphics (PNG) files.

I. Description

When processing PNG files containing highly compressed ancillary chunks, the png_decompress_chunk() function in libpng can consume large amounts of CPU time and memory. This resource consumption may hang applications that use libpng. More information is available in the PNG Development Group security advisory and supplementary document, Defending Libpng Applications Against Decompression Bombs.

II. Impact

This vulnerability could allow an unauthenticated, remote attacker to cause a denial of service.

III. Solution

Upgrade

The PNG Development Group has released versions 1.4.1, 1.2.43, and 1.0.53, which provide more efficient decompression of ancillary chunks. This update decreases resource consumption associated with chunk decompression, but may not provide a complete defense unless coupled with appropriate memory limits.

Set limits on memory usage and number of cached ancillary chunks

Libpng provides functions to limit memory consumption and the number of cached ancillary chunks. Applications that use libpng should call these functions to set appropriate limits. Please see defense #2 in the document Defending Libpng Applications Against Decompression Bombs for more information.

Disable Ancillary Chunk Decoding

Developers who build their own versions of libpng can choose to ignore ancillary chunks by defining specific preprocessor macros at build time. Please see defense #3 in the document Defending Libpng Applications Against Decompression Bombs for more information.
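The two application-side defenses described above (a cap on the number of ancillary chunks accepted and a cap on how far a compressed ancillary chunk may inflate) can also be enforced before a file is ever handed to libpng. The Python below is an added example written for this note, not code from libpng or the PNG Development Group: it walks the chunk stream, inflates zTXt, iCCP and iTXt payloads only up to a hard output ceiling (zlib's max_length argument), counts ancillary chunks, and builds its own constructed sample PNGs to run against. The caps (1 MiB of inflated data, 32 ancillary chunks) and the helper names are assumptions; chunk layouts follow the PNG specification.

```python
"""Pre-flight scan of a PNG byte string for oversized compressed ancillary chunks.

Added example, not libpng code. Applies two application-side limits before
libpng sees the file: a cap on the number of ancillary chunks, and a cap on
how many bytes a compressed ancillary chunk (zTXt, iCCP, iTXt) may inflate to.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, payload):
    """Build one PNG chunk: length, type, payload, CRC32 over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, payload) for each chunk, checking framing and CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):          # 12 bytes = smallest (empty) chunk
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC on chunk %r" % ctype)
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND")


def is_ancillary(ctype):
    """Bit 5 of the first type byte (lowercase letter) marks an ancillary chunk."""
    return bool(ctype[0] & 0x20)


def zlib_part(ctype, payload):
    """Return the zlib stream inside a compressed ancillary chunk, else None."""
    nul = payload.find(b"\0")            # end of keyword / profile name
    if nul < 0:
        return None                       # malformed; libpng will reject it anyway
    if ctype in (b"zTXt", b"iCCP"):
        return payload[nul + 2:]          # skip NUL and the compression-method byte
    if ctype == b"iTXt" and len(payload) > nul + 2 and payload[nul + 1] == 1:
        rest = payload[nul + 3:]          # after compression flag and method bytes
        lang = rest.find(b"\0")           # language tag, then translated keyword
        tk = rest.find(b"\0", lang + 1) if lang >= 0 else -1
        return None if tk < 0 else rest[tk + 1:]
    return None                           # tEXt and everything else: not compressed


def inflated_size(stream, cap):
    """Inflate with a hard output ceiling; returns at most cap + 1 bytes' worth."""
    return len(zlib.decompressobj().decompress(stream, cap + 1))


def scan_png(data, max_inflated=1 << 20, max_ancillary=32):
    """Return a list of findings; an empty list means the file is within limits."""
    findings, ancillary = [], 0
    for ctype, payload in iter_chunks(data):
        if not is_ancillary(ctype):
            continue
        ancillary += 1
        if ancillary > max_ancillary:
            findings.append("more than %d ancillary chunks" % max_ancillary)
            break
        stream = zlib_part(ctype, payload)
        if stream is None:
            continue
        try:
            size = inflated_size(stream, max_inflated)
        except zlib.error as exc:
            findings.append("%s: corrupt zlib stream (%s)" % (ctype.decode(), exc))
            continue
        if size > max_inflated:
            findings.append("%s: %d compressed bytes inflate past %d-byte cap"
                            % (ctype.decode(), len(payload), max_inflated))
    return findings


def sample_png(extra_chunks):
    """Constructed 1x1 8-bit grayscale PNG carrying the given ancillary chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")     # filter byte + one gray pixel
    body = make_chunk(b"IHDR", ihdr)
    for ctype, payload in extra_chunks:
        body += make_chunk(ctype, payload)
    return PNG_SIGNATURE + body + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")


def ztxt(keyword, text):
    """zTXt payload: keyword, NUL, method 0, zlib-compressed text."""
    return keyword + b"\0\0" + zlib.compress(text)


# Constructed test inputs (not real-world files).
BENIGN = sample_png([(b"zTXt", ztxt(b"Comment", b"hello"))])
OVERSIZED = sample_png([(b"zTXt", ztxt(b"Comment", b"\0" * (8 << 20)))])  # 8 MiB of zeros
TOO_MANY = sample_png([(b"tEXt", b"k\0v")] * 40)

if __name__ == "__main__":
    for name, png in (("benign", BENIGN), ("oversized", OVERSIZED), ("too_many", TOO_MANY)):
        print(name, scan_png(png) or "ok")
```

The ceiling matters more than the check itself: inflated_size never materializes more than cap + 1 bytes, so the scanner cannot be stalled by the very input it is screening. libpng 1.4.1 exposes the corresponding in-library limits through png_set_chunk_cache_max() and png_set_chunk_malloc_max() (real libpng calls, not shown on this page); an application that calls those still benefits from a cheap pre-check like this one at the trust boundary where files arrive.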

Systems Affected

Vendor                           Status          Date Notified   Date Updated
Apple Inc.                       Unknown         2010-02-16      2010-02-16
Conectiva Inc.                   Unknown         2010-02-16      2010-02-16
Cray Inc.                        Unknown         2010-02-16      2010-02-16
Debian GNU/Linux                 Unknown         2010-02-16      2010-02-16
DragonFly BSD Project            Unknown         2010-02-16      2010-02-16
EMC Corporation                  Unknown         2010-02-16      2010-02-16
Engarde Secure Linux             Unknown         2010-02-16      2010-02-16
F5 Networks, Inc.                Unknown         2010-02-16      2010-02-16
Fedora Project                   Unknown         2010-02-16      2010-02-16
FreeBSD Project                  Unknown         2010-02-16      2010-02-16
Fujitsu                          Unknown         2010-02-16      2010-02-16
Gentoo Linux                     Unknown         2010-02-16      2010-02-16
Hewlett-Packard Company          Unknown         2010-02-16      2010-02-16
Hitachi                          Unknown         2010-02-16      2010-02-16
IBM Corporation                  Unknown         2010-02-16      2010-02-16
IBM Corporation (zseries)        Unknown         2010-02-16      2010-02-16
IBM eServer                      Unknown         2010-02-16      2010-02-16
Infoblox                         Unknown         2010-02-16      2010-02-16
Internet Initiative Japan, Inc.  Not Vulnerable  2010-02-16      2010-03-02
Juniper Networks, Inc.           Unknown         2010-02-16      2010-02-16
Mandriva S. A.                   Unknown         2010-02-16      2010-02-16
Microsoft Corporation            Unknown         2010-02-16      2010-02-16
MontaVista Software, Inc.        Unknown         2010-02-16      2010-02-16
NEC Corporation                  Unknown         2010-02-16      2010-02-16
NetBSD                           Unknown         2010-02-16      2010-02-16
Nokia                            Unknown         2010-02-16      2010-02-16
Novell, Inc.                     Unknown         2010-02-16      2010-02-16
OpenBSD                          Unknown         2010-02-16      2010-02-16
Openwall GNU/*/Linux             Unknown         2010-02-16      2010-02-16
QNX Software Systems Inc.        Unknown         2010-02-16      2010-02-16
Red Hat, Inc.                    Unknown         2010-02-16      2010-02-16
SafeNet                          Unknown         2010-02-16      2010-02-16
Silicon Graphics, Inc.           Unknown         2010-02-16      2010-02-16
Slackware Linux Inc.             Unknown         2010-02-16      2010-02-16
Sony Corporation                 Unknown         2010-02-16      2010-02-16
Sun Microsystems, Inc.           Unknown         2010-02-16      2010-02-16
SUSE Linux                       Unknown         2010-02-16      2010-02-16
The SCO Group                    Unknown         2010-02-16      2010-02-16
Turbolinux                       Unknown         2010-02-16      2010-02-16
Ubuntu                           Unknown         2010-02-16      2010-02-16
Unisys                           Unknown         2010-02-16      2010-02-16
Wind River Systems, Inc.         Unknown         2010-02-16      2010-02-16

References

http://libpng.sourceforge.net/ADVISORY-1.4.1.html
http://libpng.sourceforge.net/decompression_bombs.html

Credit

This issue was reported by the PNG Development Group.

This document was written by David Warren.

Other Information

Date Public: 2010-03-01
Date First Published: 2010-03-02
Date Last Updated: 2010-03-02
CERT Advisory:
CVE-ID(s): CVE-2010-0205
NVD-ID(s): CVE-2010-0205
US-CERT Technical Alerts:
Metric: 0.85
Document Revision: 16

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Produced 2010 by US-CERT, a government organization