Vulnerability Note VU#576029

libpng stalls on highly compressed ancillary chunks

Original Release date: 02 Mar 2010 | Last revised: 02 Mar 2010

Overview

Libpng stalls and consumes large quantities of memory while processing certain Portable Network Graphics (PNG) files.

Description

When processing PNG files containing highly compressed ancillary chunks, the png_decompress_chunk() function in libpng can consume large amounts of CPU time and memory. This resource consumption may hang applications that use libpng. More information is available in the PNG Development Group security advisory and supplementary document, Defending Libpng Applications Against Decompression Bombs.

Impact

This vulnerability could allow an unauthenticated, remote attacker to cause a denial of service.

Solution

Upgrade

The PNG Development Group has released versions 1.4.1, 1.2.43, and 1.0.53, which provide more efficient decompression of ancillary chunks. This update decreases resource consumption associated with chunk decompression, but may not provide a complete defense unless coupled with appropriate memory limits.

Set limits on memory usage and number of cached ancillary chunks

Libpng provides functions to limit memory consumption and number of cached ancillary chunks. Applications that use libpng should use these functions to set appropriate limits. Please see defense #2 in the document Defending Libpng Applications Against Decompression Bombs for more information.


Disable Ancillary Chunk Decoding
Developers who build versions of libpng can choose to ignore ancillary chunks by defining specific preprocessor macros. Please see defense #3 in the document Defending Libpng Applications Against Decompression Bombs for more information.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Internet Initiative Japan, Inc.Not Affected16 Feb 201002 Mar 2010
Apple Inc.Unknown16 Feb 201016 Feb 2010
Conectiva Inc.Unknown16 Feb 201016 Feb 2010
Cray Inc.Unknown16 Feb 201016 Feb 2010
Debian GNU/LinuxUnknown16 Feb 201016 Feb 2010
DragonFly BSD ProjectUnknown16 Feb 201016 Feb 2010
EMC CorporationUnknown16 Feb 201016 Feb 2010
Engarde Secure LinuxUnknown16 Feb 201016 Feb 2010
F5 Networks, Inc.Unknown16 Feb 201016 Feb 2010
Fedora ProjectUnknown16 Feb 201016 Feb 2010
FreeBSD ProjectUnknown16 Feb 201016 Feb 2010
FujitsuUnknown16 Feb 201016 Feb 2010
Gentoo LinuxUnknown16 Feb 201016 Feb 2010
Hewlett-Packard CompanyUnknown16 Feb 201016 Feb 2010
HitachiUnknown16 Feb 201016 Feb 2010
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This issue was reported by the PNG Development Group.

This document was written by David Warren.

Other Information

  • CVE IDs: CVE-2010-0205
  • Date Public: 01 Mar 2010
  • Date First Published: 02 Mar 2010
  • Date Last Updated: 02 Mar 2010
  • Severity Metric: 0.85
  • Document Revision: 16

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.