Vulnerability Note VU#643140

Libpng 1.5.0 png_set_rgb_to_gray() vulnerability

Original Release date: 11 Jan 2011 | Last revised: 03 Feb 2011

Overview

Libpng-1.5.0 introduced a vulnerability in the rgb-to-gray transform function.

Description

Libpng-based applications that call the png_set_rgb_to_gray() function from pngrtran.c are vulnerable. Libpng versions prior to 1.5.0 are not vulnerable.

Impact

An attacker may cause the application to crash or execute arbitrary code as the user.

Solution

Apply an Update

Upgrade to version 1.5.1.
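
One way to triage a source tree against this note, as an added example that is not part of the original advisory: it reports bundled copies of png.h whose PNG_LIBPNG_VER_STRING is 1.5.0 together with application call sites of png_set_rgb_to_gray(). The directory layout, the file names and the `triage` and `make_sample_tree` helpers are assumptions, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

AFFECTED = "1.5.0"  # the release the note lists as vulnerable; 1.5.1 is the fix
VER_RE = re.compile(r'^\s*#\s*define\s+PNG_LIBPNG_VER_STRING\s+"([^"]+)"', re.M)
CALL_RE = re.compile(r"\bpng_set_rgb_to_gray\s*\(")
LIB_FILES = {"png.h", "pngrtran.c"}  # libpng's own files, not application callers


def triage(root):
    """Return (bundled libpng versions, call sites, exposed?) for a source tree."""
    versions, calls = {}, []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in {".c", ".h", ".cc", ".cpp"}:
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if path.name == "png.h":
            m = VER_RE.search(text)
            if m:
                versions[rel] = m.group(1)
        if path.name not in LIB_FILES:
            for no, line in enumerate(text.splitlines(), 1):
                if CALL_RE.search(line):
                    calls.append((rel, no))
    # Exposed only when both conditions from the note hold at once.
    exposed = bool(calls) and AFFECTED in versions.values()
    return versions, calls, exposed


def make_sample_tree(root, version):
    """Constructed sample input: a bundled png.h plus one application caller."""
    root = Path(root)
    (root / "third_party/libpng").mkdir(parents=True)
    (root / "src").mkdir()
    (root / "third_party/libpng/png.h").write_text(
        f'#define PNG_LIBPNG_VER_STRING "{version}"\n')
    (root / "src/thumb.c").write_text(
        "#include <png.h>\n"
        "void to_gray(png_structp p) {\n"
        "    png_set_rgb_to_gray(p, 1, -1, -1);\n"
        "}\n")


if __name__ == "__main__":
    for version in ("1.4.5", "1.5.0", "1.5.1"):
        with tempfile.TemporaryDirectory() as tmp:
            make_sample_tree(tmp, version)
            print(version, triage(tmp))
```

The scan only sees libpng copies vendored as source; a system or dynamically linked libpng has to be checked through the package manager or the version the library reports at run time.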

Vendor Information

No information available.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to Glenn Randers-Pehrson for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2011-0408
  • Date Public: 08 Jan 2011
  • Date First Published: 11 Jan 2011
  • Date Last Updated: 03 Feb 2011
  • Document Revision: 18
