Vulnerability Note VU#643140
Libpng 1.5.0 png_set_rgb_to_gray() vulnerability
Overview
Libpng-1.5.0 introduced a vulnerability in the rgb-to-gray transform function.
Description
Libpng-based applications that call the png_set_rgb_to_gray() function from pngrtran.c are vulnerable. Libpng versions prior to 1.5.0 are not vulnerable.
Impact
An attacker may cause the application to crash or execute arbitrary code as the user.
Solution
Apply an Update
Upgrade to version 1.5.1.
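A triage sketch for the two conditions in the Description, added here as an example and not part of the original note or of libpng: it reports a source tree as exposed only when a bundled png.h declares version 1.5.0 and some application file calls png_set_rgb_to_gray(). It assumes libpng is vendored in the tree (a dynamically linked system libpng is not covered); the `third_party/` layout, `app.c` and the helper names are hypothetical, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Version-string macro that libpng defines in png.h.
VER_RE = re.compile(r'#\s*define\s+PNG_LIBPNG_VER_STRING\s+"([^"]+)"')
# A call site of the function named in this note.
CALL_RE = re.compile(r"\bpng_set_rgb_to_gray\s*\(")
AFFECTED = "1.5.0"  # per this note: introduced in 1.5.0, fixed in 1.5.1


def triage(root):
    """Return ({png.h path: version}, [files that call the function])."""
    versions, callers = {}, []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in {".c", ".cc", ".cpp", ".h"}:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if path.name == "png.h":
            match = VER_RE.search(text)
            if match:
                versions[rel] = match.group(1)
        elif path.name != "pngrtran.c" and CALL_RE.search(text):
            # png.h declares and pngrtran.c defines the function; neither is a caller.
            callers.append(rel)
    return versions, callers


def is_exposed(root):
    """True only when both conditions from the Description hold."""
    versions, callers = triage(root)
    return AFFECTED in versions.values() and bool(callers)


def build_sample_tree(version, call):
    """Constructed sample input: a bundled png.h plus one application file."""
    root = Path(tempfile.mkdtemp())
    (root / "third_party").mkdir()
    (root / "third_party" / "png.h").write_text(
        f'#define PNG_LIBPNG_VER_STRING "{version}"\n')
    body = "png_set_rgb_to_gray(png_ptr, 1, -1, -1);" if call else "/* none */"
    (root / "app.c").write_text(f"void load(void) {{ {body} }}\n")
    return root


if __name__ == "__main__":
    print(is_exposed(build_sample_tree("1.5.0", True)))
```

The call-site match is textual, so a mention of the function inside a comment is also reported and should be reviewed by hand.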
Vendor Information
No information available. If you are a vendor and your product is affected, let us know.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://sourceforge.net/mailarchive/forum.php?thread_name=002b01cbb0e2%24ae636c80%240b2a4580%24%40acm.org&forum_name=png-mng-implement
- http://libpng.sourceforge.net/
- ftp://ftp.simplesystems.org/pub/png-group/src/libpng-1.5.1beta01-1.5.0-diff.txt
- ftp://ftp.simplesystems.org/pub/png-group/src/libpng-1.5.1beta01-README.txt
Credit
Thanks to Glenn Randers-Pehrson for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
- CVE IDs: CVE-2011-0408
- Date Public: 08 Jan 2011
- Date First Published: 11 Jan 2011
- Date Last Updated: 03 Feb 2011
- Document Revision: 18