Vulnerability Note VU#684664

libpng denial of service vulnerability

Overview

The libpng library contains a denial-of-service vulnerability.

I. Description

The libpng library can be used to allow other applications to render PNG images.

The libpng library contains a denial-of-service vulnerability.

From the Libpng-1.2.16-ADVISORY:

This vulnerability could be used to crash a browser when a user tries to view such a malformed PNG file. It is not known whether the vulnerability could be exploited otherwise.

The reason is that png_ptr->num_trans is set to 1 and then there is an error return after checking the CRC, so the trans[ ] array is never allocated. Since png_ptr->num_trans is nonzero, libpng tries to use the array later.

An attacker may be able to exploit this vulnerability by convincing a user to open a specially crafted PNG image. The malicious image may be hosted on a website, or sent as an email attachment.

II. Impact

A remote, unauthenticated attacker may be able to create a denial-of-service condition.

III. Solution

Upgrade

The libpng team has released a patch for libpng 1.0.25 and 1.2.17 to address this vulnerability. Administrators are encouraged to upgrade as soon as possible. Administrators who receive the libpng library from their operating system vendor should see the systems affected portion of this document for a list of affected vendors.

Systems Affected

Vendor	Status	Date Updated
Apple Computer, Inc.	Unknown	8-May-2007
Conectiva Inc.	Unknown	8-May-2007
Cray Inc.	Unknown	8-May-2007
Debian GNU/Linux	Vulnerable	8-Jun-2007
EMC, Inc. (formerly Data General Corporation)	Unknown	8-May-2007
Engarde Secure Linux	Unknown	8-May-2007
F5 Networks, Inc.	Unknown	8-May-2007
Fedora Project	Unknown	8-May-2007
FreeBSD, Inc.	Unknown	8-May-2007
Fujitsu	Unknown	8-May-2007
Gentoo Linux	Vulnerable	8-Jun-2007
Hewlett-Packard Company	Unknown	8-May-2007
Hitachi	Unknown	8-May-2007
IBM Corporation	Unknown	8-May-2007
IBM Corporation (zseries)	Unknown	8-May-2007
IBM eServer	Unknown	23-May-2007
Immunix Communications, Inc.	Unknown	8-May-2007
Ingrian Networks, Inc.	Unknown	8-May-2007
Juniper Networks, Inc.	Unknown	8-May-2007
libpng	Vulnerable	16-May-2007
Mandriva, Inc.	Vulnerable	8-Jun-2007
Microsoft Corporation	Unknown	8-May-2007
MontaVista Software, Inc.	Unknown	8-May-2007
Mozilla	Unknown	8-May-2007
NEC Corporation	Unknown	8-May-2007
NetBSD	Unknown	8-May-2007
Nokia	Unknown	8-May-2007
Novell, Inc.	Unknown	8-May-2007
OpenBSD	Unknown	8-May-2007
Openwall GNU/*/Linux	Unknown	8-May-2007
QNX, Software Systems, Inc.	Unknown	8-May-2007
Red Hat, Inc.	Vulnerable	18-May-2007
Silicon Graphics, Inc.	Unknown	8-May-2007
Slackware Linux Inc.	Unknown	8-May-2007
Sony Corporation	Unknown	8-May-2007
Sun Microsystems, Inc.	Vulnerable	22-Aug-2007
SUSE Linux	Vulnerable	13-Jul-2007
The SCO Group	Unknown	8-May-2007
Trustix Secure Linux	Unknown	8-May-2007
Turbolinux	Unknown	8-May-2007
Ubuntu	Vulnerable	13-Jun-2007
Unisys	Unknown	8-May-2007
Wind River Systems, Inc.	Unknown	8-May-2007

References

http://sourceforge.net/project/showfiles.php?group_id=5624
http://www.mirrorservice.org/sites/download.sourceforge.net/pub/sourceforge/l/li/libpng/libpng-1.2.17-ADVISORY.txt
http://secunia.com/advisories/25292/
http://secunia.com/advisories/25353/
http://secunia.com/advisories/25742/

Credit

Thanks to the libpng team for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public	05/16/2007
Date First Published	05/16/2007 01:46:37 PM
Date Last Updated	08/22/2007
CERT Advisory
CVE Name	CVE-2007-2445
US-CERT Technical Alerts
Metric	3.86
Document Revision	21

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2007 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader