
CERT Coordination Center

libpng chunk decompression integer overflow vulnerability

Vulnerability Note VU#523889

Original Release Date: 2012-02-23 | Last Revised: 2012-03-02

Overview

The libpng library contains an integer overflow vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The Portable Network Graphics (PNG) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format.

The libpng library contains an integer overflow in the png_decompress_chunk() function, which can result in a buffer overflow.
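The defect class named above, shown as an added illustration that is not libpng's code and does not reproduce the real png_decompress_chunk() logic: a chunk's output buffer is sized from a fixed prefix length plus a decompressed length derived from the file, and if that sum is computed in a 32-bit type it can wrap to a small value, so the allocation is undersized and the copy that follows overruns it. The hardened sizing rejects any sum that would wrap and also enforces an application-chosen cap. The names unchecked_total, checked_total, assemble_chunk and the sample inputs are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unsafe sizing (illustrative, not libpng's code): the sum is done in a
 * 32-bit type, so a large expanded_size wraps modulo 2^32 and the caller
 * allocates far less than it is about to write. */
uint32_t unchecked_total(uint32_t prefix_size, uint32_t expanded_size)
{
    return prefix_size + expanded_size + 1;   /* +1 for the NUL terminator */
}

/* Hardened sizing: refuse any sum that would wrap, and refuse anything
 * above a cap the application chooses. Returns 0 on success, -1 on
 * rejection; *total is only written on success. */
int checked_total(uint32_t prefix_size, uint32_t expanded_size,
                  uint32_t limit, uint32_t *total)
{
    /* prefix_size + expanded_size + 1 <= UINT32_MAX  <=>
     * expanded_size <= UINT32_MAX - 1 - prefix_size (prefix_size is small
     * and trusted here; a full check would also bound it). */
    if (expanded_size > UINT32_MAX - 1u - prefix_size)
        return -1;
    uint32_t t = prefix_size + expanded_size + 1u;
    if (t > limit)
        return -1;
    *total = t;
    return 0;
}

/* Assemble prefix || expanded into one NUL-terminated heap buffer using the
 * checked size. Returns NULL (and touches no input bytes) on rejection. */
char *assemble_chunk(const char *prefix, uint32_t prefix_size,
                     const char *expanded, uint32_t expanded_size,
                     uint32_t limit, uint32_t *out_len)
{
    uint32_t total;
    if (checked_total(prefix_size, expanded_size, limit, &total) != 0)
        return NULL;
    char *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, prefix, prefix_size);
    memcpy(buf + prefix_size, expanded, expanded_size);
    buf[prefix_size + expanded_size] = '\0';
    *out_len = total - 1u;
    return buf;
}

int main(void)
{
    /* Constructed inputs: a 10-byte prefix and a decompressed length close
     * to 2^32, the shape of input that makes the unchecked sum wrap. */
    uint32_t prefix_size = 10u, huge = 0xFFFFFFF8u, cap = 1u << 20;
    uint32_t total;

    printf("unchecked size for %u + %u + 1 = %u (wrapped)\n",
           prefix_size, huge, unchecked_total(prefix_size, huge));
    printf("checked size: %s\n",
           checked_total(prefix_size, huge, cap, &total) == 0 ? "ok" : "rejected");

    /* A benign chunk goes through the same path and is assembled normally. */
    uint32_t len;
    char *buf = assemble_chunk("key", 3u, "data", 4u, cap, &len);
    if (buf != NULL) {
        printf("assembled %u bytes: %s\n", len, buf);
        free(buf);
    }
    return 0;
}
```

The check must happen before any allocation or copy; the unchecked variant is kept only to show the wrapped value that an undersized allocation would be built from.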

Impact

By causing libpng to process a specially-crafted PNG file (e.g. by visiting a web page, viewing an email, or opening a document), a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the application that uses libpng.

Solution

Apply an update
This issue has been addressed in libpng versions 1.0.57, 1.2.47, 1.4.9, and 1.5.9. Please check with your software vendor for updates that utilize a fixed version of libpng.

Vendor Information


Apple Inc.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Apple Mac OS X (e.g. Safari, Mail) uses libpng.


Debian GNU/Linux

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://security-tracker.debian.org/tracker/CVE-2011-3026

Fedora Project

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3026

Gentoo Linux

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://bugs.gentoo.org/show_bug.cgi?id=CVE-2011-3026

Google

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html

Novell, Inc.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.novell.com/security/cve/CVE-2011-3026.html

Red Hat, Inc.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3026 https://rhn.redhat.com/errata/RHSA-2012-0317.html

SUSE Linux

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.novell.com/security/cve/CVE-2011-3026.html

Slackware Linux Inc.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3026.html

Juniper Networks, Inc.

Notified:  February 23, 2012 Updated:  March 02, 2012

Statement Date:   March 01, 2012

Status

  Not Affected

Vendor Statement

Juniper Networks products are not susceptible to this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  February 23, 2012 Updated:  March 01, 2012

Statement Date:   February 29, 2012

Status

  Not Affected

Vendor Statement

Openwall GNU/*/Linux is not affected. We do not ship libpng.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Oracle Corporation

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX Software Systems Inc.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  February 23, 2012 Updated:  February 23, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.



CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Jüri Aedla for reporting this vulnerability to the Google Chrome team.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2011-3026
Severity Metric: 24.75
Date Public: 2012-02-15
Date First Published: 2012-02-23
Date Last Updated: 2012-03-02 22:24 UTC
Document Revision: 6

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.