search menu icon-carat-right cmu-wordmark

CERT Coordination Center

libpng stalls on highly compressed ancillary chunks

Vulnerability Note VU#576029

Original Release Date: 2010-03-02 | Last Revised: 2010-03-02

Overview

Libpng stalls and consumes large quantities of memory while processing certain Portable Network Graphics (PNG) files.

Description

When processing PNG files containing highly compressed ancillary chunks, the png_decompress_chunk() function in libpng can consume large amounts of CPU time and memory. This resource consumption may hang applications that use libpng. More information is available in the PNG Development Group security advisory and supplementary document, Defending Libpng Applications Against Decompression Bombs.

Impact

This vulnerability could allow an unauthenticated, remote attacker to cause a denial of service.

Solution

Upgrade

The PNG Development Group has released versions 1.4.1, 1.2.43, and 1.0.53, which provide more efficient decompression of ancillary chunks. This update decreases resource consumption associated with chunk decompression, but may not provide a complete defense unless coupled with appropriate memory limits.

Set limits on memory usage and number of cached ancillary chunks

Libpng provides functions to limit memory consumption and number of cached ancillary chunks. Applications that use libpng should use these functions to set appropriate limits. Please see defense #2 in the document Defending Libpng Applications Against Decompression Bombs for more information.


Disable Ancillary Chunk Decoding
Developers who build versions of libpng can choose to ignore ancillary chunks by defining specific preprocessor macros. Please see defense #3 in the document Defending Libpng Applications Against Decompression Bombs for more information.

Vendor Information

576029
 

Internet Initiative Japan, Inc. Not Affected

Notified:  February 16, 2010 Updated: March 02, 2010

Statement Date:   February 25, 2010

Status

Not Affected

Vendor Statement

Internet Initiative Japan, Inc. has indicated that it is not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX Software Systems Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified:  February 16, 2010 Updated: February 16, 2010

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 42 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This issue was reported by the PNG Development Group.

This document was written by David Warren.

Other Information

CVE IDs: CVE-2010-0205
Severity Metric: 0.85
Date Public: 2010-03-01
Date First Published: 2010-03-02
Date Last Updated: 2010-03-02 14:58 UTC
Document Revision: 17

Sponsored by CISA.