Overview
Libpng stalls and consumes large quantities of memory while processing certain Portable Network Graphics (PNG) files.
Description
When processing PNG files containing highly compressed ancillary chunks (the text and colour-profile chunks zTXt, iTXt and iCCP carry zlib streams), the png_decompress_chunk() function in libpng can consume large amounts of CPU time and memory, because a chunk of a few kilobytes may inflate to a buffer of many megabytes. This resource consumption may hang applications that use libpng. More information is available in the PNG Development Group security advisory and the supplementary document, Defending Libpng Applications Against Decompression Bombs.
Impact
This vulnerability could allow an unauthenticated, remote attacker to cause a denial of service by supplying a crafted PNG file to an application that uses libpng.
Solution
Upgrade
The PNG Development Group has released versions 1.4.1, 1.2.43, and 1.0.53, which provide more efficient decompression of ancillary chunks. This update decreases the resource consumption associated with chunk decompression, but it may not provide a complete defense unless coupled with appropriate memory limits.
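A bounded-inflation check of the kind the description and solution above call for, written here as an added example in Python; it is not libpng's code and not the PNG Development Group's. It parses the chunk stream itself, inflates the zTXt, iCCP and compressed iTXt payloads under a per-chunk cap, and rejects a chunk that would exceed it. The cap value MAX_INFLATED_BYTES, the helper names, and the two sample files (a benign PNG and a constructed bomb that inflates roughly 1000:1) are all assumptions of this example.

```python
"""Bounded inflation of compressed PNG ancillary chunks (added example).

Not libpng code. Walks a PNG's chunk stream and, for the ancillary chunk
types that carry zlib streams (zTXt, iCCP, and iTXt with its compression
flag set), inflates each one under a hard output cap, which is the memory
limit an application needs around this kind of chunk handling. A chunk
that would inflate past the cap is rejected before its output is
materialised. The sample PNGs at the bottom are constructed here.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Per-chunk inflated-size budget: an assumed policy value, not a libpng default.
MAX_INFLATED_BYTES = 1 << 20


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk up to IEND, checking signature and CRCs."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, data
        pos = end
        if ctype == b"IEND":
            break


def compressed_payload(ctype: bytes, data: bytes):
    """Return the zlib stream inside a compressed ancillary chunk, else None.

    PNG layouts: zTXt/iCCP = name NUL method stream;
    iTXt = keyword NUL flag method language NUL translated-keyword NUL text.
    """
    if ctype in (b"zTXt", b"iCCP"):
        nul = data.index(b"\x00")
        return data[nul + 2:]
    if ctype == b"iTXt":
        nul = data.index(b"\x00")
        if data[nul + 1] != 1:                   # compression flag clear: plain text
            return None
        rest = data[nul + 3:]
        rest = rest[rest.index(b"\x00") + 1:]    # skip language tag
        return rest[rest.index(b"\x00") + 1:]    # skip translated keyword
    return None


def inflate_bounded(stream: bytes, limit: int) -> bytes:
    """Inflate `stream`, failing as soon as the output would exceed `limit` bytes.

    Output is pulled in 64 KiB pieces, so a bomb is caught after at most
    limit + 64 KiB of output no matter how small its compressed input is.
    """
    d = zlib.decompressobj()
    out = bytearray()
    buf = stream
    while True:
        piece = d.decompress(buf, 65536)
        out += piece
        if len(out) > limit:
            raise ValueError("decompression bomb: inflated size exceeds %d bytes" % limit)
        if d.eof:
            return bytes(out)
        buf = d.unconsumed_tail       # empty once zlib has swallowed all input
        if not piece and not buf:     # no progress and nothing left: truncated stream
            raise ValueError("truncated zlib stream")


def check_png(png: bytes, limit: int = MAX_INFLATED_BYTES):
    """Return [(chunk type, inflated length)] for each compressed ancillary chunk,
    raising ValueError on the first one that would exceed `limit`."""
    seen = []
    for ctype, data in iter_chunks(png):
        stream = compressed_payload(ctype, data)
        if stream is not None:
            seen.append((ctype.decode("ascii"), len(inflate_bounded(stream, limit))))
    return seen


def build_png(ancillary) -> bytes:
    """Constructed sample: 1x1 8-bit greyscale PNG with `ancillary` chunks after IHDR."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")            # filter byte + one pixel
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, data in ancillary:
        out += _chunk(ctype, data)
    return out + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def ztxt(keyword: bytes, text: bytes) -> bytes:
    """Body of a zTXt chunk: keyword, NUL, method 0, zlib stream."""
    return keyword + b"\x00\x00" + zlib.compress(text, 9)


def itxt(keyword: bytes, text: bytes) -> bytes:
    """Body of a compressed iTXt chunk with empty language and translated keyword."""
    return keyword + b"\x00\x01\x00" + b"\x00" + b"\x00" + zlib.compress(text, 9)


BENIGN_PNG = build_png([(b"zTXt", ztxt(b"Comment", b"hello png")),
                        (b"iTXt", itxt(b"Title", b"hi"))])
# 16 MiB of zeros deflates to roughly 16 KiB: a ~1000:1 bomb in an ancillary chunk.
BOMB_PNG = build_png([(b"zTXt", ztxt(b"Comment", b"\x00" * (16 << 20)))])

if __name__ == "__main__":
    print("benign:", check_png(BENIGN_PNG))
    try:
        check_png(BOMB_PNG)
    except ValueError as e:
        print("bomb rejected:", e)
```

Run the module directly to see the benign file accepted and the bomb rejected. The cap is the point: the fixed releases make inflation cheaper, but only an explicit size budget bounds what an attacker-controlled chunk can make the process allocate. libpng 1.4.1 and later expose such a budget inside the library as png_set_chunk_malloc_max(); an application linking the fixed library should set it to a value appropriate for its own memory constraints rather than rely on the default.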
Vendor Information
Internet Initiative Japan, Inc.
Notified: February 16, 2010 Updated: March 02, 2010
Statement Date: February 25, 2010
Status
Not Vulnerable
Vendor Statement
Internet Initiative Japan, Inc. has indicated that it is not affected by this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apple Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Conectiva Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Cray Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Debian GNU/Linux
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
DragonFly BSD Project
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
EMC Corporation
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Engarde Secure Linux
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
F5 Networks, Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fedora Project
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
FreeBSD Project
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fujitsu
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Gentoo Linux
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hewlett-Packard Company
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hitachi
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM Corporation
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM Corporation (zseries)
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM eServer
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Infoblox
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Juniper Networks, Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Mandriva S. A.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Microsoft Corporation
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
MontaVista Software, Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NEC Corporation
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NetBSD
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nokia
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Novell, Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
OpenBSD
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Openwall GNU/*/Linux
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
QNX Software Systems Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Red Hat, Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
SUSE Linux
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
SafeNet
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Silicon Graphics, Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Slackware Linux Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sony Corporation
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sun Microsystems, Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
The SCO Group
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Turbolinux
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ubuntu
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Unisys
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Wind River Systems, Inc.
Notified: February 16, 2010 Updated: February 16, 2010
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
References
Credit
This issue was reported by the PNG Development Group.
This document was written by David Warren.
Other Information
Field | Value
---|---
CVE IDs | CVE-2010-0205
Severity Metric | 0.85
Date Public | 2010-03-01
Date First Published | 2010-03-02
Date Last Updated | 2010-03-02 14:58 UTC
Document Revision | 16