CERT Coordination Center


Libpng 1.5.0 png_set_rgb_to_gray() vulnerability

Vulnerability Note VU#643140

Original Release Date: 2011-01-11 | Last Revised: 2011-02-03

Overview

Libpng-1.5.0 introduced a vulnerability in the rgb-to-gray transform function.

Description

Libpng-based applications that call the png_set_rgb_to_gray() function from pngrtran.c are vulnerable. Libpng versions prior to 1.5.0 are not vulnerable.

Impact

An attacker may cause the application to crash or execute arbitrary code as the user.

Solution

Apply an Update

Upgrade to version 1.5.1.
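To find what needs the upgrade, the following added example (not part of the original note or of libpng) triages binaries on disk for an embedded libpng 1.5.0 copy or a reference to png_set_rgb_to_gray(). It assumes the library's "libpng version X.Y.Z" banner is present in the file; the verdict names and sample contents are constructed for illustration.

```python
import re
import sys

# Assumption: the library's version banner ("libpng version X.Y.Z ...") is
# present in the binary; a build that strips it needs a different check.
BANNER = re.compile(rb"libpng version (\d+\.\d+\.\d+[0-9A-Za-z]*)")
# NUL-delimited symbol-table entry: only the function the note names is matched.
SYMBOL = b"\x00png_set_rgb_to_gray\x00"
AFFECTED = "1.5.0"  # from the note: earlier versions are not vulnerable


def embedded_versions(blob):
    """Return every libpng version string found in the file contents."""
    return {m.group(1).decode("ascii") for m in BANNER.finditer(blob)}


def triage(blob):
    """Classify one binary: 'upgrade', 'check-runtime-libpng' or 'no-finding'."""
    versions = embedded_versions(blob)
    if AFFECTED in versions:
        # The file is libpng 1.5.0 itself or carries a static copy of it.
        return "upgrade"
    if not versions and SYMBOL in blob:
        # Caller of the transform; exposure depends on which libpng it loads.
        return "check-runtime-libpng"
    return "no-finding"


def scan(paths):
    """Triage each path, returning {path: verdict}; unreadable files are reported."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results[path] = triage(fh.read())
        except OSError as exc:
            results[path] = "unreadable: %s" % exc.strerror
    return results


# Constructed sample contents (not real binaries), used for a quick self-check.
SAMPLE_LIB = b"\x7fELF..\x00png_set_rgb_to_gray\x00.. libpng version 1.5.0 - constructed\n"
SAMPLE_APP = b"\x7fELF..\x00png_create_read_struct\x00png_set_rgb_to_gray\x00libpng15.so.15\x00"
SAMPLE_FIXED = b"\x7fELF..\x00png_set_rgb_to_gray\x00.. libpng version 1.5.1 - constructed\n"

if __name__ == "__main__":
    for path, verdict in scan(sys.argv[1:]).items():
        print("%-24s %s" % (verdict, path))
```

A "check-runtime-libpng" verdict means the file references the function but carries no banner of its own, so the libpng it loads at run time has to be checked separately.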

Vendor Information

No information available at this time.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

Credit

Thanks to Glenn Randers-Pehrson for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2011-0408
Date Public: 2011-01-08
Date First Published: 2011-01-11
Date Last Updated: 2011-02-03 19:23 UTC
Document Revision: 18

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.