The Portable Network Graphics library (libpng) contains a flaw that could introduce a remotely exploitable vulnerability.
The Portable Network Graphics (PNG) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format.
A potentially insufficient bounds check error exists within the png_handle_sBIT() function. A similar error exists in the png_handle_hIST() function. While the code that contains these errors could potentially permit a buffer overflow to occur during a subsequent png_crc_read() operation, it is unclear what practical vulnerabilities they might present in applications using libpng.
The complete impact of this vulnerability is not yet known.
Apply a patch from the vendor
Microsoft Corporation Affected
Trustix Secure Linux Affected
Juniper Networks Not Affected
NEC Corporation Not Affected
Apple Computer Inc. Unknown
Cray Inc. Unknown
Hewlett-Packard Company Unknown
IBM eServer Unknown
Ingrian Networks Unknown
MontaVista Software Unknown
Openwall GNU/*/Linux Unknown
Red Hat Inc. Unknown
Sony Corporation Unknown
SuSE Inc. Unknown
Sun Microsystems Inc. Unknown
Wind River Systems Inc. Unknown
eMC Corporation Unknown
Thanks to Chris Evans for reporting this vulnerability.
This document was written by Chad Dougherty and Damon Morda.
|Date First Published:||2004-08-04|
|Date Last Updated:||2005-06-14 20:57 UTC|