Notified: July 16, 2004
Updated: June 01, 2005

APPLE-SA-2004-09-09 Mac OS X 10.3.5

Mac OS X 10.3.5 is now available and delivers security enhancements
for the following components:

Component: libpng (Portable Network Graphics)
CVE-IDs: CAN-2002-1363, CAN-2004-0421, CAN-2004-0597,
Impact: Malicious png images can cause application crashes and could
execute arbitrary code
Description: A number of buffer overflows, null pointer dereferences
and integer overflows have been discovered in the reference library
for reading and writing PNG images. These vulnerabilities have been
corrected in libpng which is used by the CoreGraphics and AppKit
frameworks in Mac OS X. After installing this update, applications
that use the PNG image format via these frameworks will be protected
against these flaws.

Note: The libpng security fixes are also available separately for Mac
OS X 10.3.4 and Mac OS X 10.2.8 via Security Update 2004-08-09.

Mac OS X 10.3.5 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.