Vulnerabilities > CVE-2002-0728 - Unspecified vulnerability in Greg Roelofs Libpng 1.0.14/1.2.4

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
greg-roelofs
nessus

Summary

Buffer overflow in the progressive reader for libpng 1.2.x before 1.2.4, and 1.0.x before 1.0.14, allows attackers to cause a denial of service (crash) via a PNG data stream that has more IDAT data than indicated by the IHDR chunk.

Vulnerable Configurations

Part Description Count
Application
Greg_Roelofs
2

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-140.NASL
    description: Developers of the PNG library have fixed a buffer overflow in the progressive reader when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. Such deliberately malformed datastreams would crash applications which could potentially allow an attacker to execute malicious code. Programs such as Galeon, Konqueror and various others make use of these libraries. In addition to that, the packages below fix another potential buffer overflow. The PNG libraries implement a safety margin which is also included in a newer upstream release. Thanks to Glenn Randers-Pehrson for informing us. To find out which packages depend on this library, you may want to execute the following commands: `apt-cache showpkg libpng2` and `apt-cache showpkg libpng3`
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14977
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14977
    title: Debian DSA-140-2 : libpng - buffer overflow
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-140. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: runs only when `description` is set. It declares the
    # plugin's metadata and leaves through exit(0) at the end of the block, so
    # none of the package checks further down execute in this mode.
    if (description)
    {
      script_id(14977);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      # Two CVE ids are attached to this single plugin, so a finding does not
      # say which of the two issues the installed package is exposed to.
      script_cve_id("CVE-2002-0660", "CVE-2002-0728");
      script_xref(name:"DSA", value:"140");
    
      script_name(english:"Debian DSA-140-2 : libpng - buffer overflow");
      # The summary states the method: installed package versions are compared,
      # no PNG data is ever sent to or parsed on the target.
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Developers of the PNG library have fixed a buffer overflow in the
    progressive reader when the PNG datastream contains more IDAT data
    than indicated by the IHDR chunk. Such deliberately malformed
    datastreams would crash applications which could potentially allow an
    attacker to execute malicious code. Programs such as Galeon, Konqueror
    and various others make use of these libraries.
    
    In addition to that, the packages below fix another potential buffer
    overflow. The PNG libraries implement a safety margin which is also
    included in a newer upstream release. Thanks to Glenn Randers-Pehrson
    for informing us.
    
    To find out which packages depend on this library, you may want to
    execute the following commands :
    
        apt-cache showpkg libpng2 apt-cache showpkg libpng3"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-140"
      );
      # The solution text asks for a restart of programs linked to libpng. A
      # package-version check cannot see whether a long-running process still
      # has the old library mapped, so a clean result after upgrading does not
      # by itself confirm that the restart happened.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the libpng packages immediately and restart programs and
    daemons that link to these libraries and read external data, such as
    web browsers.
    
    This problem has been fixed in version 1.0.12-3.woody.2 of libpng and
    version 1.2.1-1.1.woody.2 of libpng3 for the current stable
    distribution (woody) and in version 1.0.12-4 of libpng and version
    1.2.1-2 of libpng3 for the unstable distribution (sid). The potato
    release of Debian does not seem to be vulnerable."
      );
      # NOTE(review): this vector claims partial confidentiality, integrity and
      # availability impact (C:P/I:P/A:P), whereas the CVE-2002-0728 record on
      # this page lists availability impact only. The plugin also covers
      # CVE-2002-0660 and its description mentions possible code execution,
      # which presumably explains the higher rating - confirm before using the
      # plugin severity for prioritisation.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # Declared as a local check scoped to Debian 3.0 and the libpng / libpng3
      # packages.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpng");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpng3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/08/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # The check consumes knowledge-base entries instead of querying the host
      # itself; presumably ssh_get_info.nasl is what fills them during an
      # authenticated scan - verify against that plugin.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: local checks must be enabled, the host must be identified
    # as Debian, and a dpkg package listing must be present in the knowledge
    # base. Each missing item ends the run through audit() with its own reason.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Compare each Debian 3.0 package against the fixed version named in the
    # advisory. Every deb_check() call is made, with no short-circuit, so that
    # all outdated packages can appear in the report.
    # NOTE(review): this only inspects packages known to dpkg; a libpng copy
    # bundled or statically linked into an application is outside its view.
    outdated = 0;
    if (deb_check(release:"3.0", prefix:"libpng-dev", reference:"1.2.1-1.1.woody.2"))
      outdated += 1;
    if (deb_check(release:"3.0", prefix:"libpng2", reference:"1.0.12-3.woody.2"))
      outdated += 1;
    if (deb_check(release:"3.0", prefix:"libpng2-dev", reference:"1.0.12-3.woody.2"))
      outdated += 1;
    if (deb_check(release:"3.0", prefix:"libpng3", reference:"1.2.1-1.1.woody.2"))
      outdated += 1;
    
    if (outdated)
    {
      # Attach the package details only when the scan asks for verbose output.
      if (!(report_verbosity > 0))
        security_hole(0);
      else
        security_hole(port:0, extra:deb_report_get());
      exit(0);
    }
    else
      audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2002-049.NASL
    description: A buffer overflow was found in the progressive reader of the PNG library when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. These deliberately malformed datastreams would crash applications thus potentially allowing an attacker to execute malicious code. Many programs make use of the PNG libraries, including web browsers. This overflow is corrected in versions 1.0.14 and 1.2.4 of the PNG library. In order to have the system utilize the upgraded packages after the upgrade, you must restart all running applications that are linked to libpng. You can obtain this list by executing 'lsof|grep libpng' or 'fuser -v /usr/lib/libpng.so'.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13952
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13952
    title: Mandrake Linux Security Advisory : libpng (MDKSA-2002:049)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2002:049. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Registration branch: runs only when `description` is set. It declares the
    # plugin's metadata and leaves through exit(0) at the end of the block, so
    # none of the package checks further down execute in this mode.
    if (description)
    {
      script_id(13952);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      # Only CVE-2002-0728 is attached to this plugin.
      script_cve_id("CVE-2002-0728");
      script_xref(name:"MDKSA", value:"2002:049");
    
      script_name(english:"Mandrake Linux Security Advisory : libpng (MDKSA-2002:049)");
      # The summary states the method: installed rpm versions are compared, no
      # PNG data is ever sent to or parsed on the target.
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      # The description ends with the advisory's reminder to restart every
      # application linked to libpng. A package-version check cannot see
      # whether a running process still has the old library mapped.
      script_set_attribute(
        attribute:"description", 
        value:
    "A buffer overflow was found in the in the progressive reader of the
    PNG library when the PNG datastream contains more IDAT data than
    indicated by the IHDR chunk. These deliberately malformed datastreams
    would crash applications thus potentially allowing an attacker to
    execute malicious code. Many programs make use of the PNG libraries,
    including web browsers. This overflow is corrected in versions 1.0.14
    and 1.2.4 of the PNG library.
    
    In order to have the system utilize the upgraded packages after the
    upgrade, you must restart all running applications that are linked to
    libpng. You can obtain this list by executing 'lsof|grep libpng' or
    'fuser -v /usr/lib/libpng.so'."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"ftp://swrinde.nde.swri.edu/pub/png-group/archives/png-list.200207"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # Availability-only vector (C:N/I:N/A:P), in line with the impact fields of
      # the CVE-2002-0728 record on this page, although the description above
      # also mentions potential code execution.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      # Declared as a local check; the CPE list names the libpng package
      # variants and Mandrake Linux releases 7.1 through 8.2.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpng");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpng-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpng2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpng2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpng3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpng3-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpng3-static-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/08/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # The check consumes knowledge-base entries instead of querying the host
      # itself; presumably ssh_get_info.nasl is what fills them during an
      # authenticated scan - verify against that plugin.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
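    # Preconditions: local checks must be enabled, the host must be identified
    # as Mandrake, and an rpm package listing must be present in the knowledge
    # base. Each missing item ends the run through audit() with its own reason.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # The OS name in this audit message was misspelled "Mandake"; it now matches
    # the spelling used by the architecture audit a few lines below.
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Architecture gate: an unknown CPU, or one outside the x86 family, ends the
    # run with an explicit audit reason instead of a silent pass.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    # One rpm_check() per release and package, each against the fixed build
    # named in the advisory. Every call is made, with no short-circuit, so that
    # all outdated packages can appear in the report.
    # NOTE(review): the gate above accepts amd64 / x86_64, yet every check below
    # names cpu:"i386". How rpm_check() treats a 64-bit host is decided in
    # rpm.inc, which is not shown here - confirm, because if such hosts are
    # skipped the run ends in the "not affected" audit without any package
    # having been compared.
    flag = 0;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"libpng-1.0.5-2.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"libpng-devel-1.0.5-2.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"libpng-1.0.8-2.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"libpng-devel-1.0.8-2.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"libpng2-1.0.9-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"libpng2-devel-1.0.9-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"libpng2-1.0.12-2.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"libpng2-devel-1.0.12-2.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libpng3-1.2.4-3.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libpng3-devel-1.2.4-3.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libpng3-static-devel-1.2.4-3.1mdk", yank:"mdk")) flag++;
    
    
    # Reported with security_warning(), where the Debian and Red Hat plugins for
    # the same issue on this page report a hole. The package details are
    # attached only when the scan asks for verbose output.
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");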
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2002-152.NASL
    description: Updated libpng packages are available that fix a buffer overflow vulnerability. The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. PNG is a bit-mapped graphics format similar to the GIF format. Versions of libpng prior to 1.0.14 contain a buffer overflow in the progressive reader when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. Such deliberately malformed datastreams would crash applications linked to libpng such as Mozilla that use the progressive reading feature. Packages within Red Hat Linux Advanced Server, such as Mozilla, make use of the shared libpng library, therefore all users are advised to upgrade to the errata packages which contain libpng 1.0.14. Libpng 1.0.14 is not vulnerable to this issue and contains fixes for other bugs including a number of memory leaks.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12313
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12313
    title: RHEL 2.1 : libpng (RHSA-2002:152)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2002:152. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: runs only when `description` is set. It declares the
    # plugin's metadata and leaves through exit(0) at the end of the block, so
    # none of the package checks further down execute in this mode.
    if (description)
    {
      script_id(12313);
      script_version ("1.25");
      script_cvs_date("Date: 2019/10/25 13:36:09");
    
      # Two CVE ids are attached to this single plugin, so a finding does not
      # say which of the two issues the installed package is exposed to.
      script_cve_id("CVE-2002-0660", "CVE-2002-0728");
      script_xref(name:"RHSA", value:"2002:152");
    
      script_name(english:"RHEL 2.1 : libpng (RHSA-2002:152)");
      # The summary states the method: installed rpm versions are compared, no
      # PNG data is ever sent to or parsed on the target.
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated libpng packages are available that fix a buffer overflow
    vulnerability.
    
    The libpng package contains a library of functions for creating and
    manipulating PNG (Portable Network Graphics) image format files. PNG
    is a bit-mapped graphics format similar to the GIF format.
    
    Versions of libpng prior to 1.0.14 contain a buffer overflow in the
    progressive reader when the PNG datastream contains more IDAT data
    than indicated by the IHDR chunk. Such deliberately malformed
    datastreams would crash applications linked to libpng such as Mozilla
    that use the progressive reading feature.
    
    Packages within Red Hat Linux Advanced Server , such as Mozilla, make
    use of the shared libpng library, therefore all users are advised to
    upgrade to the errata packages which contain libpng 1.0.14. Libpng
    1.0.14 is not vulnerable to this issue and contains fixes for other
    bugs including a number of memory leaks."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-0660"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-0728"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2002:152"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libpng and / or libpng-devel packages."
      );
      # NOTE(review): this vector claims partial confidentiality, integrity and
      # availability impact (C:P/I:P/A:P), while the description above speaks
      # only of crashes and the CVE-2002-0728 record on this page lists
      # availability impact only. The plugin also covers CVE-2002-0660, which
      # presumably explains the higher rating - confirm before using the
      # plugin severity for prioritisation.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # Declared as a local check scoped to RHEL 2.1 and the libpng /
      # libpng-devel packages.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libpng");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libpng-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      # As recorded here, the patch date (2002/08/01) precedes the vulnerability
      # publication date (2002/08/12); keep that in mind when these fields feed
      # exposure-window calculations.
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/08/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2002/08/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      # The check consumes knowledge-base entries instead of querying the host
      # itself; presumably ssh_get_info.nasl is what fills them during an
      # authenticated scan - verify against that plugin.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Preconditions, each ending the run through audit() with its own reason:
    # local checks enabled, a release string that contains "Red Hat", and a
    # parsable Red Hat Enterprise Linux version equal to 2.1.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    # Capture group 1 is the numeric release, with an optional minor part.
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    # Accept "2.1" only when it is not followed by another digit, so a value
    # such as "2.10" does not pass as 2.1.
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Two architecture gates in a row: the first admits x86_64, i386-class and
    # s390 hosts, the second then rejects everything that is not i386-class.
    # In effect only i[3-6]86 hosts reach the package checks; the others leave
    # with an explicit architecture audit rather than a "not affected" verdict.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    # Two mutually exclusive detection paths. When yum updateinfo data is in the
    # knowledge base the verdict comes from that data alone and rpm_check() is
    # never consulted.
    # NOTE(review): the first path is therefore only as good as the host's
    # updateinfo metadata; how redhat_generate_yum_updateinfo_report() derives
    # its result is not visible here - confirm before treating an empty report
    # as proof that the fixed package is installed.
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2002:152";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        # An empty report is turned into a "not affected by this advisory" audit.
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      # Fallback path: compare the installed rpm versions against the fixed
      # builds. Both calls are made, with no short-circuit, so both packages
      # can appear in the report.
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"libpng-1.0.14-0.7x.3")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"libpng-devel-1.0.14-0.7x.3")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        # Distinguish "packages were compared and are current" from "neither
        # package is installed", so a clean result is not mistaken for a
        # verified one.
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpng / libpng-devel");
      }
    }
    

Redhat

advisories
rhsa
id: RHSA-2002:152