Vulnerabilities > CVE-2004-0421 - Out-of-bounds Read vulnerability in multiple products

The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.

Vulnerable Configurations

Part	Description	Count
Application	Openpkg Openpkg Openpkg 2.0 Openpkg Openpkg 1.3	2
Application	Libpng Libpng Libpng 1.2.2 Libpng Libpng 1.0.8 Libpng Libpng 1.2.4 Libpng Libpng 1.0.14 Libpng Libpng 1.2.0 Libpng Libpng 1.0.11 Libpng Libpng 1.0.9 Libpng Libpng 1.0.13 Libpng Libpng 1.0.6 Libpng Libpng 1.0.7 Libpng Libpng 1.2.3 Libpng Libpng 1.0.5 Libpng Libpng 1.2.1 Libpng Libpng 1.0.12 Libpng Libpng 1.2.5 Libpng Libpng 1.0.0 Libpng Libpng 1.0.10	17
Application	Redhat Redhat Libpng 1.2.2-16 Redhat Libpng 1.2.2-20	2
OS	Trustix Trustix Secure Linux 2.0 Trustix Secure Linux 2.1	2
OS	Redhat Redhat Enterprise Linux Desktop 3.0 Redhat Enterprise Linux 2.1 Redhat Enterprise Linux 3.0	3

Common Weakness Enumeration (CWE)

CWE-125 - Out-of-bounds Read

Common Attack Pattern Enumeration and Classification (CAPEC)

Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2011-8868.NASL
description	Fix for CVE-2011-2501. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	55599
published	2011-07-18
reporter	This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/55599
title	Fedora 14 : mingw32-libpng-1.4.3-2.fc14 (2011-8868)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2011-8868. # include("compat.inc"); if (description) { script_id(55599); script_version("1.10"); script_cvs_date("Date: 2019/08/02 13:32:35"); script_cve_id("CVE-2004-0421", "CVE-2011-2501"); script_bugtraq_id(48474); script_xref(name:"FEDORA", value:"2011-8868"); script_name(english:"Fedora 14 : mingw32-libpng-1.4.3-2.fc14 (2011-8868)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Fix for CVE-2011-2501. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=717510" ); # https://lists.fedoraproject.org/pipermail/package-announce/2011-July/062720.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0a6b22a6" ); script_set_attribute( attribute:"solution", value:"Update the affected mingw32-libpng package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mingw32-libpng"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:14"); script_set_attribute(attribute:"patch_publication_date", value:"2011/06/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^14([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 14.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC14", reference:"mingw32-libpng-1.4.3-2.fc14")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mingw32-libpng"); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2011-8844.NASL
description	This update fixes a 1-byte uninitialized memory reference in png_format_buffer(). It allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message. This is CVE-2011-2501. Also fixed in this release are some other minor security problems and there
last seen	2020-06-01
modified	2020-06-02
plugin id	55654
published	2011-07-25
reporter	This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/55654
title	Fedora 15 : libpng10-1.0.55-1.fc15 (2011-8844)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2011-8844. # include("compat.inc"); if (description) { script_id(55654); script_version("1.9"); script_cvs_date("Date: 2019/08/02 13:32:35"); script_cve_id("CVE-2004-0421", "CVE-2011-2501", "CVE-2011-2690", "CVE-2011-2691", "CVE-2011-2692"); script_bugtraq_id(48474, 48618, 48660); script_xref(name:"FEDORA", value:"2011-8844"); script_name(english:"Fedora 15 : libpng10-1.0.55-1.fc15 (2011-8844)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update fixes a 1-byte uninitialized memory reference in png_format_buffer(). It allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message. This is CVE-2011-2501. Also fixed in this release are some other minor security problems and there's additionally a bugfix backported from 1.5.3: when expanding a paletted image, always expand to RGBA if transparency is present. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=717084" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=720607" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=720608" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=720612" ); # https://lists.fedoraproject.org/pipermail/package-announce/2011-July/062970.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?34f18a13" ); script_set_attribute( attribute:"solution", value:"Update the affected libpng10 package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpng10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:15"); script_set_attribute(attribute:"patch_publication_date", value:"2011/06/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/25"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^15([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 15.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC15", reference:"libpng10-1.0.55-1.fc15")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpng10"); }

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2006-212.NASL
description	Doxygen is a documentation system for C, C++ and IDL. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities : Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to
last seen	2020-06-01
modified	2020-06-02
plugin id	24597
published	2007-02-18
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/24597
title	Mandrake Linux Security Advisory : doxygen (MDKSA-2006:212)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2006:212. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(24597); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:48"); script_cve_id("CVE-2002-1363", "CVE-2004-0421", "CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599", "CVE-2006-3334", "CVE-2006-5793"); script_bugtraq_id(10244, 18698); script_xref(name:"MDKSA", value:"2006:212"); script_name(english:"Mandrake Linux Security Advisory : doxygen (MDKSA-2006:212)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "Doxygen is a documentation system for C, C++ and IDL. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities : Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to 'chunk error processing,' possibly involving the 'chunk_name'. (CVE-2006-3334) It is questionable whether this issue is actually exploitable, but the patch to correct the issue has been included in versions < 1.2.12. Tavis Ormandy, of the Gentoo Linux Security Auditing Team, discovered a typo in png_set_sPLT() that may cause an application using libpng to read out of bounds, resulting in a crash. (CVE-2006-5793) In addition, an patch to address several old vulnerabilities has been applied to this build. (CVE-2002-1363, CVE-2004-0421, CVE-2004-0597, CVE-2004-0598, CVE-2004-0599) Packages have been patched to correct these issues." ); script_set_attribute( attribute:"solution", value:"Update the affected doxygen package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:doxygen"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64\|i[3-6]86\|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2006.0", reference:"doxygen-1.4.4-1.1.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2007.0", reference:"doxygen-1.4.7-1.1mdv2007.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2004-106.NASL
description	- Mon Apr 19 2004 Matthias Clasen <mclasen at redhat.com> - fix a possible out-of-bounds read in the error message handler. #121229 - Tue Mar 02 2004 Elliot Lee <sopwith at redhat.com> - rebuilt - Fri Feb 13 2004 Elliot Lee <sopwith at redhat.com> - rebuilt Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	13689
published	2004-07-23
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/13689
title	Fedora Core 1 : libpng10-1.0.13-11 (2004-106)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2004-106. # include("compat.inc"); if (description) { script_id(13689); script_version ("1.13"); script_cvs_date("Date: 2019/08/02 13:32:23"); script_cve_id("CVE-2004-0421"); script_xref(name:"FEDORA", value:"2004-106"); script_name(english:"Fedora Core 1 : libpng10-1.0.13-11 (2004-106)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Mon Apr 19 2004 Matthias Clasen <mclasen at redhat.com> - fix a possible out-of-bounds read in the error message handler. #121229 - Tue Mar 02 2004 Elliot Lee <sopwith at redhat.com> - rebuilt - Fri Feb 13 2004 Elliot Lee <sopwith at redhat.com> - rebuilt Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/announce/2004-May/000116.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0086c378" ); script_set_attribute( attribute:"solution", value: "Update the affected libpng10, libpng10-debuginfo and / or libpng10-devel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpng10"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpng10-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpng10-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1"); script_set_attribute(attribute:"patch_publication_date", value:"2004/05/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^1([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC1", reference:"libpng10-1.0.13-11")) flag++; if (rpm_check(release:"FC1", reference:"libpng10-debuginfo-1.0.13-11")) flag++; if (rpm_check(release:"FC1", reference:"libpng10-devel-1.0.13-11")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpng10 / libpng10-debuginfo / libpng10-devel"); }

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2006-213.NASL
description	Chromium is an OpenGL-based shoot them up game with fine graphics. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities : Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to
last seen	2020-06-01
modified	2020-06-02
plugin id	24598
published	2007-02-18
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/24598
title	Mandrake Linux Security Advisory : chromium (MDKSA-2006:213)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2006:213. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(24598); script_version ("1.20"); script_cvs_date("Date: 2019/08/02 13:32:48"); script_cve_id( "CVE-2002-1363", "CVE-2004-0421", "CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599", "CVE-2006-3334" ); script_bugtraq_id( 10244, 18698, 21078 ); script_xref(name:"MDKSA", value:"2006:213"); script_name(english:"Mandrake Linux Security Advisory : chromium (MDKSA-2006:213)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Chromium is an OpenGL-based shoot them up game with fine graphics. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities : Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to 'chunk error processing,' possibly involving the 'chunk_name'. (CVE-2006-3334) It is questionable whether this issue is actually exploitable, but the patch to correct the issue has been included in versions < 1.2.12. In addition, an patch to address several old vulnerabilities has been applied to this build. (CVE-2002-1363, CVE-2004-0421, CVE-2004-0597, CVE-2004-0598, CVE-2004-0599) Packages have been patched to correct these issues." ); script_set_attribute( attribute:"solution", value:"Update the affected chromium and / or chromium-setup packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:chromium"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:chromium-setup"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64\|i[3-6]86\|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2007.0", reference:"chromium-0.9.12-25.1mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"chromium-setup-0.9.12-25.1mdv2007.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2011-9343.NASL
description	Update to libpng 1.2.46, includes fixes for CVE-2011-2501, CVE-2011-2690, CVE-2011-2691, CVE-2011-2692 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	55612
published	2011-07-19
reporter	This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/55612
title	Fedora 15 : libpng-1.2.46-1.fc15 (2011-9343)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-498.NASL
description	Steve Grubb discovered a problem in the Portable Network Graphics library libpng which is utilised in several applications. When processing a broken PNG image, the error handling routine will access memory that is out of bounds when creating an error message. Depending on machine architecture, bounds checking and other protective measures, this problem could cause the program to crash if a defective or intentionally prepared PNG image file is handled by libpng. This could be used as a denial of service attack against various programs that link against this library. The following commands will show you which packages utilise this library and whose programs should probably restarted after an upgrade : apt-cache showpkg libpng2 apt-cache showpkg libpng3 The following security matrix explains which package versions will contain a correction. Package stable (woody) unstable (sid) libpng 1.0.12-3.woody.5 1.0.15-5 libpng3 1.2.1-1.1.woody.5 1.2.5.0-6
last seen	2020-06-01
modified	2020-06-02
plugin id	15335
published	2004-09-29
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/15335
title	Debian DSA-498-1 : libpng - out of bound access

NASL family	Slackware Local Security Checks
NASL id	SLACKWARE_SSA_2004-124-04.NASL
description	New libpng packages are available for Slackware 9.0, 9.1, and -current to fix an issue where libpng could be caused to crash, perhaps creating a denial of service issue if network services are linked with it.
last seen	2020-06-01
modified	2020-06-02
plugin id	18751
published	2005-07-13
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/18751
title	Slackware 9.0 / 9.1 / current : libpng update (SSA:2004-124-04)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2011-9336.NASL
description	Update to libpng 1.2.46, includes fixes for CVE-2011-2501, CVE-2011-2690, CVE-2011-2691, CVE-2011-2692 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	55738
published	2011-08-01
reporter	This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/55738
title	Fedora 14 : libpng-1.2.46-1.fc14 (2011-9336)

NASL family	Mandriva Local Security Checks
NASL id	MANDRIVA_MDVSA-2011-151.NASL
description	Multiple vulnerabilities has been discovered and corrected in libpng : The png_format_buffer function in pngerror.c in libpng allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression (CVE-2011-2501). Buffer overflow in libpng, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image (CVE-2011-2690). The png_err function in pngerror.c in libpng makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image (CVE-2011-2691). NOTE: This does not affect the binary packages in Mandriva, but could affect users if PNG_NO_ERROR_TEXT is defined using the libpng-source-1.?.?? package. The png_handle_sCAL function in pngrutil.c in libpng does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory (CVE-2011-2692). The updated packages have been patched to correct these issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	56529
published	2011-10-18
reporter	This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/56529
title	Mandriva Linux Security Advisory : libpng (MDVSA-2011:151)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-200405-06.NASL
description	The remote host is affected by the vulnerability described in GLSA-200405-06 (libpng denial of service vulnerability) libpng provides two functions (png_chunk_error and png_chunk_warning) for default error and warning messages handling. These functions do not perform proper bounds checking on the provided message, which is limited to 64 bytes. Programs linked against this library may crash when handling a malicious PNG image. Impact : This vulnerability could be used to crash various programs using the libpng library, potentially resulting in a denial of service attack on vulnerable daemon processes. Workaround : There is no known workaround at this time. All users are advised to upgrade to the latest available version of libpng.
last seen	2020-06-01
modified	2020-06-02
plugin id	14492
published	2004-08-30
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/14492
title	GLSA-200405-06 : libpng denial of service vulnerability

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2011-8874.NASL
description	Fix for CVE-2011-2501. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	55600
published	2011-07-18
reporter	This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/55600
title	Fedora 15 : mingw32-libpng-1.4.3-3.fc15 (2011-8874)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1421.NASL
description	According to the versions of the libpng package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.(CVE-2011-3048) - The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.(CVE-2011-2692) - It was discovered that the png_get_PLTE() and png_set_PLTE() functions of libpng did not correctly calculate the maximum palette sizes for bit depths of less than 8. In case an application tried to use these functions in combination with properly calculated palette sizes, this could lead to a buffer overflow or out-of-bounds reads. An attacker could exploit this to cause a crash or potentially execute arbitrary code by tricking an unsuspecting user into processing a specially crafted PNG image. However, the exact impact is dependent on the application using the library.(CVE-2015-8472) - The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.(CVE-2011-2691) - Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.(CVE-2015-8540) - Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation.(CVE-2011-3026) - An array-indexing error was discovered in the png_convert_to_rfc1123() function of libpng. An attacker could possibly use this flaw to cause an out-of-bounds read by tricking an unsuspecting user into processing a specially crafted PNG image.(CVE-2015-7981) - Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.(CVE-2011-2690) - The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.(CVE-2011-2501) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	124924
published	2019-05-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124924
title	EulerOS Virtualization 3.0.1.0 : libpng (EulerOS-SA-2019-1421)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_3A408F6F9C5211D893660020ED76EF5A.NASL
description	Steve Grubb reports a buffer read overrun in libpng
last seen	2020-06-01
modified	2020-06-02
plugin id	37799
published	2009-04-23
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/37799
title	FreeBSD : libpng denial-of-service (3a408f6f-9c52-11d8-9366-0020ed76ef5a)

NASL family	MacOS X Local Security Checks
NASL id	MACOSX_SECUPD20040809.NASL
description	The remote host is missing Security Update 2004-08-09. libpng is a library used for manipulating graphics files. Several buffer overflows have been discovered in libpng. A remote attacker could exploit these vulnerabilities by tricking a user into opening a maliciously crafted PNG file, resulting in the execution of arbitrary code.
last seen	2020-06-01
modified	2020-06-02
plugin id	14242
published	2004-08-10
reporter	This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/14242
title	Mac OS X Multiple Vulnerabilities (Security Update 2004-08-09)

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2004-040.NASL
description	Steve Grubb discovered that libpng would access memory that is out of bounds when creating an error message. The impact of this bug is not clear, but it could lead to a core dump in a program using libpng, or could result in a DoS (Denial of Service) condition in a daemon that uses libpng to process PNG imagaes. The updated packages are patched to correct the vulnerability.
last seen	2020-06-01
modified	2020-06-02
plugin id	14139
published	2004-07-31
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/14139
title	Mandrake Linux Security Advisory : libpng (MDKSA-2004:040)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2004-105.NASL
description	- Mon Apr 19 2004 Matthias Clasen <mclasen at redhat.com> - fix a possible out-of-bounds read in the error message handler. #121229 - Tue Mar 02 2004 Elliot Lee <sopwith at redhat.com> - rebuilt - Fri Feb 27 2004 Mark McLoughlin <markmc at redhat.com> 2:1.2.2-19 - rebuild with changed bits/setjmp.h on ppc - Fri Feb 13 2004 Elliot Lee <sopwith at redhat.com> - rebuilt Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	13688
published	2004-07-23
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/13688
title	Fedora Core 1 : libpng-1.2.2-20 (2004-105)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_LIBPNG.NASL
description	The following package needs to be updated: linux-png
last seen	2016-09-26
modified	2011-10-03
plugin id	12563
published	2004-07-06
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=12563
title	FreeBSD : libpng denial-of-service (93)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2004-180.NASL
description	Updated libpng packages that fix a out of bounds memory access are now available. The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. Steve Grubb discovered a out of bounds memory access flaw in libpng. An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash when opened by a victim. This issue may not be used to execute arbitrary code. Users are advised to upgrade to these updated packages that contain a backported security fix not vulnerable to this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	12492
published	2004-07-06
reporter	This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/12492
title	RHEL 2.1 / 3 : libpng (RHSA-2004:180)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2011-8867.NASL
description	This update fixes a 1-byte uninitialized memory reference in png_format_buffer(). It allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message. This is CVE-2011-2501. Also fixed in this release are some other minor security problems and there
last seen	2020-06-01
modified	2020-06-02
plugin id	55655
published	2011-07-25
reporter	This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/55655
title	Fedora 14 : libpng10-1.0.55-1.fc14 (2011-8867)

Oval

accepted

2013-04-29T04:15:26.599-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651

description

family

unix

oval:org.mitre.oval:def:11710

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

accepted

2007-04-25T19:53:11.593-04:00

class

vulnerability

contributors

name Jay Beale
organization Bastille Linux
name Thomas R. Jones
organization Maitreya Security

description

family

unix

oval:org.mitre.oval:def:971

status

accepted

submitted

2004-05-20T12:00:00.000-04:00

title

libpng Malformed PNG Image Vulnerability

version

Redhat

advisories

rhsa
id RHSA-2004:180
rhsa
id RHSA-2004:181

rpms

libpng-2:1.2.2-21
libpng-debuginfo-2:1.2.2-21
libpng-devel-2:1.2.2-21
libpng10-0:1.0.13-12
libpng10-debuginfo-0:1.0.13-12
libpng10-devel-0:1.0.13-12

Summary