Vulnerabilities > CVE-2004-0597 - Remote vulnerability in LibPNG Graphics Library
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 | |
| Application | 4 | |
| OS | 2 |
Exploit-Db
description MSN Messenger 6.2.0137 PNG Buffer Overflow Vulnerability. CVE-2004-0597. Remote exploit for windows platform id EDB-ID:25094 last seen 2016-02-03 modified 2005-02-08 published 2005-02-08 reporter ATmaCA source https://www.exploit-db.com/download/25094/ title MSN Messenger 6.2.0137 PNG Buffer Overflow Vulnerability description LibPNG Graphics Library Remote Buffer Overflow Exploit. CVE-2004-0597. Remote exploit for linux platform id EDB-ID:389 last seen 2016-01-31 modified 2004-08-11 published 2004-08-11 reporter infamous41md source https://www.exploit-db.com/download/389/ title LibPNG Graphics Library Remote Buffer Overflow Exploit description LibPNG <= 1.2.5 png_jmpbuf() Local Buffer Overflow Exploit. CVE-2004-0597. Local exploit for linux platform id EDB-ID:393 last seen 2016-01-31 modified 2004-08-13 published 2004-08-13 reporter N/A source https://www.exploit-db.com/download/393/ title LibPNG <= 1.2.5 png_jmpbuf Local Buffer Overflow Exploit
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_LIBPNG_1257.NASL description The following package needs to be updated: firefox last seen 2016-09-26 modified 2004-08-06 plugin id 14216 published 2004-08-06 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=14216 title FreeBSD : libpng stack-based buffer overflow and other code concerns (94) code #%NASL_MIN_LEVEL 999999 # @DEPRECATED@ # # This script has been deprecated by freebsd_pkg_f9e3e60be65011d89b0a000347a4fa7d.nasl. # # Disabled on 2011/10/02. # # # (C) Tenable Network Security, Inc. # # This script contains information extracted from VuXML : # # Copyright 2003-2006 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # include('compat.inc'); if ( description ) { script_id(14216); script_version("1.16"); script_cve_id("CVE-2004-0599"); script_cve_id("CVE-2004-0598"); script_cve_id("CVE-2004-0597"); script_name(english:"FreeBSD : libpng stack-based buffer overflow and other code concerns (94)"); script_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update'); script_set_attribute(attribute:'description', value:'The following package needs to be updated: firefox'); script_set_attribute(attribute: 'cvss_vector', value: 'CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C'); script_set_attribute(attribute:'solution', value: 'Update the package on the remote host'); script_set_attribute(attribute: 'see_also', value: 'http://bugzilla.mozilla.org/show_bug.cgi?id=251381 http://dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt http://scary.beasts.org/security/CESA-2004-001.txt http://secunia.com/advisories/12219 http://secunia.com/advisories/12232 http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.0.3 http://www.mozilla.org/security/announce/2006/mfsa2006-09.html http://www.mozilla.org/security/announce/2006/mfsa2006-10.html http://www.mozilla.org/security/announce/2006/mfsa2006-11.html http://www.mozilla.org/security/announce/2006/mfsa2006-12.html http://www.mozilla.org/security/announce/2006/mfsa2006-13.html http://www.mozilla.org/security/announce/2006/mfsa2006-44.html http://www.mozilla.org/security/announce/2008/mfsa2008-47.html http://www.mozilla.org/security/announce/2008/mfsa2008-48.html'); script_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html'); script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/06"); script_end_attributes(); script_summary(english:"Check for firefox"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); family["english"] = "FreeBSD Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/FreeBSD/pkg_info"); exit(0); } # Deprecated. exit(0, "This plugin has been deprecated. Refer to plugin #36897 (freebsd_pkg_f9e3e60be65011d89b0a000347a4fa7d.nasl) instead."); global_var cvss_score; cvss_score=10; include('freebsd_package.inc'); pkg_test(pkg:"png<=1.2.5_7"); pkg_test(pkg:"linux-png<=1.0.14_3"); pkg_test(pkg:"linux-png>=1.2.*<=1.2.2"); pkg_test(pkg:"firefox<0.9.3"); pkg_test(pkg:"thunderbird<0.7.3"); pkg_test(pkg:"linux-mozilla<1.7.2"); pkg_test(pkg:"linux-mozilla-devel<1.7.2"); pkg_test(pkg:"mozilla<1.7.2,2"); pkg_test(pkg:"mozilla>=1.8.*,2<=1.8.a2,2"); pkg_test(pkg:"mozilla-gtk1<1.7.2"); pkg_test(pkg:"netscape-{communicator,navigator}<=4.78"); pkg_test(pkg:"linux-netscape-{communicator,navigator}<=4.8"); pkg_test(pkg:"{ja,ko}-netscape-{communicator,navigator}-linux<=4.8"); pkg_test(pkg:"{,ja-}netscape7<=7.1"); pkg_test(pkg:"{de-,fr-,pt_BR-}netscape7<=7.02");NASL family Fedora Local Security Checks NASL id FEDORA_2004-239.NASL description The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. During a source code audit, Chris Evans discovered several buffer overflows in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0597 to these issues. In addition, this audit discovered a potential NULL pointer dereference in libpng (CVE-2004-0598) and several integer overflow issues (CVE-2004-0599). An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to crash when the file was opened by the victim. Red Hat would like to thank Chris Evans for discovering these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14210 published 2004-08-05 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14210 title Fedora Core 2 : libpng-1.2.5-8 (2004-239) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2004-239. # include("compat.inc"); if (description) { script_id(14210); script_version ("1.20"); script_cvs_date("Date: 2019/08/02 13:32:23"); script_cve_id("CVE-2004-0597"); script_xref(name:"FEDORA", value:"2004-239"); script_name(english:"Fedora Core 2 : libpng-1.2.5-8 (2004-239)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: "The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. During a source code audit, Chris Evans discovered several buffer overflows in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0597 to these issues. In addition, this audit discovered a potential NULL pointer dereference in libpng (CVE-2004-0598) and several integer overflow issues (CVE-2004-0599). An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to crash when the file was opened by the victim. Red Hat would like to thank Chris Evans for discovering these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/announce/2004-August/000247.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?70cb77cd" ); script_set_attribute( attribute:"solution", value: "Update the affected libpng, libpng-debuginfo and / or libpng-devel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpng"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpng-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpng-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2"); script_set_attribute(attribute:"patch_publication_date", value:"2004/08/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC2", reference:"libpng-1.2.5-8")) flag++; if (rpm_check(release:"FC2", reference:"libpng-debuginfo-1.2.5-8")) flag++; if (rpm_check(release:"FC2", reference:"libpng-devel-1.2.5-8")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpng / libpng-debuginfo / libpng-devel"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2004-421.NASL description Updated mozilla packages based on version 1.4.3 that fix a number of security issues for Red Hat Enterprise Linux are now available. Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A number of flaws have been found in Mozilla 1.4 that have been fixed in the Mozilla 1.4.3 release : Zen Parse reported improper input validation to the SOAPParameter object constructor leading to an integer overflow and controllable heap corruption. Malicious JavaScript could be written to utilize this flaw and could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0722 to this issue. During a source code audit, Chris Evans discovered a buffer overflow and integer overflows which affect the libpng code inside Mozilla. An attacker could create a carefully crafted PNG file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image was viewed. (CVE-2004-0597, CVE-2004-0599) Zen Parse reported a flaw in the POP3 capability. A malicious POP3 server could send a carefully crafted response that would cause a heap overflow and potentially allow execution of arbitrary code as the user running Mozilla. (CVE-2004-0757) Marcel Boesch found a flaw that allows a CA certificate to be imported with a DN the same as that of the built-in CA root certificates, which can cause a denial of service to SSL pages, as the malicious certificate is treated as invalid. (CVE-2004-0758) Met - Martin Hassman reported a flaw in Mozilla that could allow malicious JavaScript code to upload local files from a users machine without requiring confirmation. (CVE-2004-0759) Mindlock Security reported a flaw in ftp URI handling. By using a NULL character (%00) in a ftp URI, Mozilla can be confused into opening a resource as a different MIME type. (CVE-2004-0760) Mozilla does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates website spoofing and other attacks, also known as the frame injection vulnerability. (CVE-2004-0718) Tolga Tarhan reported a flaw that can allow a malicious webpage to use a redirect sequence to spoof the security lock icon that makes a webpage appear to be encrypted. (CVE-2004-0761) Jesse Ruderman reported a security issue that affects a number of browsers including Mozilla that could allow malicious websites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box. (CVE-2004-0762) Emmanouel Kellinis discovered a caching flaw in Mozilla which allows malicious websites to spoof certificates of trusted websites via redirects and JavaScript that uses the last seen 2020-06-01 modified 2020-06-02 plugin id 14214 published 2004-08-05 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/14214 title RHEL 2.1 / 3 : mozilla (RHSA-2004:421) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2004:421. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(14214); script_version ("1.35"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2004-0597", "CVE-2004-0599", "CVE-2004-0718", "CVE-2004-0722", "CVE-2004-0757", "CVE-2004-0758", "CVE-2004-0759", "CVE-2004-0760", "CVE-2004-0761", "CVE-2004-0762", "CVE-2004-0763", "CVE-2004-0764", "CVE-2004-0765"); script_xref(name:"RHSA", value:"2004:421"); script_name(english:"RHEL 2.1 / 3 : mozilla (RHSA-2004:421)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated mozilla packages based on version 1.4.3 that fix a number of security issues for Red Hat Enterprise Linux are now available. Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A number of flaws have been found in Mozilla 1.4 that have been fixed in the Mozilla 1.4.3 release : Zen Parse reported improper input validation to the SOAPParameter object constructor leading to an integer overflow and controllable heap corruption. Malicious JavaScript could be written to utilize this flaw and could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0722 to this issue. During a source code audit, Chris Evans discovered a buffer overflow and integer overflows which affect the libpng code inside Mozilla. An attacker could create a carefully crafted PNG file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image was viewed. (CVE-2004-0597, CVE-2004-0599) Zen Parse reported a flaw in the POP3 capability. A malicious POP3 server could send a carefully crafted response that would cause a heap overflow and potentially allow execution of arbitrary code as the user running Mozilla. (CVE-2004-0757) Marcel Boesch found a flaw that allows a CA certificate to be imported with a DN the same as that of the built-in CA root certificates, which can cause a denial of service to SSL pages, as the malicious certificate is treated as invalid. (CVE-2004-0758) Met - Martin Hassman reported a flaw in Mozilla that could allow malicious JavaScript code to upload local files from a users machine without requiring confirmation. (CVE-2004-0759) Mindlock Security reported a flaw in ftp URI handling. By using a NULL character (%00) in a ftp URI, Mozilla can be confused into opening a resource as a different MIME type. (CVE-2004-0760) Mozilla does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates website spoofing and other attacks, also known as the frame injection vulnerability. (CVE-2004-0718) Tolga Tarhan reported a flaw that can allow a malicious webpage to use a redirect sequence to spoof the security lock icon that makes a webpage appear to be encrypted. (CVE-2004-0761) Jesse Ruderman reported a security issue that affects a number of browsers including Mozilla that could allow malicious websites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box. (CVE-2004-0762) Emmanouel Kellinis discovered a caching flaw in Mozilla which allows malicious websites to spoof certificates of trusted websites via redirects and JavaScript that uses the 'onunload' method. (CVE-2004-0763) Mozilla allowed malicious websites to hijack the user interface via the 'chrome' flag and XML User Interface Language (XUL) files. (CVE-2004-0764) The cert_TestHostName function in Mozilla only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN). This flaw could be used for spoofing if an attacker had control of machines on a default DNS search path. (CVE-2004-0765) All users are advised to update to these erratum packages which contain a snapshot of Mozilla 1.4.3 including backported fixes and are not vulnerable to these issues." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0597" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0599" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0718" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0722" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0757" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0758" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0759" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0760" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0761" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0762" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0763" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0764" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0765" ); # http://bugzilla.mozilla.org/show_bug.cgi?id=236618 script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=236618" ); # http://bugzilla.mozilla.org/show_bug.cgi?id=251381 script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=251381" ); # http://bugzilla.mozilla.org/show_bug.cgi?id=229374 script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=229374" ); # http://bugzilla.mozilla.org/show_bug.cgi?id=249004 script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=249004" ); # http://bugzilla.mozilla.org/show_bug.cgi?id=241924 script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=241924" ); # http://bugzilla.mozilla.org/show_bug.cgi?id=250906 script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=250906" ); # http://bugzilla.mozilla.org/show_bug.cgi?id=246448 script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=246448" ); # http://bugzilla.mozilla.org/show_bug.cgi?id=240053 script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=240053" ); # http://bugzilla.mozilla.org/show_bug.cgi?id=162020 script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=162020" ); # http://bugzilla.mozilla.org/show_bug.cgi?id=253121 script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=253121" ); # http://bugzilla.mozilla.org/show_bug.cgi?id=244965 script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=244965" ); # http://bugzilla.mozilla.org/show_bug.cgi?id=234058 script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=234058" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2004:421" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:galeon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozilla"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozilla-chat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozilla-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozilla-dom-inspector"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozilla-js-debugger"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozilla-mail"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozilla-nspr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozilla-nspr-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozilla-nss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozilla-nss-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/27"); script_set_attribute(attribute:"patch_publication_date", value:"2004/08/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/05"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(2\.1|3)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2004:421"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"galeon-1.2.13-3.2.1")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mozilla-1.4.3-2.1.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mozilla-chat-1.4.3-2.1.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mozilla-devel-1.4.3-2.1.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mozilla-dom-inspector-1.4.3-2.1.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mozilla-js-debugger-1.4.3-2.1.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mozilla-mail-1.4.3-2.1.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mozilla-nspr-1.4.3-2.1.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mozilla-nspr-devel-1.4.3-2.1.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mozilla-nss-1.4.3-2.1.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mozilla-nss-devel-1.4.3-2.1.2")) flag++; if (rpm_check(release:"RHEL3", reference:"mozilla-1.4.3-3.0.2")) flag++; if (rpm_check(release:"RHEL3", reference:"mozilla-chat-1.4.3-3.0.2")) flag++; if (rpm_check(release:"RHEL3", reference:"mozilla-devel-1.4.3-3.0.2")) flag++; if (rpm_check(release:"RHEL3", reference:"mozilla-dom-inspector-1.4.3-3.0.2")) flag++; if (rpm_check(release:"RHEL3", reference:"mozilla-js-debugger-1.4.3-3.0.2")) flag++; if (rpm_check(release:"RHEL3", reference:"mozilla-mail-1.4.3-3.0.2")) flag++; if (rpm_check(release:"RHEL3", reference:"mozilla-nspr-1.4.3-3.0.2")) flag++; if (rpm_check(release:"RHEL3", reference:"mozilla-nspr-devel-1.4.3-3.0.2")) flag++; if (rpm_check(release:"RHEL3", reference:"mozilla-nss-1.4.3-3.0.2")) flag++; if (rpm_check(release:"RHEL3", reference:"mozilla-nss-devel-1.4.3-3.0.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "galeon / mozilla / mozilla-chat / mozilla-devel / etc"); } }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-212.NASL description Doxygen is a documentation system for C, C++ and IDL. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities : Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to last seen 2020-06-01 modified 2020-06-02 plugin id 24597 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24597 title Mandrake Linux Security Advisory : doxygen (MDKSA-2006:212) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2006:212. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(24597); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:48"); script_cve_id("CVE-2002-1363", "CVE-2004-0421", "CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599", "CVE-2006-3334", "CVE-2006-5793"); script_bugtraq_id(10244, 18698); script_xref(name:"MDKSA", value:"2006:212"); script_name(english:"Mandrake Linux Security Advisory : doxygen (MDKSA-2006:212)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "Doxygen is a documentation system for C, C++ and IDL. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities : Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to 'chunk error processing,' possibly involving the 'chunk_name'. (CVE-2006-3334) It is questionable whether this issue is actually exploitable, but the patch to correct the issue has been included in versions < 1.2.12. Tavis Ormandy, of the Gentoo Linux Security Auditing Team, discovered a typo in png_set_sPLT() that may cause an application using libpng to read out of bounds, resulting in a crash. (CVE-2006-5793) In addition, an patch to address several old vulnerabilities has been applied to this build. (CVE-2002-1363, CVE-2004-0421, CVE-2004-0597, CVE-2004-0598, CVE-2004-0599) Packages have been patched to correct these issues." ); script_set_attribute( attribute:"solution", value:"Update the affected doxygen package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:doxygen"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2006.0", reference:"doxygen-1.4.4-1.1.20060mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2007.0", reference:"doxygen-1.4.7-1.1mdv2007.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2004-223-02.NASL description New imagemagick packages are available for Slackware 9.1, 10.0, and -current to fix security issues with PNG images. last seen 2020-06-01 modified 2020-06-02 plugin id 18749 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18749 title Slackware 10.0 / 9.1 / current : imagemagick (SSA:2004-223-02) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2004-223-02. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(18749); script_version("1.16"); script_cvs_date("Date: 2019/10/25 13:36:20"); script_cve_id("CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599"); script_xref(name:"SSA", value:"2004-223-02"); script_name(english:"Slackware 10.0 / 9.1 / current : imagemagick (SSA:2004-223-02)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New imagemagick packages are available for Slackware 9.1, 10.0, and -current to fix security issues with PNG images." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.353817 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?64c7b9bf" ); script_set_attribute( attribute:"solution", value:"Update the affected imagemagick package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:imagemagick"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1"); script_set_attribute(attribute:"patch_publication_date", value:"2004/08/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"9.1", pkgname:"imagemagick", pkgver:"5.5.7_25", pkgarch:"i486", pkgnum:"1")) flag++; if (slackware_check(osver:"10.0", pkgname:"imagemagick", pkgver:"6.0.4_3", pkgarch:"i486", pkgnum:"1")) flag++; if (slackware_check(osver:"current", pkgname:"imagemagick", pkgver:"6.0.4_3", pkgarch:"i486", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_F9E3E60BE65011D89B0A000347A4FA7D.NASL description Chris Evans has discovered multiple vulnerabilities in libpng, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service). last seen 2020-06-01 modified 2020-06-02 plugin id 36897 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36897 title FreeBSD : libpng stack-based buffer overflow and other code concerns (f9e3e60b-e650-11d8-9b0a-000347a4fa7d) NASL family SuSE Local Security Checks NASL id SUSE_SA_2004_023.NASL description The remote host is missing the patch for the advisory SUSE-SA:2004:023 (libpng). Several different security vulnerabilities were found in the PNG library which is used by applications to support the PNG image format. A remote attacker would be able to execute arbitrary code by triggering a buffer overflow due to the incorrect handling of the length of transparency chunk data and in other pathes of image processing. A special PNG image can be used to cause an application crashing due to NULL pointer dereference in the function png_handle_iCPP() (and other locations). Integer overflows were found in png_handle_sPLT(), png_read_png() functions and other locations. These bugs may at least crash an application. last seen 2020-06-01 modified 2020-06-02 plugin id 14206 published 2004-08-04 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14206 title SUSE-SA:2004:023: libpng NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2004-402.NASL description Updated libpng packages that fix several issues are now available. The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. During a source code audit, Chris Evans discovered several buffer overflows in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0597 to these issues. In addition, this audit discovered a potential NULL pointer dereference in libpng (CVE-2004-0598) and several integer overflow issues (CVE-2004-0599). An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to crash when the file was opened by the victim. Red Hat would like to thank Chris Evans for discovering these issues. For users of Red Hat Enterprise Linux 2.1 these patches also include a more complete fix for the out of bounds memory access flaw (CVE-2002-1363). All users are advised to update to the updated libpng packages which contain backported security patches and are not vulnerable to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14213 published 2004-08-05 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/14213 title RHEL 2.1 / 3 : libpng (RHSA-2004:402) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-213.NASL description Chromium is an OpenGL-based shoot them up game with fine graphics. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities : Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to last seen 2020-06-01 modified 2020-06-02 plugin id 24598 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24598 title Mandrake Linux Security Advisory : chromium (MDKSA-2006:213) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS05-009.NASL description The remote host is running either Windows Media Player 9 or MSN Messenger. There is a vulnerability in the remote version of this software that could allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, one attacker would need to set up a rogue PNG image and send it to a victim on the remote host. last seen 2020-06-01 modified 2020-06-02 plugin id 16328 published 2005-02-08 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/16328 title MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution (890261) NASL family Fedora Local Security Checks NASL id FEDORA_2004-238.NASL description The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. During a source code audit, Chris Evans discovered several buffer overflows in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0597 to these issues. In addition, this audit discovered a potential NULL pointer dereference in libpng (CVE-2004-0598) and several integer overflow issues (CVE-2004-0599). An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to crash when the file was opened by the victim. Red Hat would like to thank Chris Evans for discovering these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14209 published 2004-08-05 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14209 title Fedora Core 2 : libpng10-1.0.15-8 (2004-238) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200408-03.NASL description The remote host is affected by the vulnerability described in GLSA-200408-03 (libpng: Numerous vulnerabilities) libpng contains numerous vulnerabilities including NULL pointer dereference errors and boundary errors in various functions. Impact : An attacker could exploit these vulnerabilities to cause programs linked against the library to crash or execute arbitrary code with the permissions of the user running the vulnerable program, which could be the root user. Workaround : There is no known workaround at this time. All users are encouraged to upgrade to the latest available version. last seen 2020-06-01 modified 2020-06-02 plugin id 14559 published 2004-08-30 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14559 title GLSA-200408-03 : libpng: Numerous vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-082.NASL description A number of security vulnerabilities in mozilla are addressed by this update for Mandrakelinux 10.0 users, including a fix for frame spoofing, a fixed popup XPInstall/security dialog bug, a fix for untrusted chrome calls, a fix for SSL certificate spoofing, a fix for stealing secure HTTP Auth passwords via DNS spoofing, a fix for insecure matching of cert names for non-FQDNs, a fix for focus redefinition from another domain, a fix for a SOAP parameter overflow, a fix for text drag on file entry, a fix for certificate DoS, and a fix for lock icon and cert spoofing. Additionally, mozilla for both Mandrakelinux 9.2 and 10.0 have been rebuilt to use the system libjpeg and libpng which addresses vulnerabilities discovered in libpng (ref: MDKSA-2004:079). last seen 2020-06-01 modified 2020-06-02 plugin id 14331 published 2004-08-22 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14331 title Mandrake Linux Security Advisory : mozilla (MDKSA-2004:082) NASL family Fedora Local Security Checks NASL id FEDORA_2004-237.NASL description The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. During a source code audit, Chris Evans discovered several buffer overflows in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0597 to these issues. In addition, this audit discovered a potential NULL pointer dereference in libpng (CVE-2004-0598) and several integer overflow issues (CVE-2004-0599). An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to crash when the file was opened by the victim. Red Hat would like to thank Chris Evans for discovering these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14208 published 2004-08-05 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14208 title Fedora Core 1 : libpng-1.2.5-7 (2004-237) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD20040809.NASL description The remote host is missing Security Update 2004-08-09. libpng is a library used for manipulating graphics files. Several buffer overflows have been discovered in libpng. A remote attacker could exploit these vulnerabilities by tricking a user into opening a maliciously crafted PNG file, resulting in the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 14242 published 2004-08-10 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14242 title Mac OS X Multiple Vulnerabilities (Security Update 2004-08-09) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2004-222-01.NASL description New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix security issues. These issues could cause program crashes, or possibly allow arbitrary code embedded in a malicious PNG image to execute. The PNG library is widely used within the system, so all sites should upgrade to the new libpng package. last seen 2020-06-01 modified 2020-06-02 plugin id 18781 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18781 title Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : libpng (SSA:2004-222-01) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2004-223-01.NASL description New Mozilla packages are available for Slackware 9.1, 10.0, and -current to fix a number of security issues. Slackware 10.0 and -current were upgraded to Mozilla 1.7.2, and Slackware 9.1 was upgraded to Mozilla 1.4.3. As usual, new versions of Mozilla require new versions of things that link with the Mozilla libraries, so for Slackware 10.0 and -current new versions of epiphany, galeon, gaim, and mozilla-plugins have also been provided. There don last seen 2020-06-01 modified 2020-06-02 plugin id 18794 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/18794 title Slackware 10.0 / 9.1 / current : Mozilla (SSA:2004-223-01) NASL family Fedora Local Security Checks NASL id FEDORA_2004-236.NASL description The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. During a source code audit, Chris Evans discovered several buffer overflows in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0597 to these issues. In addition, this audit discovered a potential NULL pointer dereference in libpng (CVE-2004-0598) and several integer overflow issues (CVE-2004-0599). An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to crash when the file was opened by the victim. Red Hat would like to thank Chris Evans for discovering these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14207 published 2004-08-05 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14207 title Fedora Core 1 : libpng10-1.0.15-7 (2004-236) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200408-22.NASL description The remote host is affected by the vulnerability described in GLSA-200408-22 (Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New releases fix vulnerabilities) Mozilla, Galeon, Epiphany, Mozilla Firefox and Mozilla Thunderbird contain the following vulnerabilities: All Mozilla tools use libpng for graphics. This library contains a buffer overflow which may lead to arbitrary code execution. If a user imports a forged Certificate Authority (CA) certificate, it may overwrite and corrupt the valid CA already installed on the machine. Mozilla, Mozilla Firefox, and other gecko-based browsers also contain a bug in their caching which may allow the SSL icon to remain visible, even when the site in question is an insecure site. Impact : Users of Mozilla, Mozilla Firefox, and other gecko-based browsers are susceptible to SSL certificate spoofing, a Denial of Service against legitimate SSL sites, crashes, and arbitrary code execution. Users of Mozilla Thunderbird are susceptible to crashes and arbitrary code execution via malicious e-mails. Workaround : There is no known workaround for most of these vulnerabilities. All users are advised to upgrade to the latest available version. last seen 2020-06-01 modified 2020-06-02 plugin id 14578 published 2004-08-30 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14578 title GLSA-200408-22 : Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New releases fix vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-536.NASL description Chris Evans discovered several vulnerabilities in libpng : - CAN-2004-0597 Multiple buffer overflows exist, including when handling transparency chunk data, which could be exploited to cause arbitrary code to be executed when a specially crafted PNG image is processed - CAN-2004-0598 Multiple NULL pointer dereferences in png_handle_iCPP() and elsewhere could be exploited to cause an application to crash when a specially crafted PNG image is processed - CAN-2004-0599 Multiple integer overflows in the png_handle_sPLT(), png_read_png() functions and elsewhere could be exploited to cause an application to crash, or potentially arbitrary code to be executed, when a specially crafted PNG image is processed In addition, a bug related to CAN-2002-1363 was fixed : - CAN-2004-0768 A buffer overflow could be caused by incorrect calculation of buffer offsets, possibly leading to the execution of arbitrary code last seen 2020-06-01 modified 2020-06-02 plugin id 15373 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15373 title Debian DSA-536-1 : libpng - several vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-079.NASL description Chris Evans discovered numerous vulnerabilities in the libpng graphics library, including a remotely exploitable stack-based buffer overrun in the png_handle_tRNS function, dangerous code in png_handle_sBIT, a possible NULL pointer crash in png_handle_iCCP (which is also duplicated in multiple other locations), a theoretical integer overflow in png_read_png, and integer overflows during progressive reading. All users are encouraged to upgrade immediately. last seen 2020-06-01 modified 2020-06-02 plugin id 14328 published 2004-08-22 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14328 title Mandrake Linux Security Advisory : libpng (MDKSA-2004:079)
Oval
accepted 2013-04-29T04:12:54.766-04:00 class vulnerability contributors name Aharon Chernin organization SCAP.com, LLC name Dragos Prisaca organization G2, Inc.
definition_extensions comment The operating system installed on the system is Red Hat Enterprise Linux 3 oval oval:org.mitre.oval:def:11782 comment CentOS Linux 3.x oval oval:org.mitre.oval:def:16651
description Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. family unix id oval:org.mitre.oval:def:11284 status accepted submitted 2010-07-09T03:56:16-04:00 title Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. version 28 accepted 2007-05-07T11:15:43.648-04:00 class vulnerability contributors name Christine Walzer organization The MITRE Corporation name Matthew Wojcik organization The MITRE Corporation name John Hoyland organization Centennial Software name Jason Spashett organization Centennial Software name John Hoyland organization Centennial Software name Dragos Prisaca organization Secure Elements, Inc. name Josh Turpin organization Symantec Corporation name Maria Mikhno organization ALTX-SOFT
description Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. family windows id oval:org.mitre.oval:def:2274 status deprecated submitted 2005-03-29T12:00:00.000-04:00 title Windows Messenger 5 libpng Buffer Overflow version 12 accepted 2005-03-09T07:56:00.000-04:00 class vulnerability contributors name Brian Soby organization The MITRE Corporation description Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. family unix id oval:org.mitre.oval:def:2378 status accepted submitted 2004-12-12T12:00:00.000-04:00 title Multiple Buffer Overflows in libpng version 34 accepted 2005-06-22T12:38:00.000-04:00 class vulnerability contributors name Matthew Wojcik organization The MITRE Corporation name Maria Mikhno organization ALTX-SOFT
description Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. family windows id oval:org.mitre.oval:def:4492 status deprecated submitted 2005-04-26T12:00:00.000-04:00 title Adobe Acrobat Reader libpng Buffer Overflow version 3 accepted 2007-05-09T16:11:07.574-04:00 class vulnerability contributors name Christine Walzer organization The MITRE Corporation name Robert L. Hollis organization ThreatGuard, Inc. name Robert L. Hollis organization ThreatGuard, Inc. name Jonathan Baker organization The MITRE Corporation name Jonathan Baker organization The MITRE Corporation name Jonathan Baker organization The MITRE Corporation name Maria Kedovskaya organization ALTX-SOFT
description Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. family windows id oval:org.mitre.oval:def:594 status deprecated submitted 2005-03-29T12:00:00.000-04:00 title Windows Messenger 6 libpng Buffer Overflow version 9 accepted 2015-05-04T04:00:21.836-04:00 class vulnerability contributors name Josh Turpin organization Symantec Corporation name Josh Turpin organization Symantec Corporation name Maria Mikhno organization ALTX-SOFT name Maria Mikhno organization ALTX-SOFT name Maria Mikhno organization ALTX-SOFT
definition_extensions comment Microsoft Windows 2000 SP4 or later is installed oval oval:org.mitre.oval:def:229 comment Microsoft Windows Server 2003 (x86) Gold is installed oval oval:org.mitre.oval:def:165 comment Microsoft Windows Server 2003 SP1 (x86) is installed oval oval:org.mitre.oval:def:565 comment Microsoft Windows XP Professional x64 Edition SP1 is installed oval oval:org.mitre.oval:def:720 comment Microsoft Windows XP SP1 (32-bit) is installed oval oval:org.mitre.oval:def:1 comment Microsoft Windows XP (x86) SP2 is installed oval oval:org.mitre.oval:def:754 comment Microsoft Windows XP SP1 (32-bit) is installed oval oval:org.mitre.oval:def:1 comment MSN Messenger 4.7 is installed oval oval:org.mitre.oval:def:6101 comment Microsoft Windows XP (x86) SP2 is installed oval oval:org.mitre.oval:def:754 comment MSN Messenger 4.7 is installed oval oval:org.mitre.oval:def:6101 comment MSN Messenger 6.1 is installed oval oval:org.mitre.oval:def:8701 comment MSN Messenger 6.2 is installed oval oval:org.mitre.oval:def:2187
description Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. family windows id oval:org.mitre.oval:def:7709 status accepted submitted 2010-01-15T14:00:00 title libpng buffer overflow version 30
Redhat
| advisories |
| ||||||||||||
| rpms |
|
References
- ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000856
- http://lists.apple.com/mhonarc/security-announce/msg00056.html
- http://marc.info/?l=bugtraq&m=109163866717909&w=2
- http://marc.info/?l=bugtraq&m=109181639602978&w=2
- http://marc.info/?l=bugtraq&m=109761239318458&w=2
- http://marc.info/?l=bugtraq&m=109900315219363&w=2
- http://marc.info/?l=bugtraq&m=110796779903455&w=2
- http://scary.beasts.org/security/CESA-2004-001.txt
- http://secunia.com/advisories/22957
- http://secunia.com/advisories/22958
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-200663-1
- http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114816-02-1
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=2679
- http://www.coresecurity.com/common/showdoc.php?idx=421&idxseccion=10
- http://www.debian.org/security/2004/dsa-536
- http://www.gentoo.org/security/en/glsa/glsa-200408-03.xml
- http://www.gentoo.org/security/en/glsa/glsa-200408-22.xml
- http://www.kb.cert.org/vuls/id/388984
- http://www.kb.cert.org/vuls/id/817368
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:079
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:212
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:213
- http://www.mozilla.org/projects/security/known-vulnerabilities.html
- http://www.novell.com/linux/security/advisories/2004_23_libpng.html
- http://www.redhat.com/support/errata/RHSA-2004-402.html
- http://www.redhat.com/support/errata/RHSA-2004-421.html
- http://www.redhat.com/support/errata/RHSA-2004-429.html
- http://www.securityfocus.com/bid/10857
- http://www.securityfocus.com/bid/15495
- http://www.trustix.net/errata/2004/0040/
- http://www.us-cert.gov/cas/techalerts/TA04-217A.html
- http://www.us-cert.gov/cas/techalerts/TA05-039A.html
- https://bugzilla.fedora.us/show_bug.cgi?id=1943
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-009
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16894
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11284
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2274
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2378
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4492
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A594
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7709