Vulnerabilities > CVE-2004-0768 - Unspecified vulnerability in Greg Roelofs Libpng3

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

libpng 1.2.5 and earlier does not properly calculate certain buffer offsets, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200812-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200812-15 (POV-Ray: User-assisted execution of arbitrary code) POV-Ray uses a statically linked copy of libpng to view and output PNG files. The version shipped with POV-Ray is vulnerable to CVE-2008-3964, CVE-2008-1382, CVE-2006-3334, CVE-2006-0481, CVE-2004-0768. A bug in POV-Ray
    last seen2020-06-01
    modified2020-06-02
    plugin id35107
    published2008-12-15
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35107
    titleGLSA-200812-15 : POV-Ray: User-assisted execution of arbitrary code
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200812-15.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(35107);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:45");
    
      script_cve_id("CVE-2004-0768", "CVE-2006-0481", "CVE-2006-3334", "CVE-2008-1382", "CVE-2008-3964");
      script_bugtraq_id(18698, 28770);
      script_xref(name:"GLSA", value:"200812-15");
    
      script_name(english:"GLSA-200812-15 : POV-Ray: User-assisted execution of arbitrary code");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200812-15
    (POV-Ray: User-assisted execution of arbitrary code)
    
        POV-Ray uses a statically linked copy of libpng to view and output PNG
        files. The version shipped with POV-Ray is vulnerable to CVE-2008-3964,
        CVE-2008-1382, CVE-2006-3334, CVE-2006-0481, CVE-2004-0768. A bug in
        POV-Ray's build system caused it to load the old version when your
        installed copy of libpng was >=media-libs/libpng-1.2.10.
      
    Impact :
    
        An attacker could entice a user to load a specially crafted PNG file as
        a texture, resulting in the execution of arbitrary code with the
        permissions of the user running the application.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200812-15"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All POV-Ray users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=media-gfx/povray-3.6.1-r4'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:povray");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/15");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"media-gfx/povray", unaffected:make_list("ge 3.6.1-r4"), vulnerable:make_list("lt 3.6.1-r4"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "POV-Ray");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-536.NASL
    descriptionChris Evans discovered several vulnerabilities in libpng : - CAN-2004-0597 Multiple buffer overflows exist, including when handling transparency chunk data, which could be exploited to cause arbitrary code to be executed when a specially crafted PNG image is processed - CAN-2004-0598 Multiple NULL pointer dereferences in png_handle_iCPP() and elsewhere could be exploited to cause an application to crash when a specially crafted PNG image is processed - CAN-2004-0599 Multiple integer overflows in the png_handle_sPLT(), png_read_png() functions and elsewhere could be exploited to cause an application to crash, or potentially arbitrary code to be executed, when a specially crafted PNG image is processed In addition, a bug related to CAN-2002-1363 was fixed : - CAN-2004-0768 A buffer overflow could be caused by incorrect calculation of buffer offsets, possibly leading to the execution of arbitrary code
    last seen2020-06-01
    modified2020-06-02
    plugin id15373
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15373
    titleDebian DSA-536-1 : libpng - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-536. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15373);
      script_version("1.24");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599", "CVE-2004-0768");
      script_xref(name:"CERT", value:"160448");
      script_xref(name:"CERT", value:"236656");
      script_xref(name:"CERT", value:"286464");
      script_xref(name:"CERT", value:"388984");
      script_xref(name:"CERT", value:"477512");
      script_xref(name:"CERT", value:"817368");
      script_xref(name:"DSA", value:"536");
    
      script_name(english:"Debian DSA-536-1 : libpng - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Chris Evans discovered several vulnerabilities in libpng :
    
      - CAN-2004-0597
        Multiple buffer overflows exist, including when handling
        transparency chunk data, which could be exploited to
        cause arbitrary code to be executed when a specially
        crafted PNG image is processed
    
      - CAN-2004-0598
    
        Multiple NULL pointer dereferences in png_handle_iCPP()
        and elsewhere could be exploited to cause an application
        to crash when a specially crafted PNG image is processed
    
      - CAN-2004-0599
    
        Multiple integer overflows in the png_handle_sPLT(),
        png_read_png() functions and elsewhere could be
        exploited to cause an application to crash, or
        potentially arbitrary code to be executed, when a
        specially crafted PNG image is processed
    
      In addition, a bug related to CAN-2002-1363 was fixed :
    
      - CAN-2004-0768
    
        A buffer overflow could be caused by incorrect
        calculation of buffer offsets, possibly leading to the
        execution of arbitrary code"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2004/dsa-536"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the current stable distribution (woody), these problems have been
    fixed in libpng3 version 1.2.1-1.1.woody.7 and libpng version
    1.0.12-3.woody.7.
    
    We recommend that you update your libpng and libpng3 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpng");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/08/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"libpng-dev", reference:"1.2.1-1.1.woody.7")) flag++;
    if (deb_check(release:"3.0", prefix:"libpng2", reference:"1.0.12-3.woody.7")) flag++;
    if (deb_check(release:"3.0", prefix:"libpng2-dev", reference:"1.0.12-3.woody.7")) flag++;
    if (deb_check(release:"3.0", prefix:"libpng3", reference:"1.2.1-1.1.woody.7")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");