Vulnerabilities > CVE-2008-1382 - Numeric Errors vulnerability in Libpng

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
libpng
CWE-189
nessus

Summary

libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20090304_LIBPNG_ON_SL3_X.NASL
    descriptionA flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0040) A flaw was discovered in the way libpng handled PNG images containing
    last seen2020-06-01
    modified2020-06-02
    plugin id60539
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60539
    titleScientific Linux Security Update : libpng on SL3.x, SL4.x, SL5.x i386/x86_64
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    # Registration phase: when the engine sets `description`, the script only
    # declares its metadata (IDs, text, CVSS, dependencies) and exits at the
    # end of this block, before any host check below is reached.
    if (description)
    {
      script_id(60539);
      script_version("1.5");
      script_cvs_date("Date: 2019/10/25 13:36:18");
    
      # One plugin covers both libpng CVEs fixed by the same errata.
      script_cve_id("CVE-2008-1382", "CVE-2009-0040");
    
      script_name(english:"Scientific Linux Security Update : libpng on SL3.x, SL4.x, SL5.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      # Vendor advisory text. Note the last paragraph: installing the package is
      # not sufficient on its own, processes that already loaded libpng keep the
      # old code until they are restarted.
      script_set_attribute(
        attribute:"description", 
        value:
    "A flaw was discovered in libpng that could result in libpng trying to
    free() random memory if certain, unlikely error conditions occurred.
    If a carefully-crafted PNG file was loaded by an application linked
    against libpng, it could cause the application to crash or,
    potentially, execute arbitrary code with the privileges of the user
    running the application. (CVE-2009-0040)
    
    A flaw was discovered in the way libpng handled PNG images containing
    'unknown' chunks. If an application linked against libpng attempted to
    process a malformed, unknown chunk in a malicious PNG image, it could
    cause the application to crash. (CVE-2008-1382)
    
    All running applications using libpng or libpng10 must be restarted
    for the update to take effect."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0903&L=scientific-linux-errata&T=0&P=192
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a5ad1923"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # A single CVSS v2 base vector is registered for the whole plugin, so both
      # CVEs are reported with the same network / low-complexity /
      # no-authentication / partial C-I-A rating.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      # NOTE(review): the two CWE ids are not tied to individual CVEs here;
      # presumably 189 (numeric errors) belongs to CVE-2008-1382 - confirm.
      script_cwe_id(94, 189);
    
      # "local" plugin: the result comes from host data already stored in the
      # knowledge base (see the required keys below), not from probing a service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      # The errata date (2009) precedes the plugin date (2012) by several years.
      script_set_attribute(attribute:"patch_publication_date", value:"2009/03/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      # The check depends on ssh_get_info.nasl and on these four knowledge-base
      # keys; presumably the dependency is what populates them - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Preconditions. Each failed gate hands a reason code to audit(), which is
    # defined in audit.inc (not shown here; presumably it reports and exits).

    # Gate 1: local (credentialed) checks must have been enabled for this host.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }

    # Gate 2: the stored release string must contain "Scientific Linux ".
    # `a >!< b` is true when a is NOT a substring of b.
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release)
    {
      audit(AUDIT_HOST_NOT, "running Scientific Linux");
    }

    # Gate 3: an rpm package list must be available to compare against.
    if (!get_kb_item("Host/RedHat/rpm-list"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }

    # Gate 4: the architecture must be known and be x86_64 or i386..i686.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
    {
      audit(AUDIT_UNKNOWN_ARCH);
    }
    # NOTE(review): the first test asks whether cpu is a substring of "x86_64",
    # not the reverse, so any fragment of that literal is accepted as well.
    if (!(cpu >< "x86_64" || cpu =~ "^i[3-6]86$"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    }
    
    
    # Count how many installed packages fail the comparison against the fixed
    # builds named in the errata. Every rpm_check() call is made unconditionally
    # (no short-circuiting) because rpm_report_get() below is used to report on
    # them; rpm_check() lives in rpm.inc, presumably returning true when the
    # installed package is older than `reference` - confirm.
    #
    # Scope caveats for whoever reads the result:
    #  - only packaged libpng / libpng10 rpms are compared; an application that
    #    ships or statically links its own libpng is not covered by this check;
    #  - a clean result says the fixed package is installed, not that running
    #    processes were restarted, which the plugin description requires.
    flag = 0;

    # Scientific Linux 3
    if (rpm_check(release:"SL3", reference:"libpng-1.2.2-29")) flag += 1;
    if (rpm_check(release:"SL3", reference:"libpng-devel-1.2.2-29")) flag += 1;
    if (rpm_check(release:"SL3", reference:"libpng10-1.0.13-20")) flag += 1;
    if (rpm_check(release:"SL3", reference:"libpng10-devel-1.0.13-20")) flag += 1;

    # Scientific Linux 4
    if (rpm_check(release:"SL4", reference:"libpng-1.2.7-3.el4_7.2")) flag += 1;
    if (rpm_check(release:"SL4", reference:"libpng-devel-1.2.7-3.el4_7.2")) flag += 1;
    if (rpm_check(release:"SL4", reference:"libpng10-1.0.16-3.el4_7.3")) flag += 1;
    if (rpm_check(release:"SL4", reference:"libpng10-devel-1.0.16-3.el4_7.3")) flag += 1;

    # Scientific Linux 5 (only libpng and libpng-devel are listed for SL5)
    if (rpm_check(release:"SL5", reference:"libpng-1.2.10-7.1.el5_3.2")) flag += 1;
    if (rpm_check(release:"SL5", reference:"libpng-devel-1.2.10-7.1.el5_3.2")) flag += 1;


    if (!flag)
    {
      # Nothing failed the comparison: record the host as not affected.
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      # At least one package failed: raise a finding on port 0, attaching the
      # per-package report only when the scan's verbosity setting asks for it.
      if (report_verbosity > 0)
      {
        security_hole(port:0, extra:rpm_report_get());
      }
      else
      {
        security_hole(0);
      }
      exit(0);
    }
    
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_137080-09.NASL
    descriptionSunOS 5.10: libpng Patch. Date this patch was last updated by Sun : Jun/15/17
    last seen2020-06-01
    modified2020-06-02
    plugin id107484
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107484
    titleSolaris 10 (sparc) : 137080-09
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text in this plugin was
    # extracted from the Oracle SunOS Patch Updates.
    #
    include("compat.inc");
    
    # Registration phase: when the engine sets `description`, the script only
    # declares its metadata and exits at the end of this block, before the
    # patch checks below are reached.
    if (description)
    {
      script_id(107484);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/08");
    
      # Eight libpng CVEs are attached to this single patch revision.
      script_cve_id("CVE-2007-2445", "CVE-2007-5266", "CVE-2007-5267", "CVE-2007-5268", "CVE-2007-5269", "CVE-2008-1382", "CVE-2008-3964", "CVE-2009-0040");
    
      script_name(english:"Solaris 10 (sparc) : 137080-09");
      script_summary(english:"Check for patch 137080-09");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote host is missing Sun Security Patch number 137080-09"
      );
      # The description carries only the patch title and date; the CVE list
      # above is the only statement of what the patch addresses.
      script_set_attribute(
        attribute:"description", 
        value:
    "SunOS 5.10: libpng Patch.
    Date this patch was last updated by Sun : Jun/15/17"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://getupdates.oracle.com/readme/137080-09"
      );
      script_set_attribute(attribute:"solution", value:"Install patch 137080-09 or higher");
      # One CVSS v2 vector is registered for all eight CVEs; the next attribute
      # records that it was taken from CVE-2008-1382.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2008-1382");
      script_cwe_id(20, 94, 189, 399);
    
      # "local" plugin: the verdict is derived from host data already stored in
      # the knowledge base (see the required keys below).
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:10:137080");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris:10");
    
      # Earliest vulnerability date (2007) versus this patch revision (2017):
      # the three dates describe different events and should not be conflated.
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Solaris Local Security Checks");
    
      # Depends on ssh_get_info.nasl and on these two knowledge-base keys;
      # presumably the dependency is what stores the showrev output - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("solaris.inc");
    
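    # Preconditions: the host must be Solaris 10 (SunOS 5.10) on sparc with
    # local checks enabled. Each failed gate hands a reason code to audit(),
    # defined in audit.inc (not shown here; presumably it reports and exits).
    showrev = get_kb_item("Host/Solaris/showrev");
    if (empty_or_null(showrev)) audit(AUDIT_OS_NOT, "Solaris");

    # Capture group 1 is the full release ("5.10"), group 2 the minor part
    # ("10"). The dot is escaped so that only a literal "major.minor" string
    # matches; the original pattern used a bare `.`, which accepts any
    # character in that position and could yield a misleading OS level in the
    # audit message below.
    os_ver = pregmatch(pattern:"Release: (\d+\.(\d+))", string:showrev);
    if (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Solaris");
    full_ver = os_ver[1];
    os_level = os_ver[2];
    if (full_ver != "5.10") audit(AUDIT_OS_NOT, "Solaris 10", "Solaris " + os_level);

    # This plugin is the sparc variant of the patch; other architectures are
    # audited out rather than evaluated.
    package_arch = pregmatch(pattern:"Application architecture: (\w+)", string:showrev);
    if (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);
    package_arch = package_arch[1];
    if (package_arch != "sparc") audit(AUDIT_ARCH_NOT, "sparc", package_arch);
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);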
    
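    # Start the finding counter at zero explicitly. The original incremented
    # `flag` without ever assigning it, relying on the interpreter's handling
    # of an unset variable; the verdict of a security check should not depend
    # on that.
    flag = 0;

    # One call per package delivered by patch 137080-09. solaris_check_patch()
    # is defined in solaris.inc (not shown); presumably a negative return means
    # the package is installed without the patch - confirm. All three calls are
    # always made so the report helpers below can cover each package.
    if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"137080-09", obsoleted_by:"", package:"SUNWpng-devel", version:"20.2.6.0,REV=10.0.3.2004.12.15.14.11") < 0) flag++;
    if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"137080-09", obsoleted_by:"", package:"SUNWpng", version:"20.2.6.0,REV=10.0.3.2004.12.15.14.11") < 0) flag++;
    if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"137080-09", obsoleted_by:"", package:"SUNWpngS", version:"20.2.6.0,REV=10.0.3.2004.12.15.14.11") < 0) flag++;

    if (flag) {
      # At least one package lacks the patch: raise a finding on port 0 with
      # the per-package report attached.
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : solaris_get_report()
      );
    } else {
      # No finding. Record why, in order of preference: the patch (or a later
      # fix) is installed, the packages were tested and are not affected, or
      # none of the packages is installed at all. Only the SUNWpng* packages
      # are examined; a libpng copy shipped inside another product is outside
      # the scope of this check.
      patch_fix = solaris_patch_fix_get();
      if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, "Solaris 10");
      tested = solaris_pkg_tests_get();
      if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "SUNWpng / SUNWpng-devel / SUNWpngS");
    }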
    
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2009-0007.NASL
    descriptiona. VMware Descheduled Time Accounting driver vulnerability may cause a denial of service in Windows based virtual machines. The VMware Descheduled Time Accounting Service is an optional, experimental service that provides improved guest operating system accounting. This patch fixes a denial of service vulnerability that could be triggered in a virtual machine by an unprivileged, locally logged-on user in the virtual machine. Virtual machines are affected under the following conditions : - The virtual machine is running a Windows operating system. - The VMware Descheduled Time Accounting driver is installed in the virtual machine. Note that this is an optional (non- default) part of the VMware Tools installation. - The VMware Descheduled Time Accounting Service is not running in the virtual machine The VMware Descheduled Time Accounting Service is no longer provided in newer versions of VMware Tools, starting with the versions released in Fusion 2.0.2 and ESX 4.0. However, virtual machines migrated from vulnerable releases will still be vulnerable if the three conditions listed above are met, until their tools are upgraded. Steps needed to remediate this vulnerability : Guest systems on VMware Workstation, Player, ACE, Server, Fusion - Install the new version of Workstation, Player, ACE, Server, Fusion (see below for version information) - Upgrade tools in the virtual machine (virtual machine users will be prompted to upgrade). Guest systems on ESX 3.5, ESXi 3.5, ESX 3.0.2, ESX 3.0.3 - Install the relevant patches (see below for patch identifiers) - Manually upgrade tools in the virtual machine (virtual machine users will not be prompted to upgrade). Note the VI Client will not show the VMware tools is out of date in the summary tab. Please see http://tinyurl.com/27mpjo page 80 for details. 
Guests systems on ESX 4.0 and ESXi 4.0 that have been migrated from ESX 3.5, ESXi 3.5, and ESX 3.0.x - Install/upgrade the new tools in the virtual machine (virtual machine users will be prompted to upgrade). If the Descheduled Time Accounting driver was installed, the tools upgrade will result in an updated driver for Workstation, Player, ACE, Server, ESX 3.0.2, ESX 3.0.3, ESX 3.5, ESXi 3.5. For Fusion, ESX 4.0, and ESXi 4.0 the tools upgrade will result in the removal of the driver. VMware would like to thank Nikita Tarakanov for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-1805 to this issue. b. Updated libpng package for the ESX 2.5.5 Service Console The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. A flaw was discovered in the way libpng handled PNG images containing
    last seen2020-06-01
    modified2020-06-02
    plugin id40392
    published2009-07-27
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40392
    titleVMSA-2009-0007 : VMware Hosted products and ESX and ESXi patches resolve security issues
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200812-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200812-15 (POV-Ray: User-assisted execution of arbitrary code) POV-Ray uses a statically linked copy of libpng to view and output PNG files. The version shipped with POV-Ray is vulnerable to CVE-2008-3964, CVE-2008-1382, CVE-2006-3334, CVE-2006-0481, CVE-2004-0768. A bug in POV-Ray
    last seen2020-06-01
    modified2020-06-02
    plugin id35107
    published2008-12-15
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35107
    titleGLSA-200812-15 : POV-Ray: User-assisted execution of arbitrary code
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200804-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200804-15 (libpng: Execution of arbitrary code) Tavis Ormandy of the Google Security Team discovered that libpng does not handle zero-length unknown chunks in PNG files correctly, which might lead to memory corruption in applications that call png_set_read_user_chunk_fn() or png_set_keep_unknown_chunks(). Impact : A remote attacker could entice a user or automated system to process a specially crafted PNG image in an application using libpng and possibly execute arbitrary code with the privileges of the user running the application. Note that processing of unknown chunks is disabled by default in most PNG applications, but some such as ImageMagick are affected. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id31962
    published2008-04-17
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31962
    titleGLSA-200804-15 : libpng: Execution of arbitrary code
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_137081.NASL
    descriptionSunOS 5.10_x86: libpng Patch. Date this patch was last updated by Sun : Sep/11/17 This plugin has been deprecated and either replaced with individual 137081 patch-revision plugins, or deemed non-security related.
    last seen2019-02-21
    modified2018-07-30
    plugin id31337
    published2008-03-04
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=31337
    titleSolaris 10 (x86) : 137081-11 (deprecated)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2009-0333.NASL
    descriptionFrom Red Hat Security Advisory 2009:0333 : Updated libpng and libpng10 packages that fix a couple of security issues are now available for Red Hat Enterprise Linux 2.1, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0040) A flaw was discovered in the way libpng handled PNG images containing
    last seen2020-06-01
    modified2020-06-02
    plugin id67815
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67815
    titleOracle Linux 4 / 5 : libpng (ELSA-2009-0333)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3683.NASL
    descriptionThis update fixes the way that libpng10 handles unknown zero-length chunks, which in previous versions could result in writing to attacker controlled addresses, depending on how the libpng api is used. To be affected, an application would have to call png_set_keep_unknown_chunks(), which tells libpng not to ignore unknown chunks, but to do something with them. The PNG spec allows for
    last seen2020-06-01
    modified2020-06-02
    plugin id32458
    published2008-05-29
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32458
    titleFedora 9 : libpng10-1.0.37-1.fc9 (2008-3683)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200805-10.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200805-10 (Pngcrush: User-assisted execution of arbitrary code) It has been reported that Pngcrush includes a copy of libpng that is vulnerable to a memory corruption (GLSA 200804-15). Impact : A remote attacker could entice a user to process a specially crafted PNG image, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id32301
    published2008-05-13
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32301
    titleGLSA-200805-10 : Pngcrush: User-assisted execution of arbitrary code
  • NASL familySuSE Local Security Checks
    NASL idSUSE_LIBPNG-5180.NASL
    descriptionSpecially crafted png files could overwrite arbitrary memory. Attackers could potentially exploit that to execute arbitrary code (CVE-2008-1382).
    last seen2020-06-01
    modified2020-06-02
    plugin id32024
    published2008-04-22
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32024
    titleopenSUSE 10 Security Update : libpng (libpng-5180)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_137081-09.NASL
    descriptionSunOS 5.10_x86: libpng Patch. Date this patch was last updated by Sun : Jun/15/17
    last seen2020-06-01
    modified2020-06-02
    plugin id107982
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107982
    titleSolaris 10 (x86) : 137081-09
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-4847.NASL
    descriptionUpdate to new upstream version 1.2.29. Among other bug fixes, this introduces a minor security fix in the handling of unknown chunks - CVE-2008-1382: http://libpng.sourceforge.net/Advisory-1.2.26.txt http://www.ocert.org/advisories/ocert-2008-003.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33079
    published2008-06-04
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33079
    titleFedora 8 : libpng-1.2.29-1.fc8 (2008-4847)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_57C705D612AE11DDBAB70016179B2DD5.NASL
    descriptionSecunia reports : Tavis Ormandy has reported a vulnerability in libpng, which can be exploited by malicious people to cause a Denial of Service, disclose potentially sensitive information, or potentially compromise an application using the library. The vulnerability is caused due to the improper handling of PNG chunks unknown to the library. This can be exploited to trigger the use of uninitialized memory in e.g. a free() call via unknown PNG chunks having a length of zero. Successful exploitation may allow execution of arbitrary code, but requires that the application calls the png_set_read_user_chunk_fn() function or the png_set_keep_unknown_chunks() function under specific conditions.
    last seen2020-06-01
    modified2020-06-02
    plugin id32110
    published2008-05-01
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32110
    titleFreeBSD : png -- unknown chunk processing uninitialized memory access (57c705d6-12ae-11dd-bab7-0016179b2dd5)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_137080-07.NASL
    descriptionSunOS 5.10: libpng Patch. Date this patch was last updated by Sun : Jul/18/12
    last seen2020-06-01
    modified2020-06-02
    plugin id107483
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107483
    titleSolaris 10 (sparc) : 137080-07
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3937.NASL
    descriptionThis update fixes the way that libpng10 handles unknown zero-length chunks, which in previous versions could result in writing to attacker controlled addresses, depending on how the libpng api is used. To be affected, an application would have to call png_set_keep_unknown_chunks(), which tells libpng not to ignore unknown chunks, but to do something with them. The PNG spec allows for
    last seen2020-06-01
    modified2020-06-02
    plugin id32459
    published2008-05-29
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32459
    titleFedora 8 : libpng10-1.0.37-1.fc8 (2008-3937)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_137080.NASL
    descriptionSunOS 5.10: libpng Patch. Date this patch was last updated by Sun : Sep/11/17 This plugin has been deprecated and either replaced with individual 137080 patch-revision plugins, or deemed non-security related.
    last seen2019-02-21
    modified2018-07-30
    plugin id31333
    published2008-03-04
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=31333
    titleSolaris 10 (sparc) : 137080-11 (deprecated)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_137080-10.NASL
    descriptionSunOS 5.10: libpng Patch. Date this patch was last updated by Sun : Jul/17/17
    last seen2020-06-01
    modified2020-06-02
    plugin id107485
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107485
    titleSolaris 10 (sparc) : 137080-10
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-4947.NASL
    descriptionUpdate to new upstream version 1.2.29. Among other bug fixes, this introduces a minor security fix in the handling of unknown chunks - CVE-2008-1382: http://libpng.sourceforge.net/Advisory-1.2.26.txt http://www.ocert.org/advisories/ocert-2008-003.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33082
    published2008-06-04
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33082
    titleFedora 7 : libpng-1.2.29-1.fc7 (2008-4947)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-156.NASL
    descriptionTavis Ormandy of the Google Security Team discovered a flaw in how libpng handles zero-length unknown chunks in PNG files, which could lead to memory corruption in applications that make use of certain functions (CVE-2008-1382). The updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id38060
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/38060
    titleMandriva Linux Security Advisory : libpng (MDVSA-2008:156)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_LIBPNG-5181.NASL
    descriptionSpecially crafted png files could overwrite arbitrary memory. Attackers could potentially exploit that to execute arbitrary code. (CVE-2008-1382)
    last seen2020-06-01
    modified2020-06-02
    plugin id32052
    published2008-04-25
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32052
    titleSuSE 10 Security Update : libpng (ZYPP Patch Number 5181)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201412-08.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201412-08 (Multiple packages, Multiple vulnerabilities fixed in 2010) Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details. Insight Perl Tk Module Source-Navigator Tk Partimage Mlmmj acl Xinit gzip ncompress liblzw splashutils GNU M4 KDE Display Manager GTK+ KGet dvipng Beanstalk Policy Mount pam_krb5 GNU gv LFTP Uzbl Slim Bitdefender Console iputils DVBStreamer Impact : A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions. Workaround : There are no known workarounds at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id79961
    published2014-12-15
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79961
    titleGLSA-201412-08 : Multiple packages, Multiple vulnerabilities fixed in 2010
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-4910.NASL
    descriptionUpdate to new upstream version 1.2.29. Among other bug fixes, this introduces a minor security fix in the handling of unknown chunks - CVE-2008-1382: http://libpng.sourceforge.net/Advisory-1.2.26.txt http://www.ocert.org/advisories/ocert-2008-003.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33081
    published2008-06-04
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33081
    titleFedora 9 : libpng-1.2.29-1.fc9 (2008-4910)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2008-119-01.NASL
    descriptionNew libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id32083
    published2008-05-01
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32083
    titleSlackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 8.1 / 9.0 / 9.1 / current : libpng (SSA:2008-119-01)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_LIBPNG-DEVEL-080625.NASL
    descriptionSpecially crafted png files could overwrite arbitrary memory. Attackers could potentially exploit that to execute arbitrary code (CVE-2008-1382).
    last seen2020-06-01
    modified2020-06-02
    plugin id40036
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40036
    titleopenSUSE Security Update : libpng-devel (libpng-devel-66)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3979.NASL
    descriptionThis update fixes the way that libpng10 handles unknown zero-length chunks, which in previous versions could result in writing to attacker controlled addresses, depending on how the libpng api is used. To be affected, an application would have to call png_set_keep_unknown_chunks(), which tells libpng not to ignore unknown chunks, but to do something with them. The PNG spec allows for
    last seen2020-06-01
    modified2020-06-02
    plugin id32460
    published2008-05-29
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32460
    titleFedora 7 : libpng10-1.0.37-1.fc7 (2008-3979)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2008-006.NASL
    descriptionThe remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-006 applied. This update contains security fixes for a number of programs.
    last seen2020-06-01
    modified2020-06-02
    plugin id34210
    published2008-09-16
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34210
    titleMac OS X Multiple Vulnerabilities (Security Update 2008-006)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_137081-07.NASL
    descriptionSunOS 5.10_x86: libpng Patch. Date this patch was last updated by Sun : Jul/18/12
    last seen2020-06-01
    modified2020-06-02
    plugin id107981
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107981
    titleSolaris 10 (x86) : 137081-07
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_5_7.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products : - Apache - ATS - BIND - CFNetwork - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - iChat - International Components for Unicode - IPSec - Kerberos - Kernel - Launch Services - libxml - Net-SNMP - Network Time - Networking - OpenSSL - PHP - QuickDraw Manager - ruby - Safari - Spotlight - system_cmds - telnet - Terminal - WebKit - X11
    last seen2020-06-01
    modified2020-06-02
    plugin id38744
    published2009-05-13
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/38744
    titleMac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_137081-10.NASL
    descriptionSunOS 5.10_x86: libpng Patch. Date this patch was last updated by Sun : Jul/17/17
    last seen2020-06-01
    modified2020-06-02
    plugin id107983
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107983
    titleSolaris 10 (x86) : 137081-10
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1750.NASL
    descriptionSeveral vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-2445 The png_handle_tRNS function allows attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value. - CVE-2007-5269 Certain chunk handlers allow attackers to cause a denial of service (crash) via crafted pCAL, sCAL, tEXt, iTXt, and zTXt chunking in PNG images, which trigger out-of-bounds read operations. - CVE-2008-1382 libpng allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length
    last seen2020-06-01
    modified2020-06-02
    plugin id35988
    published2009-03-23
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/35988
    titleDebian DSA-1750-1 : libpng - several vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-730-1.NASL
    descriptionIt was discovered that libpng did not properly perform bounds checking in certain operations. An attacker could send a specially crafted PNG image and cause a denial of service in applications linked against libpng. This issue only affected Ubuntu 8.04 LTS. (CVE-2007-5268, CVE-2007-5269) Tavis Ormandy discovered that libpng did not properly initialize memory. If a user or automated system were tricked into opening a crafted PNG image, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. This issue did not affect Ubuntu 8.10. (CVE-2008-1382) Harald van Dijk discovered an off-by-one error in libpng. An attacker could cause an application crash in programs using pngtest. (CVE-2008-3964) It was discovered that libpng did not properly NULL terminate a keyword string. An attacker could exploit this to set arbitrary memory locations to zero. (CVE-2008-5907) Glenn Randers-Pehrson discovered that libpng did not properly initialize pointers. If a user or automated system were tricked into opening a crafted PNG file, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0040). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id37042
    published2009-04-23
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/37042
    titleUbuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : libpng vulnerabilities (USN-730-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2009-0333.NASL
    descriptionUpdated libpng and libpng10 packages that fix a couple of security issues are now available for Red Hat Enterprise Linux 2.1, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0040) A flaw was discovered in the way libpng handled PNG images containing
    last seen2020-06-01
    modified2020-06-02
    plugin id43731
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43731
    titleCentOS 4 : libpng (CESA-2009:0333)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-0333.NASL
    descriptionUpdated libpng and libpng10 packages that fix a couple of security issues are now available for Red Hat Enterprise Linux 2.1, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0040) A flaw was discovered in the way libpng handled PNG images containing
    last seen2020-06-01
    modified2020-06-02
    plugin id35775
    published2009-03-05
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/35775
    titleRHEL 2.1 / 4 / 5 : libpng (RHSA-2009:0333)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_5_5.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.5. Mac OS X 10.5.5 contains security fixes for a number of programs.
    last seen2020-06-01
    modified2020-06-02
    plugin id34211
    published2008-09-16
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34211
    titleMac OS X 10.5.x < 10.5.5 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_12141.NASL
    descriptionSpecially crafted PNG files could overwrite arbitrary memory. Attackers could potentially exploit that to execute arbitrary code. (CVE-2008-1382)
    last seen2020-06-01
    modified2020-06-02
    plugin id41209
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41209
    titleSuSE9 Security Update : libpng (YOU Patch Number 12141)

Oval

  • accepted2013-04-29T04:04:40.938-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
      ovaloval:org.mitre.oval:def:11831
    • commentCentOS Linux 4.x
      ovaloval:org.mitre.oval:def:16636
    • commentOracle Linux 4.x
      ovaloval:org.mitre.oval:def:15990
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
      ovaloval:org.mitre.oval:def:11414
    • commentThe operating system installed on the system is CentOS Linux 5.x
      ovaloval:org.mitre.oval:def:15802
    • commentOracle Linux 5.x
      ovaloval:org.mitre.oval:def:15459
    descriptionlibpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.
    familyunix
    idoval:org.mitre.oval:def:10326
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titlelibpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.
    version28
  • accepted2009-11-09T04:00:44.197-05:00
    classvulnerability
    contributors
    nameMichael Wood
    organizationHewlett-Packard
    definition_extensions
    • commentVMWare ESX Server 3.0.3 is installed
      ovaloval:org.mitre.oval:def:6026
    • commentVMWare ESX Server 3.0.2 is installed
      ovaloval:org.mitre.oval:def:5613
    • commentVMware ESX Server 3.5.0 is installed
      ovaloval:org.mitre.oval:def:5887
    descriptionlibpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.
    familyunix
    idoval:org.mitre.oval:def:6275
    statusaccepted
    submitted2009-09-23T15:39:02.000-04:00
    titlemimeTeX and mathTeX Buffer Overflow and Command Injection Issues
    version3

Redhat

advisories
rhsa
idRHSA-2009:0333
rpms
  • libpng-2:1.0.14-12
  • libpng-2:1.2.10-7.1.el5_3.2
  • libpng-2:1.2.7-3.el4_7.2
  • libpng-debuginfo-2:1.2.10-7.1.el5_3.2
  • libpng-debuginfo-2:1.2.7-3.el4_7.2
  • libpng-devel-2:1.0.14-12
  • libpng-devel-2:1.2.10-7.1.el5_3.2
  • libpng-devel-2:1.2.7-3.el4_7.2
  • libpng10-0:1.0.16-3.el4_7.3
  • libpng10-debuginfo-0:1.0.16-3.el4_7.3
  • libpng10-devel-0:1.0.16-3.el4_7.3

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 28770 CVE(CAN) ID: CVE-2008-1382 libpng是多种应用程序所使用的解析PNG图形格式的函数库。 libpng库在处理畸形格式的PNG文件时存在漏洞,成功利用此漏洞允许本地攻击者读取敏感信息、导致拒绝服务或执行任意指令。 libpng库没有正确地处理未知类型的PNG块,如果使用该库的应用程序在特定情况下调用了png_set_read_user_chunk_fn()或png_set_keep_unknown_chunks()函数的话,长度为0的PNG块就会导致通过free()调用使用未初始化的内存。 0 libpng libpng 1.2.0 - 1.2.26 libpng libpng 1.0.6 - 1.0.32 libpng ------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://downloads.sourceforge.net/libpng/libpng-1.2.27beta03.tar.bz2?modtime=1208169600&big_mirror=0 Gentoo ------ Gentoo已经为此发布了一个安全公告(GLSA-200804-15)以及相应补丁: GLSA-200804-15:libpng: Execution of arbitrary code 链接:http://security.gentoo.org/glsa/glsa-200804-15.xml 所有libpng用户都应升级到最新版本: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.26-r1"
idSSV:3166
last seen2017-11-19
modified2008-04-15
published2008-04-15
reporterRoot
titleLibpng库未知类型块处理远程代码执行漏洞

Statements

contributorJoshua Bressers
lastmodified2009-03-04
organizationRed Hat
statementRed Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1382 This issue does not affect the version of libpng as shipped with Red Hat Enterprise Linux 3. Updates for affected versions of Red Hat Enterprise Linux can be found here: http://rhn.redhat.com/errata/RHSA-2009-0333.html

References