Vulnerabilities > CVE-2016-10087 - NULL Pointer Dereference vulnerability in Libpng
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference via vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2016-365-01.NASL description New libpng packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 96179 published 2017-01-03 reporter This script is Copyright (C) 2017 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96179 title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libpng (SSA:2016-365-01) code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2016-365-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#
# Local (authenticated) check: compares the installed libpng package
# recorded in /var/log/packages against the fixed versions shipped by
# SSA:2016-365-01 for CVE-2016-10087.

include("compat.inc");

if (description)
{
  script_id(96179);
  script_version("$Revision: 3.2 $");
  script_cvs_date("$Date: 2017/09/21 13:38:14 $");

  script_cve_id("CVE-2016-10087");
  script_xref(name:"SSA", value:"2016-365-01");

  script_name(english:"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libpng (SSA:2016-365-01)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  script_set_attribute(attribute:"synopsis", value:"The remote Slackware host is missing a security update.");
  script_set_attribute(attribute:"description", value:"New libpng packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.");
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.567619
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2a599f8f");
  script_set_attribute(attribute:"solution", value:"Update the affected libpng package.");

  # CVSS2 rates the impact as partial availability loss; CVSS3 as high
  # availability loss with no confidentiality/integrity impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:libpng");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.37");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");
  script_family(english:"Slackware Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("slackware.inc");

# Preconditions gathered by ssh_get_info.nasl; audit() terminates the
# script when any of them is missing.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 / x86_64 package names are known to this plugin.
host_cpu = get_kb_item("Host/cpu");
if (isnull(host_cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< host_cpu && host_cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", host_cpu);

# Number of installed libpng packages older than the fixed build
# for the detected release / architecture.
hits = 0;

# Slackware 13.0 stayed on the 1.2.x branch.
if (slackware_check(osver:"13.0", pkgname:"libpng", pkgver:"1.2.57", pkgarch:"i486", pkgnum:"1_slack13.0")) hits++;
if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"libpng", pkgver:"1.2.57", pkgarch:"x86_64", pkgnum:"1_slack13.0")) hits++;

# 13.1 through 14.1 ship the 1.4.x branch.
if (slackware_check(osver:"13.1", pkgname:"libpng", pkgver:"1.4.20", pkgarch:"i486", pkgnum:"1_slack13.1")) hits++;
if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"libpng", pkgver:"1.4.20", pkgarch:"x86_64", pkgnum:"1_slack13.1")) hits++;
if (slackware_check(osver:"13.37", pkgname:"libpng", pkgver:"1.4.20", pkgarch:"i486", pkgnum:"1_slack13.37")) hits++;
if (slackware_check(osver:"13.37", arch:"x86_64", pkgname:"libpng", pkgver:"1.4.20", pkgarch:"x86_64", pkgnum:"1_slack13.37")) hits++;
if (slackware_check(osver:"14.0", pkgname:"libpng", pkgver:"1.4.20", pkgarch:"i486", pkgnum:"1_slack14.0")) hits++;
if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"libpng", pkgver:"1.4.20", pkgarch:"x86_64", pkgnum:"1_slack14.0")) hits++;
if (slackware_check(osver:"14.1", pkgname:"libpng", pkgver:"1.4.20", pkgarch:"i486", pkgnum:"1_slack14.1")) hits++;
if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"libpng", pkgver:"1.4.20", pkgarch:"x86_64", pkgnum:"1_slack14.1")) hits++;

# 14.2 and -current ship the 1.6.x branch (i586 builds on 32-bit).
if (slackware_check(osver:"14.2", pkgname:"libpng", pkgver:"1.6.27", pkgarch:"i586", pkgnum:"1_slack14.2")) hits++;
if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"libpng", pkgver:"1.6.27", pkgarch:"x86_64", pkgnum:"1_slack14.2")) hits++;
if (slackware_check(osver:"current", pkgname:"libpng", pkgver:"1.6.27", pkgarch:"i586", pkgnum:"1")) hits++;
if (slackware_check(osver:"current", arch:"x86_64", pkgname:"libpng", pkgver:"1.6.27", pkgarch:"x86_64", pkgnum:"1")) hits++;

# Nothing outdated: audit() reports "not affected" and exits.
if (!hits) audit(AUDIT_HOST_NOT, "affected");

# Otherwise report, attaching the package details when verbosity allows.
if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
else security_warning(0);
exit(0);
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1951.NASL description According to the versions of the libpng package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.(CVE-2016-10087) - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2017-12652) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 128954 published 2019-09-17 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128954 title EulerOS Virtualization for ARM 64 3.0.2.0 : libpng (EulerOS-SA-2019-1951) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-441.NASL description This update for libpng12 fixes the following issues : Security issues fixed : - CVE-2015-8540: read underflow in libpng (bsc#958791) - CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2017-04-06 plugin id 99211 published 2017-04-06 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/99211 title openSUSE Security Update : libpng12 (openSUSE-2017-441) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1810.NASL description According to the version of the libpng packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.(CVE-2016-10087) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-08-23 plugin id 128102 published 2019-08-23 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128102 title EulerOS 2.0 SP5 : libpng (EulerOS-SA-2019-1810) NASL family Fedora Local Security Checks NASL id FEDORA_2016-1A7E14D084.NASL description This update fixes an old NULL pointer dereference bug in png_set_text_2() discovered and patched by Patrick Keshishian (CVE-2016-10087). The potential last seen 2020-06-05 modified 2017-01-10 plugin id 96350 published 2017-01-10 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96350 title Fedora 24 : libpng10 (2016-1a7e14d084) NASL family Fedora Local Security Checks NASL id FEDORA_2017-BAD9942E42.NASL description - Update to upstream release **1.2.57**. - Fixes **CVE-2016-10087**. 
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-04-17 plugin id 99416 published 2017-04-17 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99416 title Fedora 25 : libpng12 (2017-bad9942e42) NASL family Fedora Local Security Checks NASL id FEDORA_2016-A4B06A036B.NASL description This update fixes an old NULL pointer dereference bug in png_set_text_2() discovered and patched by Patrick Keshishian (CVE-2016-10087). The potential last seen 2020-06-05 modified 2017-01-10 plugin id 96353 published 2017-01-10 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96353 title Fedora 25 : libpng10 (2016-a4b06a036b) NASL family Fedora Local Security Checks NASL id FEDORA_2017-1D305FA070.NASL description - Update to upstream release **1.2.57**. - Fixes **CVE-2016-10087**. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-07-17 plugin id 101582 published 2017-07-17 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101582 title Fedora 26 : libpng12 (2017-1d305fa070) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3712-1.NASL description Patrick Keshishian discovered that libpng incorrectly handled certain PNG files. An attacker could possibly use this to cause a denial of service. 
This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10087) Thuan Pham discovered that libpng incorrectly handled certain PNG files. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-13785). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111040 published 2018-07-12 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111040 title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : libpng, libpng1.6 vulnerabilities (USN-3712-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1117.NASL description According to the version of the libpng packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.(CVE-2016-10087) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-04-02 plugin id 123591 published 2019-04-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/123591 title EulerOS 2.0 SP2 : libpng (EulerOS-SA-2019-1117) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0853-1.NASL description This update for libpng16 fixes the following issues: Security issues fixed : - CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99085 published 2017-03-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99085 title SUSE SLED12 / SLES12 Security Update : libpng16 (SUSE-SU-2017:0853-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-443.NASL description This update for libpng16 fixes the following issues : Security issues fixed : - CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2017-04-06 plugin id 99213 published 2017-04-06 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/99213 title openSUSE Security Update : libpng16 (openSUSE-2017-443) NASL family Fedora Local Security Checks NASL id FEDORA_2017-84BC8AC268.NASL description - Update to upstream release **1.2.57**. - Fixes **CVE-2016-10087**. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. 
last seen 2020-06-05 modified 2017-04-17 plugin id 99412 published 2017-04-17 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99412 title Fedora 24 : libpng12 (2017-84bc8ac268) NASL family Fedora Local Security Checks NASL id FEDORA_2017-66FD940572.NASL description - Update to upstream release **1.5.28**. - Fixes **CVE-2016-10087**. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-04-13 plugin id 99319 published 2017-04-13 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99319 title Fedora 24 : libpng15 (2017-66fd940572) NASL family Fedora Local Security Checks NASL id FEDORA_2017-CF1944F480.NASL description - Update to upstream release **1.5.28**. - Fixes **CVE-2016-10087**. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-04-13 plugin id 99322 published 2017-04-13 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/99322 title Fedora 25 : libpng15 (2017-cf1944f480) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0860-1.NASL description This update for libpng12 fixes the following issues: Security issues fixed : - CVE-2015-8540: read underflow in libpng (bsc#958791) - CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99088 published 2017-03-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99088 title SUSE SLED12 / SLES12 Security Update : libpng12 (SUSE-SU-2017:0860-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0950-1.NASL description This update for libpng15 fixes the following issues: Security issues fixed : - CVE-2015-8540: read underflow in libpng (bsc#958791) - CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99243 published 2017-04-07 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/99243 title SUSE SLED12 / SLES12 Security Update : libpng15 (SUSE-SU-2017:0950-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-477.NASL description This update for libpng15 fixes the following issues : Security issues fixed : - CVE-2015-8540: read underflow in libpng (bsc#958791) - CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646) This update was imported from the SUSE:SLE-12-SP1:Update update project. last seen 2020-06-05 modified 2017-04-18 plugin id 99428 published 2017-04-18 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/99428 title openSUSE Security Update : libpng15 (openSUSE-2017-477) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0901-1.NASL description This update for libpng12-0 fixes the following issues: Security issues fixed : - CVE-2015-8540: read underflow in libpng (bsc#958791) - CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99165 published 2017-04-03 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/99165 title SUSE SLES11 Security Update : libpng12-0 (SUSE-SU-2017:0901-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1307.NASL description According to the version of the libpng packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.(CVE-2016-10087) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-05-01 plugin id 124434 published 2019-05-01 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124434 title EulerOS 2.0 SP3 : libpng (EulerOS-SA-2019-1307) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201701-74.NASL description The remote host is affected by the vulnerability described in GLSA-201701-74 (libpng: Remote execution of arbitrary code) A NULL pointer dereference was discovered in libpng in the png_push_save_buffer function. In order to be vulnerable, an application has to load a text chunk into the PNG structure, then delete all text, then add another text chunk to the same PNG structure, which seems to be an unlikely sequence, but it is possible. Impact : A remote attacker, by enticing a user to process a specially crafted PNG file, could execute arbitrary code with the privileges of the process. Workaround : There is no known workaround at this time. 
last seen 2020-06-01 modified 2020-06-02 plugin id 96860 published 2017-01-30 reporter This script is Copyright (C) 2017 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96860 title GLSA-201701-74 : libpng: Remote execution of arbitrary code
References
- http://www.openwall.com/lists/oss-security/2016/12/30/4
- http://www.openwall.com/lists/oss-security/2016/12/29/2
- http://www.securityfocus.com/bid/95157
- https://security.gentoo.org/glsa/201701-74
- https://usn.ubuntu.com/3712-2/
- https://usn.ubuntu.com/3712-1/
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E