The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of libpng: denial of service via sCAL

Summary of the vulnerability

An attacker can invite the victim to display a malicious PNG image, in order to generate a denial of service in applications linked to libpng.
Severity of this threat: 1/4.
Creation date: 08/07/2011.
References for this weakness: BID-48618, CERTA-2003-AVI-037, CVE-2011-2692, DSA-2287-1, FEDORA-2011-10928, FEDORA-2011-10954, FEDORA-2011-8844, FEDORA-2011-8867, FEDORA-2011-9336, FEDORA-2011-9343, MDVSA-2011:151, openSUSE-SU-2011:0915-1, RHSA-2011:1103-01, RHSA-2011:1104-01, RHSA-2011:1105-01, SUSE-SU-2011:0916-1, SUSE-SU-2011:0919-1, VIGILANCE-VUL-10820, VU#819894.

Description of the vulnerability

The libpng library is used by several applications to decode or display PNG images.

The sCAL ("Physical Scale") field of a PNG image defines its relative scale. Its format is:
 - one byte: unit (meter)
 - the X axis multiplier, stored as text (for example "2.5")
 - a null byte
 - the Y axis multiplier, stored as text (for example "2.5")

However, if the sCAL field is empty, or if the null byte is missing, the png_handle_sCAL() function tries to read at an invalid memory address.

An attacker can therefore invite the victim to display a malicious PNG image, in order to generate a denial of service in applications linked to libpng.
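
Added example (not libpng's code, and not part of the original bulletin): a bounds-checked parser for the sCAL layout described above, which rejects the two malformed cases named in the text, an empty chunk and a missing null byte. The names scal_parse, struct scal and the status codes are hypothetical, the sample chunks are constructed, and rejecting an empty multiplier is this example's own policy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical status codes for this example. */
enum scal_status { SCAL_OK, SCAL_EMPTY, SCAL_NO_SEPARATOR, SCAL_BAD_FIELD };

struct scal {
    unsigned char unit;          /* first byte of the chunk data */
    const char *x; size_t x_len; /* X multiplier text */
    const char *y; size_t y_len; /* Y multiplier text, no terminator */
};

/* Parse `len` bytes of sCAL chunk data without reading outside the buffer. */
enum scal_status scal_parse(const unsigned char *data, size_t len, struct scal *out)
{
    if (data == NULL || len == 0)
        return SCAL_EMPTY;               /* no unit byte to read */

    const unsigned char *text = data + 1;
    size_t text_len = len - 1;

    /* memchr is bounded by text_len; strlen() would run past the chunk. */
    const unsigned char *nul = memchr(text, 0, text_len);
    if (nul == NULL)
        return SCAL_NO_SEPARATOR;        /* X field never terminated */
    size_t x_len = (size_t)(nul - text);
    size_t y_len = text_len - x_len - 1; /* bytes after the separator */
    if (x_len == 0 || y_len == 0)
        return SCAL_BAD_FIELD;           /* this example's own policy */

    out->unit = data[0];
    out->x = (const char *)text;     out->x_len = x_len;
    out->y = (const char *)nul + 1;  out->y_len = y_len;
    return SCAL_OK;
}

/* Constructed sample chunks, not taken from a real image. */
static const unsigned char ok_chunk[]     = { 1, '2', '.', '5', 0, '2', '.', '5' };
static const unsigned char no_nul_chunk[] = { 1, '2', '.', '5', '2', '.', '5' };
static struct scal parsed;

int main(void)
{
    printf("ok=%d\n", scal_parse(ok_chunk, sizeof ok_chunk, &parsed));
    printf("no_nul=%d\n", scal_parse(no_nul_chunk, sizeof no_nul_chunk, &parsed));
    printf("empty=%d\n", scal_parse(ok_chunk, 0, &parsed));
    return 0;
}
```

The multiplier fields are returned as pointer and length pairs because the Y field has no terminator inside the chunk; copy them into a NUL-terminated buffer before passing them to a number parser.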

This cybersecurity weakness impacts software or systems such as Debian, Fedora, libpng, Mandriva Linux, NLD, OES, openSUSE, Solaris, Trusted Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this security vulnerability is low.

Trust level: confirmed by the editor, with an origin of document.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level ability can exploit this vulnerability.

Solutions for this threat

libpng: version 1.5.4.
Version 1.5.4 is corrected:
  http://www.libpng.org/pub/png/libpng.html

libpng: version 1.4.8.
Version 1.4.8 is corrected:
  http://www.libpng.org/pub/png/libpng.html

libpng: version 1.2.45.
Version 1.2.45 is corrected:
  http://www.libpng.org/pub/png/libpng.html

libpng: version 1.0.55.
Version 1.0.55 is corrected:
  http://www.libpng.org/pub/png/libpng.html

Debian: new libpng packages.
New packages are available:
  libpng 1.2.27-2+lenny5
  libpng 1.2.44-1+squeeze1

Fedora: new libpng10 packages.
New packages are available:
  libpng10-1.0.55-1.fc14
  libpng10-1.0.55-1.fc15

Fedora: new libpng packages.
New packages are available:
  libpng-1.2.46-1.fc14
  libpng-1.2.46-1.fc15

Fedora: new mingw32-libpng packages.
New packages are available:
  mingw32-libpng-1.4.8-1.fc14
  mingw32-libpng-1.4.8-1.fc15

Mandriva: new libpng packages.
New packages are available:
  libpng-1.2.43-1.2mdv2010.2
  libpng-1.2.31-2.4mdvmes5.2

RHEL 4: new libpng packages.
New packages are available:
  libpng-1.2.7-8.el4

RHEL 5: new libpng packages.
New packages are available:
  libpng-1.2.10-7.1.el5_7.5

RHEL 6.1: new libpng packages.
New packages are available:
  libpng-1.2.46-1.el6_1

Solaris: patch for libpng.
A patch is available:
  Solaris 8:
    contact support
  Solaris 9:
    contact support
  Solaris 10:
    SPARC: 137080-06
    X86: 137081-06

SUSE: new libpng packages.
New packages are available, as indicated in information sources.