VU#388984 - libpng fails to properly check length of transparency chunk (tRNS) data
Notes
Report a Vulnerability
Disclosure Guidance
VINCE
Carnegie Mellon University
Software Engineering Institute
CERT Coordination Center
Notes
Report a Vulnerability
Disclosure Guidance
VINCE
libpng fails to properly check length of transparency chunk (tRNS) data
Vulnerability Note VU#388984
Original Release Date: 2004-08-04 | Last Revised: 2005-06-14
Overview
The Portable Network Graphics library (
libpng
) contains a remotely exploitable vulnerability, which could lead to arbitrary code execution on an affected system.
Description
The Portable Network Graphics (
PNG
) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format.
According to the PNG
Chunk Specification
, PNG images contain a series of chunks including the IHDR, IDAT, and IEND chunks. In addition to these required chunks, a PNG image may contain one or more optional chunks. The optional tRNS chunk is responsible for specifying images that use simple transparency. There are several components of the tRNS chunk. If the PLTE block is not present in a tRNS chunk, a logic error in the code responsible for validating the data segments of the tRNS chunk may lead to a buffer overflow condition.
The buffer overflow vulnerability occurs in the
png_handle_tRNS()
function, which is responsible for ensuring that PNG images are formatted properly. When processing malformed PNG images, this function may fail to properly validate the length of the transparency chunk (tRNS) data.
Multiple applications support the PNG image format, including web browsers, email clients, and various graphic utilities. Because multiple products have used the libpng reference library to implement native PNG image processing, multiple applications will be affected by this issue in different ways.
Please note that this vulnerability is known to exist in Microsoft Windows Messenger and MSN Messenger. Please see
MS05-009
for more details. For information regarding how this vulnerability affects Microsoft Internet Explorer, refer to
MS05-025
Impact
By introducing a malformed PNG image to a vulnerable application, a remote attacker could cause the application to crash or potentially execute arbitrary code with the privileges of the current user.
Solution
Apply a patch from the vendor
Patches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details.
Vendor Information
Expand all
Apple Computer Inc.
Affected
Notified: July 16, 2004
Updated: May 17, 2005
Status
Affected
Vendor Statement
APPLE-SA-2004-09-09 Mac OS X 10.3.5
Mac OS X 10.3.5 is now available and delivers security enhancements
for the following components:
Component: libpng (Portable Network Graphics)
CVE-IDs: CAN-2002-1363, CAN-2004-0421, CAN-2004-0597,
CAN-2004-0598, CAN-2004-0599
Impact: Malicious png images can cause application crashes and could
execute arbitrary code
Description: A number of buffer overflows, null pointer dereferences
and integer overflows have been discovered in the reference library
for reading and writing PNG images. These vulnerabilities have been
corrected in libpng which is used by the CoreGraphics and AppKit
frameworks in Mac OS X. After installing this update, applications
that use the PNG image format via these frameworks will be protected
against these flaws.
Note: The libpng security fixes are also available separately for Mac
OS X 10.3.4 and Mac OS X 10.2.8 via Security Update 2004-08-09.
==================
Component: Safari
CVE ID: CAN-2004-0743
Impact: In a special situation, navigation using the forward/backward
buttons can re-send form data to a GET url.
Description: This is for a situation where a web form is sent to a
server using a POST method which issues an HTTP redirect to a GET
method url. Using the forward/backward buttons will cause Safari to
re-POST the form data to the GET url. Safari has been modified so
that in this situation forward/backward navigation will result in only
a GET method.
==================
Component: TCP/IP Networking
CVE ID: CAN-2004-0744
Impact: Maliciously crafted IP fragments can use too many system
resources preventing normal network operation.
Description: The "Rose Attack" describes a specially constructed
sequence of IP fragments designed to consume system resources. The
TCP/IP implementation has been modified to limit the resources
consumed and prevents this denial of service attack.
================================================
Mac OS X 10.3.5 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
Information will also be posted to the Apple Product Security
web site:
This message is signed with Apple's Product Security PGP key,
and details are available at:
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Gentoo
Affected
Updated: August 20, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Microsoft Corporation
Affected
Notified: July 16, 2004
Updated: June 14, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see
MS05-009
and
MS05-025
for information concerning this vulnerability and its remediation.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
MontaVista Software
Affected
Notified: July 16, 2004
Updated: August 04, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
OpenPKG
Affected
Updated: August 20, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Slackware
Affected
Updated: August 20, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
SuSE Inc.
Affected
Notified: July 16, 2004
Updated: July 27, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Trustix Secure Linux
Affected
Updated: August 20, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
libpng.org
Affected
Notified: July 16, 2004
Updated: August 04, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
This issue has been resolved in libpng version
1.2.6rc1
(release candidate 1). An older version of libpng containing the backported fixes,
1.0.16rc1
, is also available.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Juniper Networks
Not Affected
Notified: July 16, 2004
Updated: July 27, 2004
Status
Not Affected
Vendor Statement
Juniper Networks products are not susceptible to this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
NEC Corporation
Not Affected
Notified: July 16, 2004
Updated: August 02, 2004
Status
Not Affected
Vendor Statement
sent on August 2, 2004
[Software Products]
* E-mail client software "WeMail"
(shareware developped by NEC Communication Systems,Ltd.)
- is NOT vulnerable.
It does not include any code originated from libPNG.
* We continue to try to investigate other products possibly affected
by these vulnerabilities.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
BSDI
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Conectiva
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Cray Inc.
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Debian
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Engarde
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
FreeBSD
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Fujitsu
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Hewlett-Packard Company
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Hitachi
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
IBM
Unknown
Notified: July 16, 2004
Updated: July 30, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
IBM eServer
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
IBM-zSeries
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
IMmunix
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Ingrian Networks
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
MandrakeSoft
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
NETBSD
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Nokia
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Novell
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Openwall GNU/*/Linux
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Red Hat Inc.
Unknown
Notified: July 16, 2004
Updated: July 27, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
SGI
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
ScO
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Sequent
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Sony Corporation
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Sun Microsystems Inc.
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
TurboLinux
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
Wind River Systems Inc.
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
eMC Corporation
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
uNisys
Unknown
Updated: July 23, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email
View all 40 vendors
View less vendors
CVSS Metrics
Group
Score
Vector
Base
Temporal
Environmental
References
Acknowledgements
Thanks to Chris Evans for reporting this vulnerability.
This document was written by Chad Dougherty and Damon Morda.
Other Information
CVE IDs:
CVE-2004-0597
Severity Metric:
20.11
Date Public:
2004-08-04
Date First Published:
2004-08-04
Date Last Updated:
2005-06-14 20:58 UTC
Document Revision:
39
About vulnerability notes
Contact us about this vulnerability
Provide a vendor statement
Sponsored by
CISA.
Download PGP Key
Read CERT/CC Blog
Learn about Vulnerability Analysis
Carnegie Mellon University
Software Engineering Institute
4500 Fifth Avenue
Pittsburgh, PA 15213-2612
412-268-5800
Office Locations
Additional Sites Directory
Legal
Privacy Notice
CMU Ethics Hotline
www.sei.cmu.edu
Contact SEI
Contact CERT/CC
412-268-5800
cert@cert.org
US