
UNIRAS Brief - 405/04 - Multiple Vulnerabilities in libpng


----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 405/04 dated 05.08.04  Time: 14:45
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Multiple Vulnerabilities in libpng


Departmental and company security officers should be aware of the risk posed by a number of recently discovered vulnerabilities in libpng, the open source library used for rendering PNG (Portable Network Graphics) image files. It should be stressed that these vulnerabilities primarily affect web browsers and graphics-aware email clients on UNIX-style operating systems such as FreeBSD, Linux and Sun Solaris, and that no recent version of Microsoft software is affected. Nevertheless, third-party products running on Microsoft Windows operating systems may be affected.

One of the vulnerabilities is an easily exploitable stack overflow which, if a malformed image is parsed in a vulnerable mail client or web browser, could allow arbitrary code to be executed in the context of the user. Due to the prevalence of libpng in browsers and email clients used on UNIX variants, it is NISCC's view that this stack overflow could form the basis of an Internet worm targeting UNIX systems.

The NISCC Vulnerability Team has verified that the following browsers are vulnerable:

- Netscape 4.78 on Sun Solaris 9 and Sun Solaris 10
- Mozilla Firefox 0.9.2 on Microsoft Windows XP SP1
- Mozilla 1.4 on Sun Solaris 9 and Sun Solaris 10
- Mozilla 1.7.1 on OpenBSD 3.5
- Mozilla 1.7.1 running on FreeBSD 4.10-STABLE and FreeBSD 5.2-CURRENT
- Mozilla 1.7.1 running on Gentoo Linux (and all standard Linux distributions expected to be vulnerable)

In order to mitigate these vulnerabilities it is strongly recommended that system administrators apply patches or upgrades to affected products as soon as practicable (see for example http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.2 for the update information on Mozilla). If patches are not available, it may be appropriate to block all PNG file attachments at the system gateway via the mail server or a mail content checker. Users should be advised not to visit untrusted web sites that may contain malicious code.

The US-CERT Advisory is attached below:


Multiple Vulnerabilities in libpng

   Original release date: August 4, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

   Applications and systems that use the libpng library.


   Several vulnerabilities exist in the libpng library, the most serious
   of which could allow a remote attacker to execute arbitrary code on an
   affected system.

I. Description

   The Portable Network Graphics (PNG) image format is used as an
   alternative to other image formats such as the Graphics Interchange
   Format (GIF). libpng is a popular reference library available for
   application developers to support the PNG image format.

   Several vulnerabilities have been reported in the libpng library. Any
   application or system that uses this library may be affected. More
   detailed information is available in the individual vulnerability

   VU#388984 - libpng fails to properly check length of transparency
   chunk (tRNS) data

   A buffer overflow vulnerability has been discovered in the way that
   libpng processes PNG images. This vulnerability could allow a remote
   attacker to execute arbitrary code on a vulnerable system by
   introducing a specially crafted PNG image.
   (Other references: CAN-2004-0597)

   VU#236656 - libpng png_handle_iCCP() NULL pointer dereference

   Under some circumstances, a null pointer may be dereferenced during a
   memory allocation in the png_handle_iCCP() function. As a result, a
   PNG image with particular characteristics could cause the affected
   application to crash. Similar errors are reported to exist in other
   locations within libpng.
   (Other references: CAN-2004-0598)

   VU#160448 - libpng integer overflow in image height processing

   An integer overflow error exists in the handling of PNG image height
   within the png_read_png() function. As a result, a PNG image with
   excessive height may cause an integer overflow during a memory
   allocation operation, which could cause the affected application to
   (Other references: CAN-2004-0599)

   VU#477512 - libpng png_handle_sPLT() integer overflow

   A potential integer overflow error exists during a memory allocation
   operation within the png_handle_sPLT() function. It is unclear what
   practical impact this error might have on applications using libpng.
   (Other references: CAN-2004-0599)

   VU#817368 - libpng png_handle_sBIT() performs insufficient bounds

   A potentially insufficient bounds check exists within the
   png_handle_sBIT() function. A similar error exists in the
   png_handle_hIST() function. While the code that contains these errors
   could potentially permit a buffer overflow to occur during a
   subsequent png_crc_read() operation, it is unclear what practical
   vulnerabilities it might present in applications using libpng.
   (Other references: CAN-2004-0597)

   VU#286464 - libpng contains integer overflows in progressive display
   image reading

   The libpng library provides the ability to display interlaced, or
   progressive display, PNG images. A number of potential integer
   overflow errors exist in libpng's handling of such progressive display
   images. While the code that contains these errors introduces dangerous
   conditions, it is unclear what practical vulnerabilities it might
   present in applications using libpng.
   (Other references: CAN-2004-0599)
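
An added example, not part of the UNIRAS brief, the US-CERT advisory or libpng itself: a content check a mail gateway could run on PNG attachments, flagging the chunk-length conditions described above (tRNS, sBIT, hIST, image height) against the limits in the PNG specification. The names `check_png`, `sample_png` and `MAX_HEIGHT` are hypothetical, and the height cap is an assumed local policy value.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_HEIGHT = 65535  # assumed gateway policy cap, not a PNG or libpng limit
SBIT_LEN = {0: 1, 2: 3, 3: 3, 4: 2, 6: 4}  # sBIT size per colour type (PNG spec)

def check_png(data):
    """Return a list of findings; empty means no chunk-length anomaly was seen."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG signature"]
    findings, pos, colour, palette = [], len(PNG_SIG), None, 0
    while pos + 12 <= len(data):  # 4 length + 4 type + 4 CRC
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        if pos + 12 + length > len(data):
            findings.append(f"{name}: declared length {length} runs past end of file")
            break
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR" and length == 13:
            _width, height, _depth, colour = struct.unpack(">IIBB", body[:10])
            if height > MAX_HEIGHT:
                findings.append(f"IHDR: height {height} exceeds policy cap")
        elif ctype == b"PLTE":
            palette = length // 3
        elif ctype == b"tRNS":
            # Palette images: at most one alpha byte per PLTE entry (max 256).
            limit = {0: 2, 2: 6, 3: min(palette, 256)}.get(colour, 0)
            if length > limit:
                findings.append(f"tRNS: length {length} exceeds {limit}")
        elif ctype == b"sBIT" and length != SBIT_LEN.get(colour):
            findings.append(f"sBIT: length {length} wrong for colour type {colour}")
        elif ctype == b"hIST" and length != 2 * palette:
            findings.append(f"hIST: length {length} does not match palette")
        pos += 12 + length
        if ctype == b"IEND":
            break
    return findings

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_png(trns_len, height=1):
    """Constructed input: palette-image skeleton (2 PLTE entries, no pixel data)."""
    ihdr = struct.pack(">IIBBBBB", 1, height, 8, 3, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"PLTE", b"\x00" * 6)
            + _chunk(b"tRNS", b"\x00" * trns_len) + _chunk(b"IEND", b""))
```

A file that returns any finding can be quarantined rather than delivered; the check does not verify chunk CRCs or decompress image data.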

II. Impact

   In the case of VU#388984, an attacker with the ability to introduce a
   malformed PNG image to a vulnerable application could cause the
   application to crash or could potentially execute arbitrary code with
   the privileges of the user running the affected application.

   In the case of VU#236656 and VU#160448, an attacker with the ability
   to introduce a malformed PNG image to a vulnerable application could
   cause the application to crash.

   The impacts of the other vulnerabilities described above are unclear.

   A remote attacker could cause an application to crash or potentially
   execute arbitrary code by convincing a victim user to visit a
   malicious web site or view an email message containing a malformed

III. Solution

Apply a patch or upgrade

   Apply the appropriate patch or upgrade as specified by your vendor.
   For vendor-specific responses, please see your vendor's web site or
   the individual vulnerability notes.

   For individuals who rely on the original source of libpng, these
   issues have been resolved in libpng version 1.2.6rc1 (release
   candidate 1).

Appendix A. References

     * Chris Evans Security Advisory 2004.1 -
     * libpng Homepage - <http://libpng.sourceforge.net>
     * Portable Network Graphics (PNG) Homepage -
     * US-CERT Vulnerability Note VU#388984 -
     * US-CERT Vulnerability Note VU#817368 -
     * US-CERT Vulnerability Note VU#286464 -
     * US-CERT Vulnerability Note VU#477512 -
     * US-CERT Vulnerability Note VU#160448 -
     * US-CERT Vulnerability Note VU#236656 -
     * CVE CAN-2004-0597 -
     * CVE CAN-2004-0598 -
     * CVE CAN-2004-0599 -

   US-CERT thanks Chris Evans for researching and reporting these

   Feedback can be directed to the US-CERT Technical Staff.

   The latest copy of this document can be found at:


   Copyright 2004 Carnegie Mellon University.

   Revision History

   Aug 4, 2004: Initial release


----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of the NISCC VulTeam and CERT/CC for the information contained in this Briefing.
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
