The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.

Chris Evans has discovered multiple vulnerabilities in libpng, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).

Chromium is an OpenGL-based shoot them up game with fine graphics. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities :

Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to 'chunk error processing,' possibly involving the 'chunk_name'. (CVE-2006-3334)

It is questionable whether this issue is actually exploitable, but the patch to correct the issue has been included in versions < 1.2.12.

In addition, an patch to address several old vulnerabilities has been applied to this build. (CVE-2002-1363, CVE-2004-0421, CVE-2004-0597, CVE-2004-0598, CVE-2004-0599)

Packages have been patched to correct these issues.

Doxygen is a documentation system for C, C++ and IDL. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities :

Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to 'chunk error processing,' possibly involving the 'chunk_name'. (CVE-2006-3334)

It is questionable whether this issue is actually exploitable, but the patch to correct the issue has been included in versions < 1.2.12.

Tavis Ormandy, of the Gentoo Linux Security Auditing Team, discovered a typo in png_set_sPLT() that may cause an application using libpng to read out of bounds, resulting in a crash. (CVE-2006-5793)

In addition, an patch to address several old vulnerabilities has been applied to this build. (CVE-2002-1363, CVE-2004-0421, CVE-2004-0597, CVE-2004-0598, CVE-2004-0599)

Packages have been patched to correct these issues.

New Mozilla packages are available for Slackware 9.1, 10.0, and
-current to fix a number of security issues. Slackware 10.0 and
-current were upgraded to Mozilla 1.7.2, and Slackware 9.1 was upgraded to Mozilla 1.4.3. As usual, new versions of Mozilla require new versions of things that link with the Mozilla libraries, so for Slackware 10.0 and -current new versions of epiphany, galeon, gaim, and mozilla-plugins have also been provided. There don't appear to be epiphany and galeon versions that are compatible with Mozilla 1.4.3 and the GNOME in Slackware 9.1, so these are not provided and Epiphany and Galeon will be broken on Slackware 9.1 if the new Mozilla package is installed. Furthermore, earlier versions of Mozilla (such as the 1.3 series) were not fixed upstream, so versions of Slackware earlier than 9.1 will remain vulnerable to these browser issues. If you still use Slackware 9.0 or earlier, you may want to consider removing Mozilla or upgrading to a newer version.

New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix security issues. These issues could cause program crashes, or possibly allow arbitrary code embedded in a malicious PNG image to execute. The PNG library is widely used within the system, so all sites should upgrade to the new libpng package.

New imagemagick packages are available for Slackware 9.1, 10.0, and
-current to fix security issues with PNG images.

The remote host is running Microsoft MSN Messenger.  There is a flaw in this version of MSN Messenger that would allow a remote attacker to potentially execute code on the target host.

The remote host is running Microsoft Media Player Version 9.  There is a flaw in this version of Media Player that would allow a remote attacker to potentially execute code on the target host.  Exploiting this flaw would require that the attacker be able to convince a local user to open an email or browse to a malicious URL.  

Chris Evans discovered several vulnerabilities in libpng :

  - CAN-2004-0597     Multiple buffer overflows exist, including when handling     transparency chunk data, which could be exploited to     cause arbitrary code to be executed when a specially     crafted PNG image is processed

  - CAN-2004-0598

    Multiple NULL pointer dereferences in png_handle_iCPP()     and elsewhere could be exploited to cause an application     to crash when a specially crafted PNG image is processed

  - CAN-2004-0599

    Multiple integer overflows in the png_handle_sPLT(),     png_read_png() functions and elsewhere could be     exploited to cause an application to crash, or     potentially arbitrary code to be executed, when a     specially crafted PNG image is processed

  In addition, a bug related to CAN-2002-1363 was fixed :

  - CAN-2004-0768

    A buffer overflow could be caused by incorrect     calculation of buffer offsets, possibly leading to the     execution of arbitrary code

The remote host is affected by the vulnerability described in GLSA-200408-22 (Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New releases fix vulnerabilities)

    Mozilla, Galeon, Epiphany, Mozilla Firefox and Mozilla Thunderbird     contain the following vulnerabilities:
    All Mozilla tools use libpng for graphics. This library contains a     buffer overflow which may lead to arbitrary code execution.
    If a user imports a forged Certificate Authority (CA) certificate,     it may overwrite and corrupt the valid CA already installed on the     machine.
    Mozilla, Mozilla Firefox, and other gecko-based browsers also contain a     bug in their caching which may allow the SSL icon to remain visible,     even when the site in question is an insecure site.
  Impact :

    Users of Mozilla, Mozilla Firefox, and other gecko-based browsers are     susceptible to SSL certificate spoofing, a Denial of Service against     legitimate SSL sites, crashes, and arbitrary code execution. Users of     Mozilla Thunderbird are susceptible to crashes and arbitrary code     execution via malicious e-mails.
  Workaround :

    There is no known workaround for most of these vulnerabilities. All     users are advised to upgrade to the latest available version.

The remote host is affected by the vulnerability described in GLSA-200408-03 (libpng: Numerous vulnerabilities)

    libpng contains numerous vulnerabilities including NULL pointer dereference     errors and boundary errors in various functions.
  Impact :

    An attacker could exploit these vulnerabilities to cause programs linked     against the library to crash or execute arbitrary code with the permissions     of the user running the vulnerable program, which could be the root user.
  Workaround :

    There is no known workaround at this time. All users are encouraged to     upgrade to the latest available version.

A number of security vulnerabilities in mozilla are addressed by this update for Mandrakelinux 10.0 users, including a fix for frame spoofing, a fixed popup XPInstall/security dialog bug, a fix for untrusted chrome calls, a fix for SSL certificate spoofing, a fix for stealing secure HTTP Auth passwords via DNS spoofing, a fix for insecure matching of cert names for non-FQDNs, a fix for focus redefinition from another domain, a fix for a SOAP parameter overflow, a fix for text drag on file entry, a fix for certificate DoS, and a fix for lock icon and cert spoofing.

Additionally, mozilla for both Mandrakelinux 9.2 and 10.0 have been rebuilt to use the system libjpeg and libpng which addresses vulnerabilities discovered in libpng (ref: MDKSA-2004:079).

Chris Evans discovered numerous vulnerabilities in the libpng graphics library, including a remotely exploitable stack-based buffer overrun in the png_handle_tRNS function, dangerous code in png_handle_sBIT, a possible NULL pointer crash in png_handle_iCCP (which is also duplicated in multiple other locations), a theoretical integer overflow in png_read_png, and integer overflows during progressive reading.

All users are encouraged to upgrade immediately.

The remote host is missing Security Update 2004-08-09.

libpng is a library used for manipulating graphics files.  Several buffer overflows have been discovered in libpng.  A remote attacker could exploit these vulnerabilities by tricking a user into opening a maliciously crafted PNG file, resulting in the execution of arbitrary code.

Updated libpng packages that fix several issues are now available.

The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files.

During a source code audit, Chris Evans discovered several buffer overflows in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0597 to these issues.

In addition, this audit discovered a potential NULL pointer dereference in libpng (CVE-2004-0598) and several integer overflow issues (CVE-2004-0599). An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to crash when the file was opened by the victim.

Red Hat would like to thank Chris Evans for discovering these issues.

For users of Red Hat Enterprise Linux 2.1 these patches also include a more complete fix for the out of bounds memory access flaw (CVE-2002-1363).

All users are advised to update to the updated libpng packages which contain backported security patches and are not vulnerable to these issues.

The remote host is missing the patch for the advisory SUSE-SA:2004:023 (libpng).


Several different security vulnerabilities were found in the PNG library which is used by applications to support the PNG image format.

A remote attacker would be able to execute arbitrary code by triggering a buffer overflow due to the incorrect handling of the length of transparency chunk data and in other pathes of image processing.

A special PNG image can be used to cause an application crashing due to NULL pointer dereference in the function png_handle_iCPP() (and other locations). 

Integer overflows were found in png_handle_sPLT(), png_read_png() functions and other locations. These bugs may at least crash an application.

ID	Name	Product	Family	Severity
36897	FreeBSD : libpng stack-based buffer overflow and other code concerns (f9e3e60b-e650-11d8-9b0a-000347a4fa7d)	Nessus	FreeBSD Local Security Checks	critical
24598	Mandrake Linux Security Advisory : chromium (MDKSA-2006:213)	Nessus	Mandriva Local Security Checks	critical
24597	Mandrake Linux Security Advisory : doxygen (MDKSA-2006:212)	Nessus	Mandriva Local Security Checks	critical
18794	Slackware 10.0 / 9.1 / current : Mozilla (SSA:2004-223-01)	Nessus	Slackware Local Security Checks	critical
18781	Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : libpng (SSA:2004-222-01)	Nessus	Slackware Local Security Checks	critical
18749	Slackware 10.0 / 9.1 / current : imagemagick (SSA:2004-223-02)	Nessus	Slackware Local Security Checks	critical
2603	MSN Messenger < 6.2.0205 PNG File Remote Overflow (deprecated)	Nessus Network Monitor	Internet Messengers	high
2602	Microsoft Media Player Version 9 PNG Multiple Vulnerabilities (deprecated)	Nessus Network Monitor	Generic	high
15373	Debian DSA-536-1 : libpng - several vulnerabilities	Nessus	Debian Local Security Checks	critical
14578	GLSA-200408-22 : Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New releases fix vulnerabilities	Nessus	Gentoo Local Security Checks	critical
14559	GLSA-200408-03 : libpng: Numerous vulnerabilities	Nessus	Gentoo Local Security Checks	critical
14331	Mandrake Linux Security Advisory : mozilla (MDKSA-2004:082)	Nessus	Mandriva Local Security Checks	critical
14328	Mandrake Linux Security Advisory : libpng (MDKSA-2004:079)	Nessus	Mandriva Local Security Checks	critical
14242	Mac OS X Multiple Vulnerabilities (Security Update 2004-08-09)	Nessus	MacOS X Local Security Checks	medium
14213	RHEL 2.1 / 3 : libpng (RHSA-2004:402)	Nessus	Red Hat Local Security Checks	critical
14206	SUSE-SA:2004:023: libpng	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2004-0598

medium

Tenable Plugins

critical

critical

critical

critical

critical

critical

high

high

critical

critical

critical

critical

critical

medium

critical

critical