Detections
Analytics
RHEL 4 / 5 : libpng (RHSA-2010:0534)
critical Nessus Plugin ID 47876
Language:
Synopsis
The remote Red Hat host is missing one or more security updates for libpng.Description
The remote Redhat Enterprise Linux 4 / 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2010:0534 advisory.The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files.
A memory corruption flaw was found in the way applications, using the libpng library and its progressive reading method, decoded certain PNG images. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-1205)
A denial of service flaw was found in the way applications using the libpng library decoded PNG images that have certain, highly compressed ancillary chunks. An attacker could create a specially-crafted PNG image that could cause an application using libpng to consume excessive amounts of memory and CPU time, and possibly crash. (CVE-2010-0205)
A memory leak flaw was found in the way applications using the libpng library decoded PNG images that use the Physical Scale (sCAL) extension. An attacker could create a specially-crafted PNG image that could cause an application using libpng to exhaust all available memory and possibly crash or exit. (CVE-2010-2249)
A sensitive information disclosure flaw was found in the way applications using the libpng library processed 1-bit interlaced PNG images. An attacker could create a specially-crafted PNG image that could cause an application using libpng to disclose uninitialized memory. (CVE-2009-2042)
Users of libpng and libpng10 should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libpng or libpng10 must be restarted for the update to take effect.
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the RHEL libpng package based on the guidance in RHSA-2010:0534.See Also
http://www.nessus.org/u?7b030f3a
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=504782
https://bugzilla.redhat.com/show_bug.cgi?id=566234
https://bugzilla.redhat.com/show_bug.cgi?id=608238
Plugin Details
Severity: Critical
ID: 47876
File Name: redhat-RHSA-2010-0534.nasl
Version: 1.24
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 7/28/2010
Updated: 3/20/2025
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: High
Score: 7.4
Vendor
Vendor Severity: Important
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.9
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2010-1205
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:redhat:enterprise_linux:5, p-cpe:/a:redhat:enterprise_linux:libpng, p-cpe:/a:redhat:enterprise_linux:libpng10-devel, cpe:/o:redhat:enterprise_linux:3, cpe:/o:redhat:enterprise_linux:4, p-cpe:/a:redhat:enterprise_linux:libpng-devel, p-cpe:/a:redhat:enterprise_linux:libpng10
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 7/14/2010
Vulnerability Publication Date: 6/12/2009
Reference Information
CVE: CVE-2009-2042, CVE-2010-0205, CVE-2010-1205, CVE-2010-2249