libpng Buffer Offset Calculation Overflow May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1010871
SecurityTracker URL: http://securitytracker.com/id/1010871
CVE Reference: CAN-2004-0768
Date: Aug 5 2004
Impact:
Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): Prior to 1.2.6rc1, 1.0.16rc1
Description:
A buffer overflow vulnerability was reported in libpng. A remote user may be able to cause arbitrary code to be executed by an application using libpng.
The vendor reported that libpng contains a buffer overflow vulnerability similar to that reported in CVE CAN-2002-1363. The software does not properly calculate buffer offsets, which may allow for remote code execution.
The vendor has indicated that this flaw is "quite serious."
Impact:
A remote or local user may be able to cause arbitrary code to be executed by an application using libpng. The specific impact depends on the application using libpng.
Solution:
The vendor has issued a fixed version (libpng 1.2.6rc1, libpng-1.0.16rc1), available at:
http://www.libpng.org/pub/png/libpng.html
Vendor URL: www.libpng.org/pub/png/libpng.html
Cause:
Boundary error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Thu, 05 Aug 2004 01:53:49 -0400
Subject: CAN-2004-0768
Debian reported that libpng contains a buffer overflow vulnerability similar to that
reported in CVE CAN-2002-1363. The software does not properly calculate buffer offsets,
which may allow for remote code execution.
CVE: CAN-2004-0768