Lucene search

K
centosCentOS ProjectCESA-2010:0534
HistoryJul 14, 2010 - 10:40 p.m.

libpng, libpng10 security update

2010-07-1422:40:18
CentOS Project
lists.centos.org
81

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.702

Percentile

98.1%

CentOS Errata and Security Advisory CESA-2010:0534

The libpng packages contain a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.

A memory corruption flaw was found in the way applications, using the
libpng library and its progressive reading method, decoded certain PNG
images. An attacker could create a specially-crafted PNG image that, when
opened, could cause an application using libpng to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application. (CVE-2010-1205)

A denial of service flaw was found in the way applications using the libpng
library decoded PNG images that have certain, highly compressed ancillary
chunks. An attacker could create a specially-crafted PNG image that could
cause an application using libpng to consume excessive amounts of memory
and CPU time, and possibly crash. (CVE-2010-0205)

A memory leak flaw was found in the way applications using the libpng
library decoded PNG images that use the Physical Scale (sCAL) extension. An
attacker could create a specially-crafted PNG image that could cause an
application using libpng to exhaust all available memory and possibly crash
or exit. (CVE-2010-2249)

A sensitive information disclosure flaw was found in the way applications
using the libpng library processed 1-bit interlaced PNG images. An attacker
could create a specially-crafted PNG image that could cause an application
using libpng to disclose uninitialized memory. (CVE-2009-2042)

Users of libpng and libpng10 should upgrade to these updated packages,
which contain backported patches to correct these issues. All running
applications using libpng or libpng10 must be restarted for the update to
take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2010-August/079080.html
https://lists.centos.org/pipermail/centos-announce/2010-August/079081.html
https://lists.centos.org/pipermail/centos-announce/2010-July/078943.html
https://lists.centos.org/pipermail/centos-announce/2010-July/078944.html
https://lists.centos.org/pipermail/centos-announce/2010-July/078957.html
https://lists.centos.org/pipermail/centos-announce/2010-July/078958.html
https://lists.centos.org/pipermail/centos-announce/2010-July/078971.html
https://lists.centos.org/pipermail/centos-announce/2010-July/078972.html

Affected packages:
libpng
libpng-devel
libpng10
libpng10-devel

Upstream details at:
https://access.redhat.com/errata/RHSA-2010:0534

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.702

Percentile

98.1%