CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS
Percentile: 98.1%

CentOS Errata and Security Advisory CESA-2010:0534

The libpng packages contain a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.

A memory corruption flaw was found in the way applications, using the
libpng library and its progressive reading method, decoded certain PNG
images. An attacker could create a specially-crafted PNG image that, when
opened, could cause an application using libpng to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application. (CVE-2010-1205)

A denial of service flaw was found in the way applications using the libpng
library decoded PNG images that have certain, highly compressed ancillary
chunks. An attacker could create a specially-crafted PNG image that could
cause an application using libpng to consume excessive amounts of memory
and CPU time, and possibly crash. (CVE-2010-0205)

A memory leak flaw was found in the way applications using the libpng
library decoded PNG images that use the Physical Scale (sCAL) extension. An
attacker could create a specially-crafted PNG image that could cause an
application using libpng to exhaust all available memory and possibly crash
or exit. (CVE-2010-2249)

A sensitive information disclosure flaw was found in the way applications
using the libpng library processed 1-bit interlaced PNG images. An attacker
could create a specially-crafted PNG image that could cause an application
using libpng to disclose uninitialized memory. (CVE-2009-2042)

Users of libpng and libpng10 should upgrade to these updated packages,
which contain backported patches to correct these issues. All running
applications using libpng or libpng10 must be restarted for the update to
take effect.
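
The restart requirement above can be verified on a host after the update by looking for processes that still map the replaced library file. The following is an added example, not part of the advisory or the libpng packages; it assumes a Linux /proc filesystem and that the update replaced the library file on disk (so old mappings carry a " (deleted)" suffix), and the soname pattern and sample maps lines are constructed.

```python
import os
import re

# Matches libpng shared objects (libpng.so.3, libpng12.so.0, libpng10.so.0, ...).
# The exact sonames are an assumption; the advisory names only the packages.
LIBPNG_RE = re.compile(r"/libpng\d*\.so[.\d]*")
DELETED = " (deleted)"


def stale_libpng_mappings(maps_text):
    """Return sorted paths of libpng objects mapped from a replaced (deleted) file."""
    stale = set()
    for line in maps_text.splitlines():
        # Format: address perms offset dev inode pathname (pathname may hold spaces).
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no pathname
        path = fields[5]
        if path.endswith(DELETED) and LIBPNG_RE.search(path):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)


def scan_proc(proc_root="/proc"):
    """Map pid -> stale libpng paths for every process whose maps file is readable."""
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_libpng_mappings(fh.read())
        except OSError:
            continue  # process exited, or insufficient permission to read it
        if stale:
            results[int(entry)] = stale
    return results


# Constructed sample of /proc/<pid>/maps content for a process started before the update.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 fd:00 131085 /usr/bin/example-viewer
3a1c600000-3a1c625000 r-xp 00000000 fd:00 262201 /usr/lib64/libpng12.so.0.10.0 (deleted)
3a1c625000-3a1c825000 ---p 00025000 fd:00 262201 /usr/lib64/libpng12.so.0.10.0 (deleted)
3a1d000000-3a1d014000 r-xp 00000000 fd:00 262150 /usr/lib64/libz.so.1.2.3
7fff5a3e2000-7fff5a3f7000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for pid, paths in sorted(scan_proc().items()):
        print(pid, ", ".join(paths))
```

Run it as root so every process's maps file is readable; any PID it prints is still executing the pre-update libpng code and needs a restart.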
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2010-August/079080.html
https://lists.centos.org/pipermail/centos-announce/2010-August/079081.html
https://lists.centos.org/pipermail/centos-announce/2010-July/078943.html
https://lists.centos.org/pipermail/centos-announce/2010-July/078944.html
https://lists.centos.org/pipermail/centos-announce/2010-July/078957.html
https://lists.centos.org/pipermail/centos-announce/2010-July/078958.html
https://lists.centos.org/pipermail/centos-announce/2010-July/078971.html
https://lists.centos.org/pipermail/centos-announce/2010-July/078972.html
Affected packages:
libpng
libpng-devel
libpng10
libpng10-devel
Upstream details at:
https://access.redhat.com/errata/RHSA-2010:0534
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
CentOS | 5 | i386 | libpng | < 1.2.10-7.1.el5_5.3 | libpng-1.2.10-7.1.el5_5.3.i386.rpm |
CentOS | 5 | i386 | libpng-devel | < 1.2.10-7.1.el5_5.3 | libpng-devel-1.2.10-7.1.el5_5.3.i386.rpm |
CentOS | 5 | x86_64 | libpng | < 1.2.10-7.1.el5_5.3 | libpng-1.2.10-7.1.el5_5.3.x86_64.rpm |
CentOS | 5 | x86_64 | libpng-devel | < 1.2.10-7.1.el5_5.3 | libpng-devel-1.2.10-7.1.el5_5.3.x86_64.rpm |
CentOS | 4 | i386 | libpng | < 1.2.7-3.el4_8.3 | libpng-1.2.7-3.el4_8.3.i386.rpm |
CentOS | 4 | i386 | libpng-devel | < 1.2.7-3.el4_8.3 | libpng-devel-1.2.7-3.el4_8.3.i386.rpm |
CentOS | 4 | x86_64 | libpng | < 1.2.7-3.el4_8.3 | libpng-1.2.7-3.el4_8.3.x86_64.rpm |