libpng fails to properly check length of transparency chunk (tRNS) data

2004-08-04T00:00:00
ID VU:388984
Type cert
Reporter CERT
Modified 2005-06-14T00:00:00

Description

Overview

The Portable Network Graphics library (libpng) contains a remotely exploitable vulnerability, which could lead to arbitrary code execution on an affected system.

Description

The Portable Network Graphics (PNG) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format.

According to the PNG Chunk Specification, PNG images contain a series of chunks including the required IHDR, IDAT, and IEND chunks. In addition to these required chunks, a PNG image may contain one or more optional chunks. The optional tRNS chunk specifies simple transparency, and its layout depends on the image's colour type. If no PLTE chunk precedes the tRNS chunk, a logic error in the code responsible for validating the data segment of the tRNS chunk may lead to a buffer overflow condition.

The buffer overflow vulnerability occurs in the png_handle_tRNS() function, which parses the tRNS chunk and is responsible for validating it. When processing malformed PNG images, this function may fail to properly validate the length of the transparency chunk (tRNS) data before copying it into a fixed-size buffer.
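As an added illustration (not code from the advisory, from libpng, or from CERT), the following C program models the check described above. A minimal chunk walker runs over a constructed in-memory PNG and applies one of two tRNS checks: one mirroring the pre-fix control flow, where the length comparison is skipped whenever no PLTE chunk has been seen, and a corrected one that rejects a tRNS chunk with no preceding PLTE and bounds the length by both the palette size and the 256-entry buffer. The struct, the function names, and the sample byte stream are assumptions made for this demo; chunk CRCs are not validated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PNG_MAX_PALETTE_LENGTH 256   /* size of the fixed buffer the chunk is read into */
#define COLOR_TYPE_PALETTE 3

static const uint8_t png_sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};

/* Hypothetical parser state carried across chunks (stands in for png_struct fields). */
struct png_state {
    int color_type;
    int have_plte;
    uint32_t num_palette;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Pre-fix logic as described in the advisory: with PLTE absent only a warning is
 * issued and the length comparison is skipped, so any non-zero length is accepted.
 * Returns 1 if `length` bytes would be copied into the 256-byte buffer, else 0. */
int trns_accepted_vulnerable(const struct png_state *st, uint32_t length) {
    if (st->color_type != COLOR_TYPE_PALETTE) return 0;   /* other colour types not modelled */
    if (!st->have_plte) {
        /* "Missing PLTE before tRNS": warning only, falls through without a length check */
    } else if (length > st->num_palette) {
        return 0;                                         /* "Incorrect tRNS chunk length" */
    }
    if (length == 0) return 0;
    return 1;
}

/* Corrected logic: tRNS before PLTE is an error, and the length is bounded by the
 * palette size and by the buffer size regardless of parser state. */
int trns_accepted_fixed(const struct png_state *st, uint32_t length) {
    if (st->color_type != COLOR_TYPE_PALETTE) return 0;
    if (!st->have_plte) return 0;
    if (length == 0 || length > st->num_palette || length > PNG_MAX_PALETTE_LENGTH) return 0;
    return 1;
}

/* Walk the chunk stream and count tRNS chunks that the chosen check accepts even
 * though their length exceeds the 256-byte buffer (overflows it fails to prevent).
 * Returns -1 if the stream is not a PNG or a chunk runs past the end of the buffer. */
int count_unprevented_overflows(const uint8_t *buf, size_t len,
                                int (*accept)(const struct png_state *, uint32_t)) {
    struct png_state st = {0, 0, 0};
    size_t off = 8;
    int hits = 0;
    if (len < 8 || memcmp(buf, png_sig, 8) != 0) return -1;
    while (off + 12 <= len) {
        uint32_t dlen = be32(buf + off);
        const uint8_t *type = buf + off + 4;
        const uint8_t *data = buf + off + 8;
        if (dlen > len - off - 12) return -1;             /* declared length past end of data */
        if (memcmp(type, "IHDR", 4) == 0 && dlen == 13) {
            st.color_type = data[9];                      /* colour type byte of IHDR */
        } else if (memcmp(type, "PLTE", 4) == 0) {
            st.have_plte = 1;
            st.num_palette = dlen / 3;                    /* one RGB triple per entry */
        } else if (memcmp(type, "tRNS", 4) == 0) {
            if (accept(&st, dlen) && dlen > PNG_MAX_PALETTE_LENGTH) hits++;
        } else if (memcmp(type, "IEND", 4) == 0) {
            break;
        }
        off += 12 + dlen;
    }
    return hits;
}

/* Append one chunk (length, type, data, zeroed CRC placeholder). Returns bytes written. */
static size_t put_chunk(uint8_t *out, const char type[4], const uint8_t *data, uint32_t dlen) {
    out[0] = (uint8_t)(dlen >> 24); out[1] = (uint8_t)(dlen >> 16);
    out[2] = (uint8_t)(dlen >> 8);  out[3] = (uint8_t)dlen;
    memcpy(out + 4, type, 4);
    if (dlen) memcpy(out + 8, data, dlen);
    memset(out + 8 + dlen, 0, 4);
    return 12 + dlen;
}

/* Constructed sample: signature, IHDR (4x4, 8-bit, palette colour type), a 300-byte
 * tRNS chunk with no PLTE before it, then IEND. Returns total length (357) or 0. */
size_t build_sample(uint8_t *out, size_t cap) {
    static const uint8_t ihdr[13] = {0, 0, 0, 4, 0, 0, 0, 4, 8, COLOR_TYPE_PALETTE, 0, 0, 0};
    uint8_t trns[300];
    size_t n;
    if (cap < 8 + 25 + 312 + 12) return 0;
    memset(trns, 0xff, sizeof trns);
    memcpy(out, png_sig, 8); n = 8;
    n += put_chunk(out + n, "IHDR", ihdr, 13);
    n += put_chunk(out + n, "tRNS", trns, sizeof trns);   /* deliberately no PLTE first */
    n += put_chunk(out + n, "IEND", NULL, 0);
    return n;
}

/* Build the sample and run either check over it; see count_unprevented_overflows. */
int sample_overflow_count(int use_fixed) {
    uint8_t buf[512];
    size_t n = build_sample(buf, sizeof buf);
    if (n == 0) return -1;
    return count_unprevented_overflows(buf, n, use_fixed ? trns_accepted_fixed : trns_accepted_vulnerable);
}

int main(void) {
    printf("pre-fix check lets %d oversized tRNS chunk(s) through\n", sample_overflow_count(0));
    printf("fixed check lets %d through\n", sample_overflow_count(1));
    return 0;
}
```

The walker is also usable as a simple scanner for the malformed condition: any palette image whose tRNS chunk appears before PLTE, or whose tRNS length exceeds the palette, is rejected by the corrected check and is worth treating as hostile input.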

Multiple applications support the PNG image format, including web browsers, email clients, and various graphic utilities. Because multiple products have used the libpng reference library to implement native PNG image processing, multiple applications will be affected by this issue in different ways.

Please note that this vulnerability is known to exist in Microsoft Windows Messenger and MSN Messenger. Please see MS05-009 for more details. For information regarding how this vulnerability affects Microsoft Internet Explorer, refer to MS05-025.


Impact

By introducing a malformed PNG image to a vulnerable application, a remote attacker could cause the application to crash or potentially execute arbitrary code with the privileges of the current user.


Solution

Apply a patch from the vendor

Patches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Apple Computer Inc.| | 16 Jul 2004| 17 May 2005
Gentoo| | -| 20 Aug 2004
libpng.org| | 16 Jul 2004| 04 Aug 2004
Microsoft Corporation| | 16 Jul 2004| 14 Jun 2005
MontaVista Software| | 16 Jul 2004| 04 Aug 2004
OpenPKG| | -| 20 Aug 2004
Slackware| | -| 20 Aug 2004
SuSE Inc.| | 16 Jul 2004| 27 Jul 2004
Trustix Secure Linux| | -| 20 Aug 2004
Juniper Networks| | 16 Jul 2004| 27 Jul 2004
NEC Corporation| | 16 Jul 2004| 02 Aug 2004
BSDI| | -| 23 Jul 2004
Conectiva| | -| 23 Jul 2004
Cray Inc.| | -| 23 Jul 2004
Debian| | -| 23 Jul 2004

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://scary.beasts.org/security/CESA-2004-001.txt>
  • <http://www.libpng.org/pub/png/>
  • <http://libpng.sourceforge.net/>
  • <http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html>
  • <http://www.microsoft.com/technet/security/Bulletin/MS05-009.mspx>

Credit

Thanks to Chris Evans for reporting this vulnerability.

This document was written by Chad Dougherty and Damon Morda.

Other Information

  • CVE IDs: CAN-2004-0597
  • Date Public: 04 Aug 2004
  • Date First Published: 04 Aug 2004
  • Date Last Updated: 14 Jun 2005
  • Severity Metric: 20.11
  • Document Revision: 37