Metric | Value |
---|---|
CVSS2 score | 4.3 Medium |
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
CVSS2 vector | AV:N/AC:M/Au:N/C:N/I:N/A:P |
EPSS | 0.013 Low |
EPSS percentile | 85.5% |
Libpng stalls and consumes large quantities of memory while processing certain Portable Network Graphics (PNG) files.
When processing PNG files containing highly compressed ancillary chunks, the png_decompress_chunk() function in libpng can consume large amounts of CPU time and memory. This resource consumption may hang applications that use libpng. More information is available in the PNG Development Group security advisory and supplementary document, Defending Libpng Applications Against Decompression Bombs.
This vulnerability could allow an unauthenticated, remote attacker to cause a denial of service.
Upgrade
The PNG Development Group has released versions 1.4.1, 1.2.43, and 1.0.53, which provide more efficient decompression of ancillary chunks. This update decreases resource consumption associated with chunk decompression, but may not provide a complete defense unless coupled with appropriate memory limits.
Set limits on memory usage and number of cached ancillary chunks
Libpng provides functions to limit memory consumption and number of cached ancillary chunks. Applications that use libpng should use these functions to set appropriate limits. Please see defense #2 in the document Defending Libpng Applications Against Decompression Bombs for more information.
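The same two limits can be applied in a pre-screening step before a file reaches libpng. The following is an added example, not code from this advisory or from libpng: it walks the PNG chunk list, caps the number of ancillary chunks, and inflates each compressed ancillary chunk (zTXt, iTXt, iCCP) with a hard output limit. The function names, the 1 MiB and 64-chunk defaults, and the sample file are assumptions made for the illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
COMPRESSED = (b"zTXt", b"iTXt", b"iCCP")  # ancillary chunks that carry zlib data

class PngLimitExceeded(Exception):
    """Raised when a file exceeds the caller's resource limits."""

def zlib_stream(ctype, data):
    """Return the zlib stream inside a compressed ancillary chunk, else None."""
    _name, sep, rest = data.partition(b"\x00")
    if ctype != b"iTXt":                 # zTXt/iCCP: method byte, then the stream
        return rest[1:] if sep and rest else None
    parts = rest[2:].split(b"\x00", 2)   # language tag, translated keyword, text
    return parts[2] if rest[:1] == b"\x01" and len(parts) == 3 else None

def screen_png(blob, max_inflated=1 << 20, max_ancillary=64):
    """Walk the chunks; return [(type, packed_len, inflated_len)] or raise."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, ancillary, report = len(PNG_SIG), 0, []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if pos + 12 + length > len(blob):
            raise ValueError("truncated chunk")
        data = blob[pos + 8:pos + 8 + length]
        pos += 12 + length                # length + type + data + CRC (CRC not verified)
        if ctype[0] & 0x20:               # lowercase first letter marks an ancillary chunk
            ancillary += 1
            if ancillary > max_ancillary:
                raise PngLimitExceeded("too many ancillary chunks")
        stream = zlib_stream(ctype, data) if ctype in COMPRESSED else None
        if stream is not None:
            out = zlib.decompressobj().decompress(stream, max_inflated + 1)  # bounded output
            if len(out) > max_inflated:
                raise PngLimitExceeded(ctype.decode() + " inflates past the limit")
            report.append((ctype.decode(), len(stream), len(out)))
        if ctype == b"IEND":
            break
    return report

def chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def sample_png(text_len):  # constructed sample: IHDR, one zTXt of text_len bytes, IEND
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    ztxt = chunk(b"zTXt", b"Comment\x00\x00" + zlib.compress(b"A" * text_len, 9))
    return PNG_SIG + ihdr + ztxt + chunk(b"IEND", b"")
```

A malformed zlib stream raises `zlib.error`, which a caller should treat as a rejection as well.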
Disable Ancillary Chunk Decoding
Developers who build versions of libpng can choose to ignore ancillary chunks by defining specific preprocessor macros. Please see defense #3 in the document Defending Libpng Applications Against Decompression Bombs for more information.
576029
Notified: February 16, 2010 Updated: March 02, 2010
Statement Date: February 25, 2010
Not Affected
Internet Initiative Japan, Inc. has indicated that it is not affected by this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: February 16, 2010 Updated: February 16, 2010
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
This issue was reported by the PNG Development Group.
This document was written by David Warren.
CVE IDs: | CVE-2010-0205 |
---|---|
Severity Metric: | 0.85 |
Date Public: | |