CVSS2 | 5 Medium |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |
EPSS | 0.009 Low |
EPSS Percentile | 82.6% |
libpng versions 1.6.0 through 1.6.9 contain a denial-of-service vulnerability.
CWE-835: Loop with Unreachable Exit Condition ("Infinite Loop") - CVE-2014-0333
Glenn Randers-Pehrson of the PNG Development Group reports:
The progressive decoder in libpng16 enters an infinite loop, thus hanging the application, when it encounters a zero-length IDAT chunk. Only libpng-1.6.0 and later are affected, and only applications using the progressive reader… The loop consumes CPU time but no memory or other resources.
Decoding a malformed .png file may cause the target application to become unresponsive.
Apply an Update
The PNG Development Group has released a patch to address this issue for libpng versions 1.6.0 through 1.6.9. The patch can be found at both simplesystems.org and the libpng Sourceforge project.
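The condition named in the report, a zero-length IDAT chunk, can be checked for before a file is handed to an application that uses the progressive reader. The following is an added example, not code from libpng or the PNG Development Group; the function names are assumptions, and the sample inputs are constructed with zero-filled CRC fields, so they exercise the chunk layout only.

```python
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def zero_length_idat_offsets(data: bytes) -> list:
    """Return the byte offset of every IDAT chunk whose length field is 0.

    Raises ValueError if the signature is missing or a chunk is truncated.
    CRCs are not verified; this only walks the chunk layout.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    hits = []
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError(f"truncated chunk header at offset {pos}")
        # Each chunk: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
        length, ctype = struct.unpack_from(">I4s", data, pos)
        end = pos + 8 + length + 4
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        if ctype == b"IDAT" and length == 0:
            hits.append(pos)
        if ctype == b"IEND":
            break
        pos = end
    return hits


def _chunk(ctype: bytes, body: bytes = b"") -> bytes:
    # Constructed test data: the CRC field is zero-filled, not a real CRC.
    return struct.pack(">I", len(body)) + ctype + body + b"\x00" * 4


# Constructed samples (chunk layout only, not decodable images).
IHDR = _chunk(b"IHDR", b"\x00" * 13)
SAMPLE_CLEAN = PNG_SIGNATURE + IHDR + _chunk(b"IDAT", b"\x00" * 10) + _chunk(b"IEND")
SAMPLE_FLAGGED = (PNG_SIGNATURE + IHDR + _chunk(b"IDAT")
                  + _chunk(b"IDAT", b"\x00" * 10) + _chunk(b"IEND"))

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("flagged", SAMPLE_FLAGGED)):
        print(name, zero_length_idat_offsets(blob))
```

A non-empty result marks a file to hold back from hosts still running libpng 1.6.0 through 1.6.9; it does not replace applying the update.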
684412
Updated: February 25, 2014
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 4.3 | AV:N/AC:M/Au:N/C:N/I:N/A:P |
Temporal | 3.6 | E:F/RL:OF/RC:C |
Environmental | 3.6 | CDP:N/TD:H/CR:ND/IR:ND/AR:ND |
Thanks to Glenn Randers-Pehrson for reporting this vulnerability.
This document was written by Todd Lewellen.
CVE IDs: | CVE-2014-0333 |
---|---|
Date Public: | 2014-02-25 |
Date First Published: | |