libpng invalid sCAL chunk processing vulnerability

Overview

libpng reads uninitialized memory when processing invalid sCAL chunks.

Description

When libpng encounters a sCAL chunk that is empty it will read uninitialized memory. libpng also does not properly handle a sCAL chunk that lacks the terminating zero between the two strings conveyed.

Additional details can be found on the png-mng-implement mailing list archives.

---

Impact

By tricking a user into opening a specifically crafted PNG file within an application that uses libpng, an attacker may be able to cause a denial of service crash.

---

Solution

Apply an Update
This vulnerability is addressed in the following libpng versions: libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55

---

Vendor Information

819894

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

libpng Affected

Notified: July 07, 2011 Updated: July 07, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://libpng.sourceforge.net/&gt;
• http://sourceforge.net/mailarchive/forum.php?thread_name=003101cc2790%24fb5d6e80%24f2184b80%24%40acm.org&forum_name=png-mng-implement

Acknowledgements

Thanks to Glenn Randers-Pehrson for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:	CVE-2011-2692
Severity Metric:	0.65 Date Public: