Lucene search

[email protected]CVE-2010-0205

HistoryMar 03, 2010 - 7:30 p.m.

CVE-2010-0205

2010-03-0319:30:00

CWE-400

[email protected]

web.nvd.nist.gov

cve-2010-0205

libpng

denial of service

memory consumption

cpu consumption

application hang

decompression bomb

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

8.8 High

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

85.7%

JSON

The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a “decompression bomb” attack.

Affected configurations

NVD

Node

libpnglibpngRange1.0.0–1.0.53

libpnglibpngRange1.2.0–1.2.43

libpnglibpngRange1.4.0–1.4.1

Node

applemac_os_xRange<10.6.5

Node

fedoraprojectfedoraMatch11

fedoraprojectfedoraMatch12

fedoraprojectfedoraMatch13

Node

opensuseopensuseMatch11.0

opensuseopensuseMatch11.1

opensuseopensuseMatch11.2

suselinux_enterprise_serverMatch9

suselinux_enterprise_serverMatch10sp3

suselinux_enterprise_serverMatch11-

suselinux_enterprise_serverMatch11sp1

Node

canonicalubuntu_linuxMatch6.06

canonicalubuntu_linuxMatch8.04-

canonicalubuntu_linuxMatch8.10

canonicalubuntu_linuxMatch9.04

canonicalubuntu_linuxMatch9.10

Node

debiandebian_linuxMatch5.0

debiandebian_linuxMatch6.0

CPENameOperatorVersion
libpng:libpnglibpnglt1.0.53
libpng:libpnglibpnglt1.2.43
libpng:libpnglibpnglt1.4.1

CPE	Name	Operator	Version
libpng:libpng	libpng	lt	1.0.53
libpng:libpng	libpng	lt	1.2.43
libpng:libpng	libpng	lt	1.4.1

References

libpng.sourceforge.net/ADVISORY-1.4.1.html

libpng.sourceforge.net/decompression_bombs.html

lists.apple.com/archives/security-announce/2010//Nov/msg00000.html

lists.fedoraproject.org/pipermail/package-announce/2010-March/037237.html

lists.fedoraproject.org/pipermail/package-announce/2010-March/037355.html

lists.fedoraproject.org/pipermail/package-announce/2010-March/037364.html

lists.fedoraproject.org/pipermail/package-announce/2010-March/037607.html

lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html

lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html

lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html

lists.vmware.com/pipermail/security-announce/2010/000105.html

osvdb.org/62670

secunia.com/advisories/38774

secunia.com/advisories/39251

secunia.com/advisories/41574

support.apple.com/kb/HT4435

ubuntu.com/usn/usn-913-1

www.debian.org/security/2010/dsa-2032

www.kb.cert.org/vuls/id/576029

www.mandriva.com/security/advisories?name=MDVSA-2010:063

www.mandriva.com/security/advisories?name=MDVSA-2010:064

www.securityfocus.com/bid/38478

www.securitytracker.com/id?1023674

www.vmware.com/security/advisories/VMSA-2010-0014.html

www.vupen.com/english/advisories/2010/0517

www.vupen.com/english/advisories/2010/0605

www.vupen.com/english/advisories/2010/0626

www.vupen.com/english/advisories/2010/0637

www.vupen.com/english/advisories/2010/0667

www.vupen.com/english/advisories/2010/0682

www.vupen.com/english/advisories/2010/0686

www.vupen.com/english/advisories/2010/0847

www.vupen.com/english/advisories/2010/1107

www.vupen.com/english/advisories/2010/2491

exchange.xforce.ibmcloud.com/vulnerabilities/56661

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

8.8 High

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

85.7%

JSON

Related for CVE-2010-0205

nessus26 openvas37 fedora8 freebsd1 prion1 cert1 ubuntucve1 veracode1 securityvulns2 altlinux2 cvelist1 nvd1 ubuntu1 osv1 debian2 gentoo1 oraclelinux1 centos1 redhat1 kaspersky1 vmware2