According to the versions of the libpng package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.(CVE-2011-3048)
The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.(CVE-2011-2692)
It was discovered that the png_get_PLTE() and png_set_PLTE() functions of libpng did not correctly calculate the maximum palette sizes for bit depths of less than 8. In case an application tried to use these functions in combination with properly calculated palette sizes, this could lead to a buffer overflow or out-of-bounds reads. An attacker could exploit this to cause a crash or potentially execute arbitrary code by tricking an unsuspecting user into processing a specially crafted PNG image. However, the exact impact is dependent on the application using the library.(CVE-2015-8472)
The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.(CVE-2011-2691)
Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.(CVE-2015-8540)
Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation.(CVE-2011-3026)
An array-indexing error was discovered in the png_convert_to_rfc1123() function of libpng. An attacker could possibly use this flaw to cause an out-of-bounds read by tricking an unsuspecting user into processing a specially crafted PNG image.(CVE-2015-7981)
Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.(CVE-2011-2690)
The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.(CVE-2011-2501)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(124924);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id(
"CVE-2011-2501",
"CVE-2011-2690",
"CVE-2011-2691",
"CVE-2011-2692",
"CVE-2011-3026",
"CVE-2011-3048",
"CVE-2015-7981",
"CVE-2015-8472",
"CVE-2015-8540"
);
script_bugtraq_id(
48474,
48618,
48660,
52031,
52049,
52830
);
script_name(english:"EulerOS Virtualization 3.0.1.0 : libpng (EulerOS-SA-2019-1421)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the libpng package installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :
- The png_set_text_2 function in pngset.c in libpng 1.0.x
before 1.0.59, 1.2.x before 1.2.49, 1.4.x before
1.4.11, and 1.5.x before 1.5.10 allows remote attackers
to cause a denial of service (crash) or execute
arbitrary code via a crafted text chunk in a PNG image
file, which triggers a memory allocation failure that
is not properly handled, leading to a heap-based buffer
overflow.(CVE-2011-3048)
- The png_handle_sCAL function in pngrutil.c in libpng
1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before
1.4.8, and 1.5.x before 1.5.4 does not properly handle
invalid sCAL chunks, which allows remote attackers to
cause a denial of service (memory corruption and
application crash) or possibly have unspecified other
impact via a crafted PNG image that triggers the
reading of uninitialized memory.(CVE-2011-2692)
- It was discovered that the png_get_PLTE() and
png_set_PLTE() functions of libpng did not correctly
calculate the maximum palette sizes for bit depths of
less than 8. In case an application tried to use these
functions in combination with properly calculated
palette sizes, this could lead to a buffer overflow or
out-of-bounds reads. An attacker could exploit this to
cause a crash or potentially execute arbitrary code by
tricking an unsuspecting user into processing a
specially crafted PNG image. However, the exact impact
is dependent on the application using the
library.(CVE-2015-8472)
- The png_err function in pngerror.c in libpng 1.0.x
before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8,
and 1.5.x before 1.5.4 makes a function call using a
NULL pointer argument instead of an empty-string
argument, which allows remote attackers to cause a
denial of service (application crash) via a crafted PNG
image.(CVE-2011-2691)
- Integer underflow in the png_check_keyword function in
pngwutil.c in libpng 0.90 through 0.99, 1.0.x before
1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x
before 1.4.19, and 1.5.x before 1.5.26 allows remote
attackers to have unspecified impact via a space
character as a keyword in a PNG image, which triggers
an out-of-bounds read.(CVE-2015-8540)
- Integer overflow in libpng, as used in Google Chrome
before 17.0.963.56, allows remote attackers to cause a
denial of service or possibly have unspecified other
impact via unknown vectors that trigger an integer
truncation.(CVE-2011-3026)
- An array-indexing error was discovered in the
png_convert_to_rfc1123() function of libpng. An
attacker could possibly use this flaw to cause an
out-of-bounds read by tricking an unsuspecting user
into processing a specially crafted PNG
image.(CVE-2015-7981)
- Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x
before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before
1.5.4, when used by an application that calls the
png_rgb_to_gray function but not the png_set_expand
function, allows remote attackers to overwrite memory
with an arbitrary amount of data, and possibly have
unspecified other impact, via a crafted PNG
image.(CVE-2011-2690)
- The png_format_buffer function in pngerror.c in libpng
1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before
1.4.8, and 1.5.x before 1.5.4 allows remote attackers
to cause a denial of service (application crash) via a
crafted PNG image that triggers an out-of-bounds read
during the copying of error-message data. NOTE: this
vulnerability exists because of a CVE-2004-0421
regression. NOTE: this is called an off-by-one error by
some sources.(CVE-2011-2501)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1421
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d1d8567b");
script_set_attribute(attribute:"solution", value:
"Update the affected libpng packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libpng");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["libpng-1.5.13-7.1.h2.eulerosv2r7"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpng");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2501
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2690
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2691
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2692
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7981
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8472
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8540
www.nessus.org/u?d1d8567b