SuSE 10 Security Update : libpng (ZYPP Patch Number 2325)

2007-12-13T00:00:00
ID SUSE_LIBPNG-2325.NASL
Type nessus
Reporter Tenable
Modified 2014-10-28T00:00:00

Description

The sPLT chunk handling in libpng was incorrect, and a handcrafted PNG file could be used to cause an out-of-bounds read, effectively crashing the PNG viewer or web browser. (CVE-2006-5793)

Additionally, a 2-byte stack overflow was fixed, which we do not believe to be exploitable. It will cause an abort of the viewer or web browser in SUSE Linux 10.0 and newer due to string overflow checking. (CVE-2006-3334)

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

# Registration block: entered only when `description` is set. It declares the
# plugin's identity, advisory text, references and prerequisites, then leaves
# through exit(0) so none of the package checks further down are reached.
if (description)
{
  script_id(29507);
  script_version ("$Revision: 1.12 $");
  script_cvs_date("$Date: 2014/10/28 10:42:46 $");

  # Both CVEs are covered by the single vendor patch named in "solution".
  script_cve_id("CVE-2006-3334", "CVE-2006-5793");

  script_name(english:"SuSE 10 Security Update : libpng (ZYPP Patch Number 2325)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SuSE 10 host is missing a security-related patch."
  );
  # Advisory text as supplied by the vendor (see the copyright header).
  script_set_attribute(
    attribute:"description", 
    value:
"The sPLT chunk handling in libpng was incorrect and a handcrafted PNG
file could be use to cause an out-of-bounds read, effectively crashing
the PNG viewer or webbrowser. (CVE-2006-5793)

Additionally a 2 byte stackoverflow was fixed which we do not believe
to be exploitable. It will cause an abort of the viewer or webbrowser
in SUSE Linux 10.0 and newer due to string overflow checking.
(CVE-2006-3334)"
  );
  # One "see_also" attribute per CVE, pointing at the vendor's CVE pages.
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2006-3334.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2006-5793.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 2325.");
  # CVSS v2 base vector: network access, low complexity, no authentication,
  # partial confidentiality / integrity / availability impact.
  # NOTE(review): the description above speaks only of a viewer/browser crash
  # and an abort it does not believe exploitable; confirm this rating against
  # the linked CVE pages before using it to prioritise remediation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  # "local": the verdict comes from data about the host (see the required KB
  # keys below), not from probing a network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  # The plugin was published roughly a year after the patch itself.
  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2014 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  # ssh_get_info.nasl is declared as a dependency; presumably it is what fills
  # the Host/* KB entries required here (TODO confirm). Without those keys the
  # plugin cannot reach a verdict for the host.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("global_settings.inc");
include("rpm.inc");


# Preconditions. Every guard stops the plugin with an audit message rather
# than producing a verdict from incomplete data: exit(0, ...) where the check
# does not apply to this host, exit(1, ...) where information needed for the
# check is missing.
if (!get_kb_item("Host/local_checks_enabled"))
  exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release"))
  exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list"))
  exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
  exit(1, "Failed to determine the architecture type.");

# Only x86_64 and i386..i686 are handled. `><` is NASL's "is a substring of"
# test, so the first operand asks whether the cpu string occurs inside
# "x86_64". A host on any other architecture stops here with exit(1): it was
# not assessed, which is not the same as "not affected".
if (!((cpu >< "x86_64") || (cpu =~ "^i[3-6]86$")))
  exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");


# Compare the installed libpng packages against the fixed build 1.2.8-19.5.
# The same four packages are checked for the desktop (SLED10) and server
# (SLES10) releases, in the original order; the two -32bit packages are
# checked only with cpu:"x86_64". `flag` counts the rpm_check() calls that
# returned true.
#
# This is a package-version comparison only, and every call passes sp:0.
# NOTE(review): rpm_check() comes from rpm.inc, which is not shown here;
# presumably a host on a later service pack is not matched by these calls.
flag = 0;
foreach rel (make_list("SLED10", "SLES10"))
{
  if (rpm_check(release:rel, sp:0, reference:"libpng-1.2.8-19.5")) flag++;
  if (rpm_check(release:rel, sp:0, reference:"libpng-devel-1.2.8-19.5")) flag++;
  if (rpm_check(release:rel, sp:0, cpu:"x86_64", reference:"libpng-32bit-1.2.8-19.5")) flag++;
  if (rpm_check(release:rel, sp:0, cpu:"x86_64", reference:"libpng-devel-32bit-1.2.8-19.5")) flag++;
}


# Nothing outdated was found: leave with the "not affected" audit message.
if (!flag) exit(0, "The host is not affected.");

# At least one package is older than the fixed build. The finding is raised
# with security_hole() on port 0. When report verbosity is above zero, the
# text returned by rpm_report_get() is attached as extra detail.
if (report_verbosity > 0)
  security_hole(port:0, extra:rpm_report_get());
else
  security_hole(0);
exit(0);