Source: Ubuntu.com (ubuntucve), ID UB:CVE-2007-5269
Published: Oct 08, 2007 - 12:00 a.m.

CVE-2007-5269


CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.208 Low
Percentile: 96.3%

Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21
allow remote attackers to cause a denial of service (crash) via crafted (1)
pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt
(png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT
(png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read
operations.

Notes

Author: jdstrand

Note:

assigned medium because of wide install base

looking at diff between 1.2.20 and 1.2.21, it appears that Ubuntu is affected, though Debian thinks not. After weeding out the changes, there are 9 chunks over pngpread.c and pngrutil.c that appear to be for this CVE (the original patch improperly used png_strncpy, where our versions have png_strcpy). TODO: get a reproducer and/or verify png_strcpy is really not vulnerable.

after talking on IRC, Debian agreed they are in fact affected

2007/10/24 RH update: https://rhn.redhat.com/errata/RHSA-2007-0992.html RH has added code to pngrtran.c that was not included upstream. Sticking with changes to pngpread.c and pngrutil.c until upstream can provide a reproducer.

| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 6.06 | noarch | libpng | < 1.2.8rel-5ubuntu0.3 | UNKNOWN |
| ubuntu | 6.10 | noarch | libpng | < 1.2.8rel-5.1ubuntu0.3 | UNKNOWN |
| ubuntu | 7.04 | noarch | libpng | < 1.2.15~beta5-1ubuntu1.1 | UNKNOWN |
| ubuntu | 7.10 | noarch | libpng | < 1.2.15~beta5-2ubuntu0.1 | UNKNOWN |
