CVE-2021-4214

2022-08-2400:00:00

ubuntu.com

heap overflow flaw

libpngs' pngimage.c program

attacker with local network access

specially crafted png file

denial of service

not-affected

firefox

unix

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

19.9%

JSON

A heap overflow flaw was found in libpngs’ pngimage.c program. This flaw
allows an attacker with local network access to pass a specially crafted
PNG file to the pngimage utility, causing an application to crash, leading
to a denial of service.

Bugs

<https://github.com/glennrp/libpng/issues/302>

Notes

Author	Note
mdeslaur	The pngimage utility is only used during build to test well-known inputs. It is not shipped in the resulting binary packages, so while the vulnerable code exists in the libpng1.6 source package it is not used in an insecure way and is not present on end-user systems. Marking as not-affected. Code is not compiled at all in firefox.