National Cyber-Alert System

Vulnerability Summary for CVE-2008-3964

Overview

Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4 before 1.4.0beta34, allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a PNG image with crafted zTXt chunks, related to (1) the png_push_read_zTXt function in pngread.c, and possibly related to (2) pngtest.c.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

Vendor Statments (disclaimer)

Official Statement from Red Hat (01/01/1900)

Not vulnerable. These issues did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

US-CERT Vulnerability Note: VU#889484

Name: VU#889484

Hyperlink:http://www.kb.cert.org/vuls/id/889484

External Source: CONFIRM

Name: http://sourceforge.net/project/shownotes.php?release_id=624518

Type: Patch Information

Hyperlink:http://sourceforge.net/project/shownotes.php?release_id=624518

External Source: XF

Name: libpng-pngpushreadztxt-dos(44928)

Hyperlink:http://xforce.iss.net/xforce/xfdb/44928

External Source: VUPEN

Name: ADV-2009-1560

Hyperlink:http://www.vupen.com/english/advisories/2009/1560

External Source: VUPEN

Name: ADV-2009-1462

Hyperlink:http://www.vupen.com/english/advisories/2009/1462

External Source: BID

Name: 31049

Hyperlink:http://www.securityfocus.com/bid/31049

External Source: MLIST

Name: [oss-security] 20080909 Re: CVE request (libpng)

Hyperlink:http://www.openwall.com/lists/oss-security/2008/09/09/8

External Source: MLIST

Name: [oss-security] 20080909 CVE request (libpng)

Hyperlink:http://www.openwall.com/lists/oss-security/2008/09/09/3

External Source: MANDRIVA

Name: MDVSA-2009:051

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2009:051

External Source: VUPEN

Name: ADV-2008-2512

Hyperlink:http://www.frsirt.com/english/advisories/2008/2512

External Source: CONFIRM

Name: http://support.avaya.com/elmodocs2/security/ASA-2009-208.htm

Hyperlink:http://support.avaya.com/elmodocs2/security/ASA-2009-208.htm

External Source: SUNALERT

Name: 259989

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-66-259989-1

External Source: CONFIRM

Name: http://sourceforge.net/tracker/index.php?func=detail&aid=2095669&group_id=5624&atid=105624

Hyperlink:http://sourceforge.net/tracker/index.php?func=detail&aid=2095669&group_id=5624&atid=105624

External Source: CONFIRM

Name: http://sourceforge.net/project/shownotes.php?group_id=5624&release_id=624517

Hyperlink:http://sourceforge.net/project/shownotes.php?group_id=5624&release_id=624517

External Source: MLIST

Name: [png-mng-implement] 20080918 libpng-1.0.40 and libpng-1.2.32 available

Hyperlink:http://sourceforge.net/mailarchive/forum.php?thread_name=e56ccc8f0809180317u6a5306fg14683947affb3e1b%40mail.gmail.com&forum_name=png-mng-implement

External Source: GENTOO

Name: GLSA-200812-15

Hyperlink:http://security.gentoo.org/glsa/glsa-200812-15.xml

External Source: SECUNIA

Name: 35386

Hyperlink:http://secunia.com/advisories/35386

External Source: SECUNIA

Name: 35302

Hyperlink:http://secunia.com/advisories/35302

External Source: SECUNIA

Name: 33137

Hyperlink:http://secunia.com/advisories/33137

External Source: SECUNIA

Name: 31781

Hyperlink:http://secunia.com/advisories/31781