Signature Detail

HTTP: LibPNG Transparency Chunk Length Buffer Overflow

This signature detects attempts to exploit a known vulnerability in the way libpng handles the transparency chunk of a PNG image. A successful attack could allow the attacker to execute arbitrary code on the targeted system. Failed exploit attempts could result in a denial of service condition.

Extended Description

The libpng graphics library is reported prone to multiple vulnerabilities. The following issues are reported: - A stack-based buffer-overrun vulnerability resides in the libpng library (CAN-2004-0597). A remote attacker may exploit this condition by supplying a malicious image to an unsuspecting user. When this image is viewed, the vulnerability may be triggered, resulting in code execution in the context of the user that viewed the malicious image. - A denial-of-service vulnerability affects libpng (CAN-2004-0598). A remote attacker may exploit this condition by supplying a malicious image to an unsuspecting user. When the malicious image is viewed, a NULL-pointer dereference will occur, resulting in a crash of the application that is linked to the vulnerable library. - Several integer-overrun vulnerabilities reside in png_handle_sPLT(), png_read_png(), and other functions of libpng (CAN-2004-0599). A remote attacker may exploit the integer-overrun issues by supplying a malicious image to an unsuspecting user. When the malicious image is viewed, an integer value may wrap or may be interpreted incorrectly, resulting in a crash of the application that is linked to the vulnerable library or possibly arbitrary code execution. This BID will be split into independent BIDs when further analysis of these issues is complete. ** Update: Microsoft MSN Messenger and Windows Messenger use an affected version of the libpng library and are therefore affected by this vulnerability. Reportedly, attackers can exploit this while sending images through supported functionality to unsuspecting users running the vulnerable software. Please see the Core Security Technologies Advisory for more information.

Affected Products

• Adobe SVG Viewer 3.0.0
• Adobe SVG Viewer 3.0.0 1
• Adobe SVG Viewer 3.0.0 2
• Apple Mac OS X 10.2.8
• Apple Mac OS X 10.3.4
• Apple Mac OS X Server 10.2.8
• Apple Mac OS X Server 10.3.4
• Avaya Network Routing
• Compaq Tru64 5.1.0 a PK6(BL24)
• Compaq Tru64 5.1.0 b PK3(BL24)
• Compaq Tru64 5.1.0 b PK4 (BL25)
• Conectiva Linux 10.0.0
• Conectiva Linux 8.0.0
• Conectiva Linux 9.0.0
• Debian Linux 3.0.0
• Debian Linux 3.0.0 Alpha
• Debian Linux 3.0.0 Arm
• Debian Linux 3.0.0 Hppa
• Debian Linux 3.0.0 Ia-32
• Debian Linux 3.0.0 Ia-64
• Debian Linux 3.0.0 M68k
• Debian Linux 3.0.0 Mips
• Debian Linux 3.0.0 Mipsel
• Debian Linux 3.0.0 Ppc
• Debian Linux 3.0.0 S/390
• Debian Linux 3.0.0 Sparc
• Gentoo Linux 1.2.0
• Gentoo Linux 1.4.0
• GraphicsMagick 1.0.0
• GraphicsMagick 1.0.6
• GraphicsMagick 1.1.0
• HP Tru64 5.1.0 a PK4 (BL21)
• HP Tru64 5.1.0 B
• ImageMagick 5.4.3
• ImageMagick 5.4.4 .5
• ImageMagick 5.4.8 .2-1.1.0
• ImageMagick 5.5.3 .2-1.2.0
• ImageMagick 5.5.6 .0-20030409
• libpng 1.0.0
• libpng 1.0.10
• libpng 1.0.11
• libpng 1.0.12
• libpng 1.0.13
• libpng 1.0.14
• libpng 1.0.5
• libpng 1.0.6
• libpng 1.0.7
• libpng 1.0.8
• libpng 1.0.9
• libpng libpng3 1.2.0 .0
• libpng libpng3 1.2.1
• libpng libpng3 1.2.2
• libpng libpng3 1.2.3
• libpng libpng3 1.2.4
• libpng libpng3 1.2.5
• Mandriva Corporate Server 2.1.0
• Mandriva Corporate Server 2.1.0 X86 64
• Mandriva Corporate Server 3.0.0
• Mandriva Corporate Server 3.0.0 X86 64
• Mandriva Corporate Server 4.0
• Mandriva Corporate Server 4.0.0 X86 64
• Mandriva Linux Mandrake 10.0.0
• Mandriva Linux Mandrake 10.0.0 amd64
• Mandriva Linux Mandrake 2006.0.0
• Mandriva Linux Mandrake 2006.0.0 X86 64
• Mandriva Linux Mandrake 2007.0
• Mandriva Linux Mandrake 2007.0 X86 64
• Mandriva Linux Mandrake 9.1.0
• Mandriva Linux Mandrake 9.1.0 Ppc
• Mandriva Linux Mandrake 9.2.0
• Mandriva Linux Mandrake 9.2.0 amd64
• Mandriva Multi Network Firewall 2.0.0
• Microsoft MSN Messenger Service 6.1
• Microsoft MSN Messenger Service 6.2
• Microsoft Windows Messenger 4.7.0.2009
• Microsoft Windows Messenger 4.7.0.3000
• Microsoft Windows Messenger 5.0
• Microsoft Windows XP 64-bit Edition Version 2003 SP1
• Microsoft Windows XP 64-bit Edition Version 2003
• Microsoft Windows XP Home SP1
• Microsoft Windows XP Media Center Edition SP1
• Microsoft Windows XP Professional SP1
• Microsoft Windows XP Tablet PC Edition SP1
• Mozilla Browser 0.8.0
• Mozilla Browser 0.9.2
• Mozilla Browser 0.9.2 .1
• Mozilla Browser 0.9.3
• Mozilla Browser 0.9.35
• Mozilla Browser 0.9.4
• Mozilla Browser 0.9.4 .1
• Mozilla Browser 0.9.48
• Mozilla Browser 0.9.5
• Mozilla Browser 0.9.6
• Mozilla Browser 0.9.7
• Mozilla Browser 0.9.8
• Mozilla Browser 0.9.9
• Mozilla Browser 1.0.0
• Mozilla Browser 1.0.0 RC1
• Mozilla Browser 1.0.0 RC2
• Mozilla Browser 1.0.1
• Mozilla Browser 1.0.2
• Mozilla Browser 1.1.0
• Mozilla Browser 1.1.0 Alpha
• Mozilla Browser 1.1.0 Beta
• Mozilla Browser 1.2.0
• Mozilla Browser 1.2.0 Alpha
• Mozilla Browser 1.2.0 Beta
• Mozilla Browser 1.2.1
• Mozilla Browser 1.3.0
• Mozilla Browser 1.3.1
• Mozilla Browser 1.4.0
• Mozilla Browser 1.4.0 A
• Mozilla Browser 1.4.0 B
• Mozilla Browser 1.4.1
• Mozilla Browser 1.4.2
• Mozilla Browser 1.5.0
• Mozilla Browser 1.6.0
• Mozilla Browser 1.7.0
• Mozilla Browser 1.7.0 Rc3
• Mozilla Browser 1.7.1
• Mozilla Firebird 0.5.0
• Mozilla Firebird 0.6.1
• Mozilla Firebird 0.7.0
• Mozilla Firefox 0.8.0
• Mozilla Firefox 0.9.0
• Mozilla Firefox 0.9.0 Rc
• Mozilla Firefox 0.9.1
• Mozilla Firefox 0.9.2
• Mozilla Thunderbird 0.7.0
• Mozilla Thunderbird 0.7.1
• Mozilla Thunderbird 0.7.2
• Netscape Communicator 7.0
• Nortel Networks IP softphone 2050
• Nortel Networks Mobile Voice Client 2050
• Nortel Networks Optivity Telephony Manager (OTM)
• Nortel Networks Symposium Call Center Server (SCCS)
• OpenPKG 2.0.0
• OpenPKG 2.1.0
• OpenPKG Current
• Red Hat Desktop 3.0.0
• Red Hat Enterprise Linux AS 2.1
• Red Hat Enterprise Linux AS 3
• Red Hat Enterprise Linux ES 2.1
• Red Hat Enterprise Linux ES 3
• Red Hat Enterprise Linux WS 2.1
• Red Hat Enterprise Linux WS 3
• Red Hat Fedora Core1
• Red Hat Fedora Core2
• Red Hat Linux 7.3.0
• Red Hat Linux 7.3.0 I386
• Red Hat Linux 7.3.0 I686
• Red Hat Linux 9.0.0 I386
• Red Hat Linux Advanced Work Station 2.1.0
• SCO Unixware 7.1.4
• SGI Advanced Linux Environment 3.0.0
• Sun Java Desktop System (JDS) 1.0.0
• Sun Java Desktop System (JDS) 2.0.0
• Sun Solaris 1.1.4-JL
• Sun Solaris 8 Sparc
• Sun Solaris 8 X86
• Sun Solaris 9 Sparc
• Sun Solaris 9 X86
• SuSE Linux 7.0.0
• SuSE Linux 7.0.0 Alpha
• SuSE Linux 7.0.0 i386
• SuSE Linux 7.0.0 ppc
• SuSE Linux 7.0.0 sparc
• SuSE Linux 7.1.0
• SuSE Linux 7.1.0 Alpha
• SuSE Linux 7.1.0 ppc
• SuSE Linux 7.1.0 sparc
• SuSE Linux 7.1.0 x86
• SuSE Linux 7.2.0
• SuSE Linux 7.2.0 i386
• SuSE Linux 7.3.0
• SuSE Linux 7.3.0 i386
• SuSE Linux 7.3.0 ppc
• SuSE Linux 7.3.0 sparc
• SuSE Linux 8.0.0
• SuSE Linux 8.0.0 i386
• SuSE Linux 8.1.0
• SuSE Linux Desktop 1.0.0
• SuSE Linux Personal 8.2.0
• SuSE Linux Personal 9.0.0
• SuSE Linux Personal 9.0.0 X86 64
• SuSE Linux Personal 9.1.0
• SuSE SUSE Linux Enterprise Server 8
• Trustix Secure Enterprise Linux 2.0.0
• Trustix Secure Linux 2.0.0
• Trustix Secure Linux 2.1.0
• Turbolinux Appliance Server Hosting Edition 1.0.0
• Turbolinux Appliance Server Workgroup Edition 1.0.0
• Turbolinux Turbolinux Advanced Server 6.0.0
• Turbolinux Turbolinux Desktop 10.0.0
• Turbolinux Turbolinux Server 6.1.0
• Turbolinux Turbolinux Server 6.5.0
• Turbolinux Turbolinux Server 7.0.0
• Turbolinux Turbolinux Server 8.0.0
• Turbolinux Turbolinux Workstation 6.0.0
• Turbolinux Turbolinux Workstation 7.0.0
• Turbolinux Turbolinux Workstation 8.0.0

References

• BugTraq: 10857
• CVE: CVE-2004-0597
• URL: http://www.kb.cert.org/vuls/id/388984