ID CVE-2006-3334
Summary Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to "chunk error processing," possibly involving the "chunk_name".
References
Vulnerable Configurations
  • cpe:2.3:a:greg_roelofs:libpng:1.2.0
  • cpe:2.3:a:greg_roelofs:libpng:1.2.1
  • cpe:2.3:a:greg_roelofs:libpng:1.2.2
  • cpe:2.3:a:greg_roelofs:libpng:1.2.3
  • cpe:2.3:a:greg_roelofs:libpng:1.2.4
  • cpe:2.3:a:greg_roelofs:libpng:1.2.5
  • cpe:2.3:a:greg_roelofs:libpng:1.2.6
  • cpe:2.3:a:greg_roelofs:libpng:1.2.7
  • cpe:2.3:a:greg_roelofs:libpng:1.2.7rc1
  • cpe:2.3:a:greg_roelofs:libpng:1.2.8
  • cpe:2.3:a:greg_roelofs:libpng:1.2.9
  • cpe:2.3:a:greg_roelofs:libpng:1.2.10
  • cpe:2.3:a:greg_roelofs:libpng:1.2.11
CVSS
Base: 7.5 (as of 03-07-2006 - 13:10)
Impact:
Exploitability:
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200607-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-200607-06 (libpng: Buffer overflow) In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow. Impact : By enticing a user to load a maliciously crafted PNG image, an attacker could execute arbitrary code with the rights of the user, or crash the application using the libpng library, such as the emul-linux-x86-baselibs. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 22080
    published 2006-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22080
    title GLSA-200607-06 : libpng: Buffer overflow
  • NASL family SuSE Local Security Checks
    NASL id SUSE_LIBPNG-2322.NASL
    description The sPLT chunk handling in libpng was incorrect and a handcrafted PNG file could be used to cause an out-of-bounds read, effectively crashing the PNG viewer or web browser. (CVE-2006-5793) Additionally a 2 byte stack overflow was fixed which we do not believe to be exploitable. It will cause an abort of the viewer or web browser in SUSE Linux 10.0 and newer due to string overflow checking. (CVE-2006-3334)
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27329
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27329
    title openSUSE 10 Security Update : libpng (libpng-2322)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200812-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-200812-15 (POV-Ray: User-assisted execution of arbitrary code) POV-Ray uses a statically linked copy of libpng to view and output PNG files. The version shipped with POV-Ray is vulnerable to CVE-2008-3964, CVE-2008-1382, CVE-2006-3334, CVE-2006-0481, CVE-2004-0768. A bug in POV-Ray's build system caused it to load the old version when your installed copy of libpng was >=media-libs/libpng-1.2.10. Impact : An attacker could entice a user to load a specially crafted PNG file as a texture, resulting in the execution of arbitrary code with the permissions of the user running the application. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 35107
    published 2008-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35107
    title GLSA-200812-15 : POV-Ray: User-assisted execution of arbitrary code
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-211.NASL
    description PXELINUX is a PXE bootloader. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities : Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to 'chunk error processing,' possibly involving the 'chunk_name'. (CVE-2006-3334) It is questionable whether this issue is actually exploitable, but the patch to correct the issue has been included in versions < 1.2.12. Tavis Ormandy, of the Gentoo Linux Security Auditing Team, discovered a typo in png_set_sPLT() that may cause an application using libpng to read out of bounds, resulting in a crash. (CVE-2006-5793) Packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24596
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24596
    title Mandrake Linux Security Advisory : pxelinux (MDKSA-2006:211)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-209.NASL
    description Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to 'chunk error processing,' possibly involving the 'chunk_name'. (CVE-2006-3334) It is questionable whether this issue is actually exploitable, but the patch to correct the issue has been included in versions < 1.2.12. Tavis Ormandy, of the Gentoo Linux Security Auditing Team, discovered a typo in png_set_sPLT() that may cause an application using libpng to read out of bounds, resulting in a crash. (CVE-2006-5793) Packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24594
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24594
    title Mandrake Linux Security Advisory : libpng (MDKSA-2006:209)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_LIBPNG-2325.NASL
    description The sPLT chunk handling in libpng was incorrect and a handcrafted PNG file could be used to cause an out-of-bounds read, effectively crashing the PNG viewer or web browser. (CVE-2006-5793) Additionally a 2 byte stack overflow was fixed which we do not believe to be exploitable. It will cause an abort of the viewer or web browser in SUSE Linux 10.0 and newer due to string overflow checking. (CVE-2006-3334)
    last seen 2019-02-21
    modified 2014-10-28
    plugin id 29507
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29507
    title SuSE 10 Security Update : libpng (ZYPP Patch Number 2325)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-210.NASL
    description SYSLINUX is a boot loader for the Linux operating system which operates off an MS-DOS/Windows FAT filesystem. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities : Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to 'chunk error processing,' possibly involving the 'chunk_name'. (CVE-2006-3334) It is questionable whether this issue is actually exploitable, but the patch to correct the issue has been included in versions < 1.2.12. Tavis Ormandy, of the Gentoo Linux Security Auditing Team, discovered a typo in png_set_sPLT() that may cause an application using libpng to read out of bounds, resulting in a crash. (CVE-2006-5793) Packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24595
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24595
    title Mandrake Linux Security Advisory : syslinux (MDKSA-2006:210)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2008-002.NASL
    description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-002 applied. This update contains several security fixes for a number of programs.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 31605
    published 2008-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31605
    title Mac OS X Multiple Vulnerabilities (Security Update 2008-002)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-213.NASL
    description Chromium is an OpenGL-based shoot them up game with fine graphics. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities : Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to 'chunk error processing,' possibly involving the 'chunk_name'. (CVE-2006-3334) It is questionable whether this issue is actually exploitable, but the patch to correct the issue has been included in versions < 1.2.12. In addition, a patch to address several old vulnerabilities has been applied to this build. (CVE-2002-1363, CVE-2004-0421, CVE-2004-0597, CVE-2004-0598, CVE-2004-0599) Packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24598
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24598
    title Mandrake Linux Security Advisory : chromium (MDKSA-2006:213)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-212.NASL
    description Doxygen is a documentation system for C, C++ and IDL. It is built with a private copy of libpng, and as such could be susceptible to some of the same vulnerabilities : Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to 'chunk error processing,' possibly involving the 'chunk_name'. (CVE-2006-3334) It is questionable whether this issue is actually exploitable, but the patch to correct the issue has been included in versions < 1.2.12. Tavis Ormandy, of the Gentoo Linux Security Auditing Team, discovered a typo in png_set_sPLT() that may cause an application using libpng to read out of bounds, resulting in a crash. (CVE-2006-5793) In addition, a patch to address several old vulnerabilities has been applied to this build. (CVE-2002-1363, CVE-2004-0421, CVE-2004-0597, CVE-2004-0598, CVE-2004-0599) Packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24597
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24597
    title Mandrake Linux Security Advisory : doxygen (MDKSA-2006:212)
refmap via4
apple APPLE-SA-2008-03-18
bid 18698
bugtraq 20060719 rPSA-2006-0133-1 libpng
confirm
gentoo
  • GLSA-200607-06
  • GLSA-200812-15
mandriva
  • MDKSA-2006:209
  • MDKSA-2006:210
  • MDKSA-2006:211
  • MDKSA-2006:212
  • MDKSA-2006:213
secunia
  • 20960
  • 22956
  • 22957
  • 22958
  • 23335
  • 29420
  • 33137
suse
  • SUSE-SR:2006:016
  • SUSE-SR:2006:028
vupen
  • ADV-2006-2585
  • ADV-2008-0924
xf libpng-pngdecompresschunk-bo(27468)
statements via4
contributor Mark J Cox
lastmodified 2007-05-14
organization Red Hat
statement On Red Hat Enterprise Linux 2.1, 3, 4, and 5 this is a two-byte overflow into the middle of the stack and is not exploitable.
Last major update 07-03-2011 - 21:38
Published 30-06-2006 - 19:05
Last modified 18-10-2018 - 12:46