ID CVE-2008-5907
Summary The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer. NOTE: some sources incorrectly report this as a double free vulnerability.
References
Vulnerable Configurations
  • Debian GNU/Linux 4.0
    cpe:2.3:o:debian:debian_linux:4.0
  • Debian GNU/Linux 5.0
    cpe:2.3:o:debian:debian_linux:5.0
CVSS
Base: 5.0 (as of 15-01-2009 - 15:31)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-051.NASL
    description A number of vulnerabilities have been found and corrected in libpng : Fixed 1-byte buffer overflow in pngpread.c (CVE-2008-3964). This was allready fixed in Mandriva Linux 2009.0. Fix the function png_check_keyword() that allowed setting arbitrary bytes in the process memory to 0 (CVE-2008-5907). Fix a potential DoS (Denial of Service) or to potentially compromise an application using the library (CVE-2009-0040). The updated packages have been patched to prevent this.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 36671
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36671
    title Mandriva Linux Security Advisory : libpng (MDVSA-2009:051)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200903-28.NASL
    description The remote host is affected by the vulnerability described in GLSA-200903-28 (libpng: Multiple vulnerabilities) Multiple vulnerabilities were discovered in libpng: A memory leak bug was reported in png_handle_tEXt(), a function that is used while reading PNG images (CVE-2008-6218). A memory overwrite bug was reported by Jon Foster in png_check_keyword(), caused by writing overlong keywords to a PNG file (CVE-2008-5907). A memory corruption issue, caused by an incorrect handling of an out of memory condition has been reported by Tavis Ormandy of the Google Security Team. That vulnerability affects direct uses of png_read_png(), pCAL chunk and 16-bit gamma table handling (CVE-2009-0040). Impact : A remote attacker may execute arbitrary code with the privileges of the user opening a specially crafted PNG file by exploiting the erroneous out-of-memory handling. An attacker may also exploit the png_check_keyword() error to set arbitrary memory locations to 0, if the application allows overlong, user-controlled keywords when writing PNG files. The png_handle_tEXT() vulnerability may be exploited by an attacker to potentially consume all memory on a users system when a specially crafted PNG file is opened. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 35929
    published 2009-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35929
    title GLSA-200903-28 : libpng: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_LIBPNG-DEVEL-090120.NASL
    description This update of libpng fixes the function png_check_keyword() that allowed setting arbitrary bytes in the process memory to 0. (CVE-2008-5907)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 40263
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40263
    title openSUSE Security Update : libpng-devel (libpng-devel-455)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_LIBPNG-DEVEL-090121.NASL
    description This update of libpng fixes the function png_check_keyword() that allowed setting arbitrary bytes in the process memory to 0. (CVE-2008-5907)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 40037
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40037
    title openSUSE Security Update : libpng-devel (libpng-devel-455)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-08.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-08 (Multiple packages, Multiple vulnerabilities fixed in 2010) Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details. Insight Perl Tk Module Source-Navigator Tk Partimage Mlmmj acl Xinit gzip ncompress liblzw splashutils GNU M4 KDE Display Manager GTK+ KGet dvipng Beanstalk Policy Mount pam_krb5 GNU gv LFTP Uzbl Slim Bitdefender Console iputils DVBStreamer Impact : A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions. Workaround : There are no known workarounds at this time.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 79961
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79961
    title GLSA-201412-08 : Multiple packages, Multiple vulnerabilities fixed in 2010
  • NASL family SuSE Local Security Checks
    NASL id SUSE_LIBPNG-5945.NASL
    description This update of libpng fixes the function png_check_keyword() that allowed setting arbitrary bytes in the process memory to 0. (CVE-2008-5907)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 41546
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41546
    title SuSE 10 Security Update : libpng (ZYPP Patch Number 5945)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_LIBPNG-5944.NASL
    description This update of libpng fixes the function png_check_keyword() that allowed setting arbitrary bytes in the process memory to 0. (CVE-2008-5907)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 35553
    published 2009-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35553
    title openSUSE 10 Security Update : libpng (libpng-5944)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12339.NASL
    description This update of libpng fixes the function png_check_keyword() that allowed setting arbitrary bytes in the process memory to 0. (CVE-2008-5907)
    last seen 2019-02-21
    modified 2012-04-23
    plugin id 41270
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41270
    title SuSE9 Security Update : libpng, libpng-devel (YOU Patch Number 12339)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-730-1.NASL
    description It was discovered that libpng did not properly perform bounds checking in certain operations. An attacker could send a specially crafted PNG image and cause a denial of service in applications linked against libpng. This issue only affected Ubuntu 8.04 LTS. (CVE-2007-5268, CVE-2007-5269) Tavis Ormandy discovered that libpng did not properly initialize memory. If a user or automated system were tricked into opening a crafted PNG image, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. This issue did not affect Ubuntu 8.10. (CVE-2008-1382) Harald van Dijk discovered an off-by-one error in libpng. An attacker could could cause an application crash in programs using pngtest. (CVE-2008-3964) It was discovered that libpng did not properly NULL terminate a keyword string. An attacker could exploit this to set arbitrary memory locations to zero. (CVE-2008-5907) Glenn Randers-Pehrson discovered that libpng did not properly initialize pointers. If a user or automated system were tricked into opening a crafted PNG file, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0040). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 37042
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37042
    title Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : libpng vulnerabilities (USN-730-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1750.NASL
    description Several vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-2445 The png_handle_tRNS function allows attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value. - CVE-2007-5269 Certain chunk handlers allow attackers to cause a denial of service (crash) via crafted pCAL, sCAL, tEXt, iTXt, and ztXT chunking in PNG images, which trigger out-of-bounds read operations. - CVE-2008-1382 libpng allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length 'unknown' chunks, which trigger an access of uninitialized memory. - CVE-2008-5907 The png_check_keyword might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords. - CVE-2008-6218 A memory leak in the png_handle_tEXt function allows context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted PNG file. - CVE-2009-0040 libpng allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 35988
    published 2009-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35988
    title Debian DSA-1750-1 : libpng - several vulnerabilities
refmap via4
confirm http://libpng.sourceforge.net/index.html
debian DSA-1750
gentoo GLSA-200903-28
mandriva MDVSA-2009:051
mlist
  • [oss-security] 20090109 libpng non issue
  • [png-mng-implement] 20081126 Memory overwriting bug in png_check_keyword()
secunia
  • 34320
  • 34388
suse SUSE-SR:2009:003
xf libpng-pngcheckkeyword-memory-corruption(48128)
statements via4
contributor Joshua Bressers
lastmodified 2009-02-11
organization Red Hat
statement Red Hat does not consider this bug to be a security issue. For a more detailed explanation, please see the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-5907
Last major update 26-03-2009 - 01:48
Published 15-01-2009 - 12:30
Last modified 08-11-2018 - 15:18
Back to Top