Rapid7 Vulnerability & Exploit Database

RHSA-2009:0333: libpng security update

Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 04/14/2008
Created: 07/25/2018
Added: 09/12/2009
Modified: 07/04/2017

Description

The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files.

A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0040)

A flaw was discovered in the way libpng handled PNG images containing "unknown" chunks. If an application linked against libpng attempted to process a malformed, unknown chunk in a malicious PNG image, it could cause the application to crash. (CVE-2008-1382)

Users of libpng and libpng10 should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libpng or libpng10 must be restarted for the update to take effect.

Solution(s)

  • redhat-upgrade-libpng
  • redhat-upgrade-libpng-devel
  • redhat-upgrade-libpng10
  • redhat-upgrade-libpng10-devel
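
The advisory notes that running applications must be restarted before the update takes effect. The following added example (not part of the Red Hat or Rapid7 text) lists processes that still map a libpng shared object that has been replaced on disk. It assumes a Linux /proc filesystem, and the function name stale_libpng_pids is hypothetical.

```shell
#!/bin/sh
# stale_libpng_pids [PROC_ROOT]
# Prints "PID<TAB>path" for each process whose memory map still references a
# libpng shared object that no longer exists on disk. After a package upgrade
# the kernel marks such mappings with a trailing "(deleted)", which means the
# process is still executing the old library code until it is restarted.
# PROC_ROOT defaults to /proc; the parameter exists so the check can be
# pointed at a saved copy of the maps files.
stale_libpng_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip processes we cannot read (run as root for full coverage).
        [ -r "$maps" ] || continue
        pid="${maps%/maps}"
        pid="${pid##*/}"
        # Field 6 of a maps line is the pathname. Match libpng.so.* and
        # libpngNN.so.* (covers both the libpng and libpng10 packages) and
        # report each stale path once per process.
        awk -v pid="$pid" '
            $6 ~ /\/libpng[0-9]*\.so/ && $NF == "(deleted)" && !seen[$6]++ {
                printf "%s\t%s\n", pid, $6
            }' "$maps" 2>/dev/null
    done
}

# Scan the live system (or the directory given as the first argument).
stale_libpng_pids "$@"
```

An empty result means no readable process is holding the pre-update library; any PID listed needs a restart.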
