Rapid7 Vulnerability & Exploit Database

RHSA-2011:1104: libpng security update


Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published: 07/17/2011
Created: 07/25/2018
Added: 07/29/2011
Modified: 07/04/2017

Description

The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files.

A buffer overflow flaw was found in the way libpng processed certain PNG image files. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-2690)

Note: The application behavior required to exploit CVE-2011-2690 is rarely used. No application shipped with Red Hat Enterprise Linux behaves this way, for example.

An uninitialized memory read issue was found in the way libpng processed certain PNG images that use the Physical Scale (sCAL) extension. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash. (CVE-2011-2692)

Users of libpng should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libpng must be restarted for the update to take effect.

Solution(s)

  • redhat-upgrade-libpng
  • redhat-upgrade-libpng-devel
