Vulnerability details
Libpng library pngrtran.c remote denial of service vulnerability
- CNNVD ID: CNNVD-200710-149
- Severity: Medium
- CVE ID: CVE-2007-5269
- Vulnerability type: Input validation
- Published: 2001-10-16
- Threat type: Remote
- Updated: 2009-06-23
- Vendor: libpng
- Source: George Cook, Jeff Ph...
Vulnerability summary
libpng is a library used by many applications to parse the PNG image format.
libpng contains a vulnerability in its handling of malformed PNG image files; a remote attacker could exploit it to crash applications that use the library.
In libpng's pngrtran.c a logical NOT is used where a bitwise NOT was intended; there is an error in the use of sizeof(unknown_chunk.name); in pngset.c a <= comparison against an unsigned variable should be ==; and the png_handle_pCAL(), png_handle_sCAL(), png_push_read_tEXt(), png_handle_iTXt() and png_handle_ztXt() functions contain several out-of-bounds read errors. If a user is tricked into opening a malformed PNG image, the application using the library may crash.
Vendor advisory
The vendor has released an upgrade that fixes this security issue; download link:
http://downloads.sourceforge.net/libpng/libpng-1.2.21.tar.gz
References
Source: US-CERT
Name: TA08-150A
Link: http://www.us-cert.gov/cas/techalerts/TA08-150A.HTML
Source: VUPEN
Name: ADV-2007-3390
Link: http://www.frsirt.com/english/advisories/2007/3390
Source: MLIST
Name: [png-mng-implement] 20071004 Libpng-1.2.21 and libpng-1.0.29 released
Link: http://sourceforge.net/mailarchive/forum.php?thread_name=3.0.6.32.20071004082318.012a7628%40mail.comcast.net&forum_name=png-mng-implement
Source: VUPEN
Name: ADV-2009-1560
Link: http://www.vupen.com/english/advisories/2009/1560
Source: VUPEN
Name: ADV-2009-1462
Link: http://www.vupen.com/english/advisories/2009/1462
Source: www.vmware.com
Link: http://www.vmware.com/security/advisories/VMSA-2008-0014.HTML
Source: BUGTRAQ
Name: 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues.
Link: http://www.securityfocus.com/archive/1/archive/1/495869/100/0/threaded
Source: VUPEN
Name: ADV-2008-2466
Link: http://www.frsirt.com/english/advisories/2008/2466
Source: DEBIAN
Name: DSA-1750
Link: http://www.debian.org/security/2009/dsa-1750
Source: support.avaya.com
Link: http://support.avaya.com/elmodocs2/security/ASA-2009-208.htm
Source: SUNALERT
Name: 259989
Link: http://sunsolve.sun.com/search/document.do?assetkey=1-66-259989-1
Source: SECUNIA
Name: 35386
Link: http://secunia.com/advisories/35386
Source: SECUNIA
Name: 35302
Link: http://secunia.com/advisories/35302
Source: SECUNIA
Name: 34388
Link: http://secunia.com/advisories/34388
Source: SECUNIA
Name: 31713
Link: http://secunia.com/advisories/31713
Source: SECUNIA
Name: 31712
Link: http://secunia.com/advisories/31712
Source: SECUNIA
Name: 27093
Link: http://secunia.com/advisories/27093
Source: FULLDISC
Name: 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues.
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2008-August/064118.HTML
Source: FEDORA
Name: FEDORA-2007-2666
Link: https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00356.HTML
Source: FEDORA
Name: FEDORA-2007-2521
Link: https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00353.HTML
Source: FEDORA
Name: FEDORA-2007-734
Link: https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00072.HTML
Source: issues.rpath.com
Link: https://issues.rpath.com/browse/RPL-1814
Source: bugzilla.redhat.com
Link: https://bugzilla.redhat.com/show_bug.cgi?id=337461
Source: bugzilla.redhat.com
Link: https://bugzilla.redhat.com/show_bug.cgi?id=327791
Source: www.vmware.com
Link: http://www.vmware.com/support/ws6/doc/releasenotes_ws6.HTML
Source: www.vmware.com
Link: http://www.vmware.com/support/ws55/doc/releasenotes_ws55.HTML
Source: www.vmware.com
Link: http://www.vmware.com/support/server/doc/releasenotes_server.HTML
Source: www.vmware.com
Link: http://www.vmware.com/support/player2/doc/releasenotes_player2.HTML
Source: www.vmware.com
Link: http://www.vmware.com/support/player/doc/releasenotes_player.HTML
Source: www.vmware.com
Link: http://www.vmware.com/support/ace2/doc/releasenotes_ace2.HTML
Source: www.vmware.com
Link: http://www.vmware.com/security/advisories/VMSA-2008-0005.HTML
Source: UBUNTU
Name: USN-538-1
Link: http://www.ubuntu.com/usn/usn-538-1
Source: SECTRACK
Name: 1018849
Link: http://www.securitytracker.com/id?1018849
Source: BID
Name: 28276
Link: http://www.securityfocus.com/bid/28276
Source: BID
Name: 25956
Link: http://www.securityfocus.com/bid/25956
Source: BUGTRAQ
Name: 20080318 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues
Link: http://www.securityfocus.com/archive/1/archive/1/489739/100/0/threaded
Source: BUGTRAQ
Name: 20080304 CORE-2008-0124: Multiple vulnerabilities in Google's Android SDK
Link: http://www.securityfocus.com/archive/1/archive/1/489135/100/0/threaded
Source: BUGTRAQ
Name: 20071112 FLEA-2007-0065-1 libpng
Link: http://www.securityfocus.com/archive/1/archive/1/483582/100/0/threaded
Source: REDH
Affected products
- Libpng Libpng:1.2.20
- Libpng Libpng:1.0.28
Patch
None available