Vulnerability CVE-2016-3751


Published: 2016-07-10   Modified: 2016-07-11

Description:
Unspecified vulnerability in libpng before 1.6.20, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23265085.

Vendor: Google
Product: Android
Version: 6.0.1, 6.0, 5.1.0, 5.1, 5.0.1, 5.0, 4.4.3, 4.4.2, 4.4.1, 4.4, 4.3.1, 4.3, 4.2.2, 4.2.1, 4.2, 4.1.2, 4.1, 4.0.4, 4.0.3, 4.0.2, 4.0.1, 4.0

Vendor: Libpng
Product: Libpng
Version: 1.6.19

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

 References:
https://android.googlesource.com/platform/external/libpng/+/9d4853418ab2f754c2b63e091c29c5529b8b86ca
http://www.openwall.com/lists/oss-security/2016/07/09/4
http://source.android.com/security/bulletin/2016-07-01.html

Related CVE
CVE-2019-17371
libpng 1.6.37 has memory leaks in png_malloc_warn and png_create_info_struct.
CVE-2017-12652
libpng before 1.6.32 does not properly check the length of chunks against the user limit.
CVE-2018-14550
An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.
CVE-2019-7317
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
CVE-2019-6129
** DISPUTED ** png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated "I don't think it is libpng's job to free this buffer."
CVE-2018-14048
An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.
CVE-2018-13785
In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.
CVE-2016-10087
The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text c...

Copyright 2019, cxsecurity.com

 
