Vulnerability CVE-2018-13785


Published: 2018-07-09

Description:
In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.

Type:

CWE-369

(Divide By Zero)

Vendor: Redhat
Product: Enterprise linux server 
Version: 7.0; 6.0;
Product: Enterprise linux workstation 
Version: 7.0; 6.0;
Product: Enterprise linux desktop 
Version: 7.0; 6.0;
Vendor: Canonical
Product: Ubuntu linux 
Version:
18.04
17.10
16.04
14.04
Vendor: Oracle
Product: JDK 
Version:
11.0.0
1.8.0
1.7.0
1.6.0
Product: JRE 
Version:
11.0.0
1.8.0
1.7.0
1.6.0
Vendor: Libpng
Product: Libpng 
Version: 1.6.34;
Product: Libgpng 
Version: 1.6.34;

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

 References:
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/105599
http://www.securitytracker.com/id/1041889
https://access.redhat.com/errata/RHSA-2018:3000
https://access.redhat.com/errata/RHSA-2018:3001
https://access.redhat.com/errata/RHSA-2018:3002
https://access.redhat.com/errata/RHSA-2018:3003
https://access.redhat.com/errata/RHSA-2018:3007
https://access.redhat.com/errata/RHSA-2018:3008
https://access.redhat.com/errata/RHSA-2018:3533
https://access.redhat.com/errata/RHSA-2018:3534
https://access.redhat.com/errata/RHSA-2018:3671
https://access.redhat.com/errata/RHSA-2018:3672
https://access.redhat.com/errata/RHSA-2018:3779
https://access.redhat.com/errata/RHSA-2018:3852
https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2
https://security.gentoo.org/glsa/201908-10
https://security.netapp.com/advisory/ntap-20181018-0001/
https://sourceforge.net/p/libpng/bugs/278/
https://usn.ubuntu.com/3712-1/

Related CVE
CVE-2019-17371
libpng 1.6.37 has memory leaks in png_malloc_warn and png_create_info_struct.
CVE-2017-12652
libpng before 1.6.32 does not properly check the length of chunks against the user limit.
CVE-2018-14550
An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.
CVE-2019-7317
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
CVE-2019-6129
** DISPUTED ** png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated "I don't think it is libpng's job to free this buffer."
CVE-2018-14048
An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.
CVE-2016-10087
The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text c...
CVE-2016-3751
Unspecified vulnerability in libpng before 1.6.20, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Sig...

Copyright 2019, cxsecurity.com

 

Back to Top