
PNG file

WinSoftMagic Photo Editor .PNG File Buffer Overflow

/***************************************************************\
 *      WinSoftMagic Photo Editor .PNG File Buffer Overflow     *
 *                                                              *
 * This sploit runs calc.exe or binds to port 4444.             *
 * Tested On Win XP SP2 & Win Vista 2008                        *
 * Code & Discovered By: eidelweiss                             *
 *                                                              *
 *      This Is Made For Educational Purposes Only              *
 *      Author will not be responsible for any damage           *
 *                                                              *

CORE-2008-0124: Multiple vulnerabilities in Google's Android SDK

Version m5-rc14 of the Android SDK includes a fix and is not vulnerable
to this bug.

 #2 - PNG image parsing, multiple vulnerabilities:

 The Portable Network Graphics (PNG) is a bitmapped image format that
employs lossless data compression [9]. PNG was created to improve upon
and replace the GIF format as an image file format that does not require
a patent license.

 The library 'libsgl.so' used by Android's WebKit contains commonly used

[ GLSA 200903-28 ] libpng: Multiple vulnerabilities

* A memory leak bug was reported in png_handle_tEXt(), a function
  that is used while reading PNG images (CVE-2008-6218).

* A memory overwrite bug was reported by Jon Foster in
  png_check_keyword(), caused by writing overlong keywords to a PNG
  file (CVE-2008-5907).

* A memory corruption issue, caused by an incorrect handling of an
  out of memory condition has been reported by Tavis Ormandy of the
  Google Security Team. That vulnerability affects direct uses of
  png_read_png(), pCAL chunk and 16-bit gamma table handling

VMSA-2009-0007 VMware Hosted products and ESX and ESXi patches resolve security issues

    The libpng packages contain a library of functions for creating and
    manipulating PNG (Portable Network Graphics) image format files.

    A flaw was discovered in libpng that could result in libpng trying
    to free() random memory if certain, unlikely error conditions
    occurred. If a carefully-crafted PNG file was loaded by an
    application linked against libpng, it could cause the application
    to crash or, potentially, execute arbitrary code with the
    privileges of the user running the application.

    A flaw was discovered in the way libpng handled PNG images

[SECURITY] [DSA 1750-1] New libpng packages fix several vulnerabilities

Debian-specific: no
CVE Id(s)      : CVE-2007-2445 CVE-2007-5269 CVE-2008-1382 CVE-2008-5907 CVE-2008-6218 CVE-2009-0040
Debian Bug     : 446308 476669 516256 512665

Several vulnerabilities have been discovered in libpng, a library for
reading and writing PNG files. The Common Vulnerabilities and
Exposures project identifies the following problems:

The png_handle_tRNS function allows attackers to cause a denial of
service (application crash) via a grayscale PNG image with a bad tRNS
chunk CRC value. (CVE-2007-2445)

[ GLSA 200812-15 ] POV-Ray: User-assisted execution of arbitrary code

Synopsis
========

POV-Ray includes a version of libpng that might allow for the execution
of arbitrary code when reading a specially crafted PNG file

Background
==========

POV-Ray is a well known open-source ray tracer.

[SECURITY] [DSA 2032-1] New libpng packages fix several vulnerabilities

CVE Id(s)      : CVE-2009-2042 CVE-2010-0205
Debian Bugs    : 533676 572308


Several vulnerabilities have been discovered in libpng, a library for
reading and writing PNG files. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2009-2042

libpng does not properly parse 1-bit interlaced images with width values

Secunia Research: glpng PNG Processing Two Integer Overflow Vulnerabilities

can be exploited by malicious people to compromise an application
using the library.

1) An integer overflow error within the "pngLoadRawF()" function in
glpng.c can be exploited to cause a heap-based buffer overflow by e.g.
tricking a user into opening a specially crafted PNG file in an
application using the library.

2) An integer overflow error within the "pngLoadF()" function in
glpng.c can be exploited to cause a heap-based buffer overflow by e.g.
tricking a user into opening a specially crafted PNG file in an

[ MDVSA-2010:063 ] libpng

 Multiple vulnerabilities have been found and corrected in libpng:
 
 libpng before 1.2.37 does not properly parse 1-bit interlaced images
 with width values that are not divisible by 8, which causes libpng
 to include uninitialized bits in certain rows of a PNG file and
 might allow remote attackers to read portions of sensitive memory
 via out-of-bounds pixels in the file (CVE-2009-2042).
 
 The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before
 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly

[ GLSA 200906-01 ] libpng: Information disclosure

===========

Jeff Phillips discovered that libpng does not properly parse 1-bit
interlaced images with width values that are not divisible by 8, which
causes libpng to include uninitialized bits in certain rows of a PNG
file.

Impact
======

A remote attacker might entice a user to open a specially crafted PNG

VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues.

  e. Update to Cairo

      Cairo 1.4.12 resolves an integer overflow vulnerability that can
      allow malicious users to run arbitrary code or might cause a
      denial-of-service after reading a maliciously crafted PNG file.
      This release updates Cairo to 1.4.14.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the name CVE-2007-5503 to this issue.


Microsoft Internet Explorer DoS in Rendering Malicious PNG Files.

*Version Affected:*
IE 7 / IE 8 BETA

*Severity:*
Intermediate

*Background:*
Mshtml.dll is a standard library which is responsible for rendering

[SECURITY] [DSA 1830-1] New icedove packages fix several vulnerabilities

Common Vulnerabilities and Exposures project identifies the following
problems:                                                            

CVE-2009-0040

The execution of arbitrary code might be possible via a crafted PNG file
that triggers a free of an uninitialized pointer in (1) the png_read_png
function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables. 
(MFSA 2009-10)                                                          

CVE-2009-0352

[ GLSA 201101-01 ] gif2png: User-assisted execution of arbitrary code

Background
==========

gif2png is a command line program that converts image files from the
Graphics Interchange Format (GIF) format to the Portable Network
Graphics (PNG) format.

Affected packages
=================

    -------------------------------------------------------------------

[USN-728-1] Firefox and Xulrunner vulnerabilities

Details follow:

Glenn Randers-Pehrson discovered that the embedded libpng in Firefox
did not properly initialize pointers. If a user were tricked into
viewing a malicious website with a crafted PNG file, a remote attacker
could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2009-0040)

Martijn Wargers, Jesse Ruderman, Josh Soref, Gary Kwong, and Timothee
Groleau discovered flaws in the browser engine. If a user were tricked

[USN-957-2] Firefox and Xulrunner vulnerability

 <tree> element. If a user were tricked into viewing a malicious site, a
 remote attacker could use this to crash the browser or possibly run
 arbitrary code as the user invoking the program. (CVE-2010-2753)
 
 Aki Helin discovered that libpng did not properly handle certain malformed
 PNG images. If a user were tricked into opening a crafted PNG file, an
 attacker could cause a denial of service or possibly execute arbitrary code
 with the privileges of the user invoking the program. (CVE-2010-1205)
 
 Yosuke Hasegawa and Vladimir Vukicevic discovered that the same-origin
 check in Firefox could be bypassed by utilizing the importScripts Web

[USN-730-1] libpng vulnerabilities

string. An attacker could exploit this to set arbitrary memory locations to
zero. (CVE-2008-5907)

Glenn Randers-Pehrson discovered that libpng did not properly initialize
pointers. If a user or automated system were tricked into opening a crafted PNG
file, an attacker could cause a denial of service or possibly execute arbitrary
code with the privileges of the user invoking the program. (CVE-2009-0040)


Updated packages for Ubuntu 6.06 LTS:


[SECURITY] [DSA 1839-1] New gst-plugins-good0.10 packages fix arbitrary code execution

Debian Bugs    : 531631 532352


It has been discovered that gst-plugins-good0.10, the GStreamer plugins
from the "good" set, are prone to an integer overflow, when processing
a large PNG file. This could lead to the execution of arbitrary code.


For the stable distribution (lenny), this problem has been fixed in
version 0.10.8-4.1~lenny2.


[USN-930-5] ant, apturl, Epiphany, gluezilla, gnome-python-extras, liferea, mozvoikko, OpenJDK, packagekit, ubufox, webfav, yelp update

 <tree> element. If a user were tricked into viewing a malicious site, a
 remote attacker could use this to crash the browser or possibly run
 arbitrary code as the user invoking the program. (CVE-2010-2753)
 
 Aki Helin discovered that libpng did not properly handle certain malformed
 PNG images. If a user were tricked into opening a crafted PNG file, an
 attacker could cause a denial of service or possibly execute arbitrary code
 with the privileges of the user invoking the program. (CVE-2010-1205)
 
 Yosuke Hasegawa and Vladimir Vukicevic discovered that the same-origin
 check in Firefox could be bypassed by utilizing the importScripts Web

rPSA-2009-0046-1 libpng

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040

Description:
    Previous versions of libpng are vulnerable to denial of service or
    possibly arbitrary code execution attacks via buffer overflows
    caused by a maliciously crafted PNG file.

http://wiki.rpath.com/Advisories:rPSA-2009-0046

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.

iDefense Security Advisory 03.26.09: Sun Java Web Start (JWS ) PNG Decoding Integer Overflow Vulnerability

arbitrary code with privileges of the current user.

When JWS starts up, it displays a splash screen. By default, the image
displayed on this splash screen is a GIF file provided by Sun, but it
is possible for a JNLP file to provide its own splash logo. This allows
an attacker to pass an arbitrary PNG file to the splash logo parsing
code.

The vulnerability occurs when parsing a PNG file used as part of the
splash screen. When parsing the image, several values are taken from
the file and used in an arithmetic operation that calculates the size

[ MDVSA-2010:133 ] libpng

 Multiple vulnerabilities have been found and corrected in libpng:
 
 Memory leak in the png_handle_tEXt function in pngrutil.c in libpng
 before 1.2.33 rc02 and 1.4.0 beta36 allows context-dependent attackers
 to cause a denial of service (memory exhaustion) via a crafted PNG file
 (CVE-2008-6218).
 
 Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x
 before 1.4.3, as used in progressive applications, might allow remote
 attackers to execute arbitrary code via a PNG image that triggers an

[USN-960-1] libpng vulnerabilities

Details follow:

It was discovered that libpng did not properly handle certain malformed PNG
images. If a user or automated system were tricked into opening a crafted
PNG file, an attacker could cause a denial of service or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2010-1205)

It was discovered that libpng did not properly handle certain malformed PNG
images. If a user or automated system were tricked into processing a

[USN-930-4] Firefox and Xulrunner vulnerabilities

<tree> element. If a user were tricked into viewing a malicious site, a
remote attacker could use this to crash the browser or possibly run
arbitrary code as the user invoking the program. (CVE-2010-2753)

Aki Helin discovered that libpng did not properly handle certain malformed
PNG images. If a user were tricked into opening a crafted PNG file, an
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2010-1205)

Yosuke Hasegawa and Vladimir Vukicevic discovered that the same-origin
check in Firefox could be bypassed by utilizing the importScripts Web

[ MDVSA-2010:064 ] libpng

 The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before
 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly
 handle compressed ancillary-chunk data that has a disproportionately
 large uncompressed representation, which allows remote attackers to
 cause a denial of service (memory and CPU consumption, and application
 hang) via a crafted PNG file, as demonstrated by use of the deflate
 compression method on data composed of many occurrences of the same
 character, related to a decompression bomb attack (CVE-2010-0205).
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

Possible Windows Explorer bad PNG file preview integer overflow handling

Hi folks,

Can anyone confirm that the attached PNG file is causing Explorer to eat
100% CPU, and if this is a known issue ?

(Currently tested with an up-to-date Windows XP and Windows Vista)

The probable cause is an integer overflow in the PNG chunk size handling,
which is 32-bit large, and which can cause a 32-bit counter to overflow
when specifically designed for (the attached file contains a tEXt chunk
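Several of the entries above describe the same small set of chunk-level defects: a chunk length that wraps a 32-bit counter (the Explorer report just above), a tRNS chunk with a bad CRC (CVE-2007-2445), an overlong text keyword (CVE-2008-5907) and a compressed ancillary chunk that inflates far beyond its stored size (CVE-2010-0205). The Python below is an added example written for this page; it is not libpng code and not from Microsoft or any of the advisories quoted here. It builds constructed sample files for each case and walks them with the checks a parser needs. MAX_INFLATED is an assumed policy limit, and make_png, scan and classify are names chosen for this illustration.

```python
"""Added example, not libpng code and not from any advisory on this page: a defensive PNG
chunk walker. MAX_INFLATED is an assumed policy limit; the other two constants are from the
PNG specification."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 0x7FFFFFFF   # PNG spec: chunk length must not exceed 2^31 - 1
MAX_KEYWORD_LEN = 79         # PNG spec: tEXt/zTXt/iTXt keywords are 1..79 bytes
MAX_INFLATED = 1 << 20       # assumed: no ancillary chunk may inflate past 1 MiB

def chunk(ctype, data):
    """Serialize one chunk: big-endian length, 4-byte type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(extra_chunks=()):
    """Constructed 1x1 8-bit grayscale PNG; extra_chunks go between IHDR and IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_SIG + chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        png += chunk(ctype, data)
    scanline = b"\x00\x00"   # filter type 0 followed by one gray pixel
    return png + chunk(b"IDAT", zlib.compress(scanline)) + chunk(b"IEND", b"")

def walk_chunks(png):
    """Yield (type, data) per chunk; raise ValueError on the first structural defect."""
    if not png.startswith(PNG_SIG):
        raise ValueError("bad signature")
    off = len(PNG_SIG)
    while True:
        remaining = len(png) - off
        if remaining < 12:
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[off:off + 8])
        if length > MAX_CHUNK_LEN:
            raise ValueError("chunk length %d exceeds PNG maximum" % length)
        # Compare against what is left instead of computing off + length + 12:
        # that sum is exactly where a 32-bit counter wraps on a hostile length.
        if length > remaining - 12:
            raise ValueError("chunk length %d runs past end of file" % length)
        data = png[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", png[off + 8 + length:off + 12 + length])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("CRC mismatch in %s chunk" % ctype.decode("latin-1"))
        yield ctype, data
        if ctype == b"IEND":
            return
        off += 12 + length

def inflate_bounded(blob, limit=MAX_INFLATED):
    """Inflate a zlib stream but never materialize more than `limit` bytes."""
    d = zlib.decompressobj()
    out = d.decompress(blob, limit + 1)   # one byte past the limit is enough to convict
    if len(out) > limit:
        raise ValueError("inflated data exceeds %d bytes" % limit)
    if not d.eof:
        raise ValueError("truncated or corrupt zlib stream")
    return out

def parse_ztxt(data):
    """zTXt: keyword, NUL, compression method (0 = deflate), compressed text."""
    keyword, sep, rest = data.partition(b"\x00")
    if not sep or not 1 <= len(keyword) <= MAX_KEYWORD_LEN:
        raise ValueError("keyword length %d out of range" % len(keyword))
    if rest[:1] != b"\x00":
        raise ValueError("unknown zTXt compression method")
    return keyword, inflate_bounded(rest[1:])

def scan(png):
    """Return [(type, note), ...] for a file, or raise ValueError naming the defect."""
    notes = []
    for ctype, data in walk_chunks(png):
        if ctype == b"zTXt":
            keyword, text = parse_ztxt(data)
            notes.append((ctype, "%s: %d bytes inflated" % (keyword.decode("latin-1"), len(text))))
        else:
            notes.append((ctype, "%d bytes" % len(data)))
    return notes

def classify(png):
    """'ok' or the rejection reason, for triaging a directory of files."""
    try:
        scan(png)
        return "ok"
    except ValueError as exc:
        return str(exc)

def sample_files():
    """Constructed inputs, one per defect class; none is a real attack file."""
    bomb_text = zlib.compress(b"\x00" * (32 << 20), 9)   # 32 MiB of zeros -> roughly 32 KiB
    return {
        "benign": make_png([(b"zTXt", b"Comment\x00\x00" + zlib.compress(b"hello"))]),
        "bomb": make_png([(b"zTXt", b"Comment\x00\x00" + bomb_text)]),
        "bad_crc": make_png()[:-4] + b"\x00\x00\x00\x00",   # IEND with a zeroed CRC
        "oversize": PNG_SIG + struct.pack(">I", 0xFFFFFFF0) + b"tEXt" + b"\x00" * 8,
        "long_keyword": make_png([(b"zTXt", b"k" * 80 + b"\x00\x00" + zlib.compress(b"x"))]),
    }
```

Running classify over sample_files() gives "ok" for the benign file and a one-line reason for each of the other four. The bomb case is the one worth studying: inflate_bounded asks zlib for one byte more than the cap and rejects as soon as that byte appears, so memory use stays bounded regardless of how far the stream would inflate; later libpng releases expose a similar user-settable ceiling (png_set_chunk_malloc_max), but the 1 MiB value here is this example's assumption, not libpng's default. The CRC policy is also stricter than libpng's default, which only warns on a bad CRC in an ancillary chunk unless png_set_crc_action() says otherwise; here every mismatch is fatal.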

[ GLSA 200805-10 ] Pngcrush: User-assisted execution of arbitrary code

Background
==========

Pngcrush is a multi platform optimizer for PNG (Portable Network
Graphics) files.

Affected packages
=================

    -------------------------------------------------------------------

Re: file upload vulnerability in joomla media component

>       code.
> STEP2: Login into joomla with administrator
>       credentials and click on media manager
>       component.
> STEP3: use the image upload utility to upload
>       crafted png file with name index.html.png
> STEP4: joomla will not show any error and file is
>       uploaded.
> STEP5: Then just click on that file and script
>       code written in that file get executed by
>       user browser
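The steps quoted above work because the media manager trusts the trailing .png and the browser then sniffs the HTML inside the file. As an added example (not Joomla's code; the function names, the .png-only policy and the sample inputs are choices made for this illustration), the following Python shows the server-side checks that break that chain: reject chained extensions, verify the PNG signature and a sane IHDR before trusting the extension, and refuse files whose leading bytes carry markup.

```python
"""Added example, not Joomla's code: acceptance checks for an image upload handler.
The .png-only policy, the names and the constructed inputs are choices made here."""
import base64
import os
import re
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {"png"}
ACTIVE_EXT = {"html", "htm", "xhtml", "svg", "js", "php", "phtml"}  # banned in any position

def safe_name(filename):
    """Drop directories, lower-case, refuse chained or unexpected extensions, restrict charset."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not all(parts):
        return None
    *stem_parts, ext = parts
    if ext not in ALLOWED_EXT or any(p in ACTIVE_EXT for p in stem_parts):
        return None                       # index.html.png, shell.php.png, ...
    return re.sub(r"[^a-z0-9_-]", "_", "_".join(stem_parts)) + "." + ext

def looks_like_png(data):
    """Signature plus a sane IHDR: the minimum before trusting a .png extension."""
    if not data.startswith(PNG_SIG) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    width, height, depth, color = struct.unpack(">IIBB", data[16:26])
    return (0 < width < (1 << 31) and 0 < height < (1 << 31)
            and depth in (1, 2, 4, 8, 16) and color in (0, 2, 3, 4, 6))

def accept_upload(filename, data):
    """Return the name to store the file under, or None to refuse it."""
    name = safe_name(filename)
    if name is None or not looks_like_png(data):
        return None
    if re.search(rb"<\s*(script|html|svg|\?php)", data[:4096], re.I):
        return None                       # markup riding inside or after the image bytes
    return name

# Constructed inputs: a well-known minimal 1x1 RGBA PNG, and an HTML payload.
TINY_PNG = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)
HTML_PAYLOAD = b"<html><body><script>alert(document.cookie)</script></body></html>"
```

A file named index.html.png is refused on the name alone; an HTML file named cat.png fails the signature check; and a polyglot that prepends a real PNG to the HTML passes the signature check but is caught by the markup scan on the leading bytes. On the serving side, sending a Content-Type derived from the stored extension together with X-Content-Type-Options: nosniff, ideally from a separate origin, keeps anything that still slips through from running script in the site's own origin.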

[USN-958-1] Thunderbird vulnerabilities

element. If a user were tricked into viewing malicious content, a remote
attacker could use this to crash Thunderbird or possibly run arbitrary code
as the user invoking the program. (CVE-2010-2753)

Aki Helin discovered that libpng did not properly handle certain malformed
PNG images. If a user were tricked into opening a crafted PNG file, an
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2010-1205)

Yosuke Hasegawa discovered that the same-origin check in Thunderbird could
be bypassed by utilizing the importScripts Web Worker method. If a user

[ GLSA 200708-05 ] GD: Multiple vulnerabilities

Description
===========

Xavier Roche discovered an infinite loop in the gdPngReadData()
function when processing a truncated PNG file (CVE-2007-2756). An
integer overflow has been discovered in the gdImageCreateTrueColor()
function (CVE-2007-3472). An error has been discovered in the function
gdImageCreateXbm() function (CVE-2007-3473). Unspecified
vulnerabilities have been discovered in the GIF reader (CVE-2007-3474).
An error has been discovered when processing a GIF image that has no


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
