National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2008-1382 Detail

Description

libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.

Source:  MITRE      Last Modified:  04/14/2008

Quick Info

CVE Dictionary Entry:
CVE-2008-1382
Original release date:
04/14/2008
Last revised:
09/28/2017
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
7.5 HIGH
Vector:
(AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore:
6.4
Exploitability Subscore:
10.0
CVSS Version 2 Metrics:
Access Vector:
Network exploitable
Access Complexity:
Low
Authentication:
Not required to exploit
Impact Type:
Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

Vendor Statements (disclaimer)

Official Statement from Red Hat (03/04/2009)

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1382 This issue does not affect the version of libpng as shipped with Red Hat Enterprise Linux 3. Updates for affected versions of Red Hat Enterprise Linux can be found here: http://rhn.redhat.com/errata/RHSA-2009-0333.html

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
http://libpng.sourceforge.net/Advisory-1.2.26.txt External Source CONFIRM http://libpng.sourceforge.net/Advisory-1.2.26.txt
http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html External Source APPLE APPLE-SA-2008-09-15
http://lists.apple.com/archives/security-announce/2009/May/msg00002.html External Source APPLE APPLE-SA-2009-05-12
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00011.html External Source SUSE SUSE-SR:2008:010
http://security.gentoo.org/glsa/glsa-200804-15.xml External Source GENTOO GLSA-200804-15
http://security.gentoo.org/glsa/glsa-200805-10.xml External Source GENTOO GLSA-200805-10
http://security.gentoo.org/glsa/glsa-200812-15.xml External Source GENTOO GLSA-200812-15
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.541247 External Source SLACKWARE SSA:2008-119-01
http://sunsolve.sun.com/search/document.do?assetkey=1-66-259989-1 External Source SUNALERT 259989
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020521.1-1 External Source SUNALERT 1020521
http://support.apple.com/kb/HT3549 External Source CONFIRM http://support.apple.com/kb/HT3549
http://support.avaya.com/elmodocs2/security/ASA-2009-208.htm External Source CONFIRM http://support.avaya.com/elmodocs2/security/ASA-2009-208.htm
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0151 External Source CONFIRM http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0151
http://www.debian.org/security/2009/dsa-1750 External Source DEBIAN DSA-1750
http://www.mandriva.com/security/advisories?name=MDVSA-2008:156 External Source MANDRIVA MDVSA-2008:156
http://www.ocert.org/advisories/ocert-2008-003.html External Source MISC http://www.ocert.org/advisories/ocert-2008-003.html
http://www.redhat.com/support/errata/RHSA-2009-0333.html External Source REDHAT RHSA-2009:0333
http://www.securityfocus.com/archive/1/archive/1/490823/100/0/threaded External Source BUGTRAQ 20080414 [oCERT-2008-003] libpng zero-length chunks incorrect handling
http://www.securityfocus.com/archive/1/archive/1/491424/100/0/threaded External Source BUGTRAQ 20080429 rPSA-2008-0151-1 libpng
http://www.securityfocus.com/archive/1/archive/1/503912/100/0/threaded External Source BUGTRAQ 20090529 VMSA-2009-0007 VMware Hosted products and ESX and ESXi patches resolve security issues
http://www.securityfocus.com/bid/28770 External Source BID 28770
http://www.securitytracker.com/id?1019840 External Source SECTRACK 1019840
http://www.us-cert.gov/cas/techalerts/TA08-260A.html US Government Resource External Source CERT TA08-260A
http://www.us-cert.gov/cas/techalerts/TA09-133A.html US Government Resource External Source CERT TA09-133A
http://www.vmware.com/security/advisories/VMSA-2009-0007.html External Source CONFIRM http://www.vmware.com/security/advisories/VMSA-2009-0007.html
http://www.vupen.com/english/advisories/2008/1225/references External Source VUPEN ADV-2008-1225
http://www.vupen.com/english/advisories/2008/2584 External Source VUPEN ADV-2008-2584
http://www.vupen.com/english/advisories/2009/1297 External Source VUPEN ADV-2009-1297
http://www.vupen.com/english/advisories/2009/1451 External Source VUPEN ADV-2009-1451
http://www.vupen.com/english/advisories/2009/1462 External Source VUPEN ADV-2009-1462
http://www.vupen.com/english/advisories/2009/1560 External Source VUPEN ADV-2009-1560
https://exchange.xforce.ibmcloud.com/vulnerabilities/41800 External Source XF libpng-zero-length-code-execution(41800)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10326 External Source OVAL oval:org.mitre.oval:def:10326
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6275 External Source OVAL oval:org.mitre.oval:def:6275
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00033.html External Source FEDORA FEDORA-2008-4847
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00080.html External Source FEDORA FEDORA-2008-4910
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00111.html External Source FEDORA FEDORA-2008-4947
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00721.html External Source FEDORA FEDORA-2008-3683
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00951.html External Source FEDORA FEDORA-2008-3979
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00960.html External Source FEDORA FEDORA-2008-3937

References to Check Content

Identifier:
oval:org.mitre.oval:def:10326
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10326
Identifier:
oval:org.mitre.oval:def:6275
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:6275

Technical Details

Vulnerability Type (View All)

Vulnerable software and versions Switch to CPE 2.2

Configuration 1
OR
cpe:2.3:a:libpng:libpng:1.0.6:a:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.6:d:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.6:e:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.6:f:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.6:g:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.6:h:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.6:i:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.6:j:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.7:beta11:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.7:beta12:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.7:beta13:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.7:beta14:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.7:beta15:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.7:beta16:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.7:beta17:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.7:beta18:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.7:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.7:rc2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.8:beta1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.8:beta2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.8:beta3:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.8:beta4:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.8:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.9:beta1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.9:beta10:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.9:beta2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.9:beta3:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.9:beta4:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.9:beta5:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.9:beta6:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.9:beta7:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.9:beta8:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.9:beta9:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.9:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.9:rc2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.10:beta1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.10:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.11:beta1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.11:beta2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.11:beta3:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.11:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.12:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.12:beta1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.12:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.13:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.14:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.15:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.15:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.15:rc2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.15:rc3:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.16:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.17:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.18:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.19:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.19:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.19:rc2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.19:rc3:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.19:rc5:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.20:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.21:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.21:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.21:rc2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.22:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.22:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.23:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.23:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.23:rc2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.23:rc3:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.23:rc4:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.23:rc5:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.24:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.24:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.25:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.25:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.25:rc2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.26:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.27:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.27:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.27:rc2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.27:rc3:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.27:rc4:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.27:rc5:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.27:rc6:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.28:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.28:rc2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.28:rc3:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.28:rc4:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.28:rc5:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.28:rc6:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.29:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.29:beta1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.29:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.29:rc2:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.29:rc3:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.30:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.30:rc1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.31:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.31:rc01:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.0.32:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.2.0:beta1:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:1.2.0:beta2:*:*:*:*:*:*
Showing 100 of 310 CPEs, view all CPEs here.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History 3 change records found - show changes