=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2008/VULN405
_____________________________________________________________________

DATE                      : 07/10/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running libpng.

======================================================================
http://www.kb.cert.org/vuls/id/889484
______________________________________________________________________

Vulnerability Note VU#889484
libpng off-by-one vulnerability

Overview

A vulnerability exists in libpng that may allow a remote attacker to
cause a denial of service.


I. Description

A vulnerability in the way libpng handles files that contain multiple
zTXt chunks may cause a denial of service. This vulnerability is due to
an off-by-one error introduced in the png_push_read_zTXt() function in
libpng-1.2.30/pngpread.c. According to the PNG Development Group:

      Gecko-based applications such as Firefox are not vulnerable
because they contain a png_set_keep_unknown_chunks() call that causes
the application to ignore the zTXt chunk.


Note that this issue affects libpng versions 1.0.38, 1.0.39, 1.2.30,
1.2.31, and libpng-1.4.0beta.


II. Impact

A remote, unauthorized attacker may be able to cause a denial of
service.


III. Solution

Upgrade

The PNG Development Group has issued an upgrade to address this issue.
See libpng version 1.2.32 for more information.


Systems Affected
Vendor	Status	Date Notified	Date Updated
libpng	Vulnerable		2008-10-02


References

http://sourceforge.net/tracker/index.php?func=detail&aid=2095669&group_id=5624&atid=105624
http://sourceforge.net/mailarchive/forum.php?thread_name=e56ccc8f0809180317u6a5306fg14683947affb3e1b%40mail.gmail.com&forum_name=png-mng-implement


Credit

This issue was reported by the PNG Development Group in libpng version
1.2.32.

This document was written by Chris Taschner.

Other Information
Date Public:	2008-09-05
Date First Published:	2008-10-02
Date Last Updated:	2008-10-02
CERT Advisory:	
CVE-ID(s):	CVE-2008-3964
NVD-ID(s):	CVE-2008-3964
US-CERT Technical Alerts:	
Metric:	3,97
Document Revision:	7

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================