Severity: 2/4
 Consequences: denial of service of service, denial of service of client
 Provenance: document
 Means of attack: no proof of concept, no attack
 Ability of attacker: expert (4/4)
 Confidence: confirmed by the editor (5/5)
 Diffusion of the vulnerable configuration: high (3/3)
 Creation date: 03/03/2010

IMPACTED PRODUCTS

 Unix - plateform

DESCRIPTION OF THE VULNERABILITY

A PNG image can contain ancillary chunks:
 zTXt : compressed text
 iTXt : international text, which can be compressed
 iCCP : name of the color correction profile, which can be compressed
 etc.

When libpng analyzes a PNG image containing compressed chunks, the png_decompress_chunk() function does not enforce limits on the uncompressed size, nor on the used CPU resources. For example, a compressed zTXt chunk of 17 kb can be uncompressed to 5 Mb, and a compressed iCCP chunk of 50 kb can be uncompressed to 60 Mb.

An attacker can therefore create an extremely compressed image, and invite the victim to open it with libpng, in order to generate a denial of service on his computer.

CHARACTERISTICS

 Identifiers: BID-38478, CVE-2010-0205, VIGILANCE-VUL-9488, VU#576029
 Url: http://vigilance.fr/vulnerability/l...