Severity: 1/4

Consequences: data reading

Provenance: document

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: low (1/3)

Creation date: 22/06/2009

IMPACTED PRODUCTS

 Fedora
 Slackware Linux
 Unix - plateform

DESCRIPTION OF THE VULNERABILITY

An interlaced image is built with a large mesh (line/row are skipped) with is shrunk on each pass.

The png_read_start_row() function of the pngrutil.c file reads a line from the image. However, when the image is binary, interlaced and when its width/height is not a multiple of 8, last pixels at the end of lines are not initialised by png_read_start_row().

If an attacker can re-read this image loaded by libpng, he can thus read the last pixels to obtain fragments coming directly from the memory. To use this attack, the attacker has for example to capture a screenshot with a malicious picture displayed by a software using libpng.

An attacker can thus obtain a fragment of the memory of the application linked to libpng.

CHARACTERISTICS

Identifiers: BID-35233, CVE-2009-2042, FEDORA-2009-6506, FEDORA-2009-6531, FEDORA-2009-6603, SSA:2009-170-01, VIGILANCE-VUL-8813 http://vigilance.fr/vulnerability/libpng-memory-reading-via-interlacing-8813