Vigil@nce: libpng, overflow via zTXt
October 2008 by Vigil@nce
An attacker can craft a malicious PNG image in order to cause a
denial of service or code execution in applications linked to
libpng.
– Gravity: 2/4
– Consequences: user access/rights, denial of service of client
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 24/09/2008
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION
A PNG image is composed of a series of chunks, each identified by a
four-letter type:
– IHDR : header
– IDAT : image data
– tEXt : text
– zTXt : text compressed with zlib
The png_push_read_zTXt() function of the libpng-1.2.3x/pngpread.c
file incorrectly computes the size of the buffer that stores the
text. The buffer is one byte too short, so the terminating null
character ('\0') is written one byte past the end of the buffer and
corrupts memory. If the image contains several zTXt chunks, several
bytes are corrupted in this way.
An attacker can therefore craft a malicious PNG image in order to
cause a denial of service or code execution in applications linked
to libpng.
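As an added illustration (not libpng code and not part of the advisory), the following C walks the chunk list of a PNG byte stream, checks the layout of each zTXt chunk, and copies text into a buffer whose size includes the terminating null, the byte the miscomputed allocation leaves out. The sample PNG stream is constructed: its CRC fields are zero and its zlib data is a placeholder that is never inflated.

```c
/* Added example (not libpng code): PNG chunk walk, zTXt layout check, safe text copy. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static uint32_t be32(const uint8_t *p) {          /* PNG lengths are big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Copy text_len bytes into a null-terminated buffer (caller frees).
 * Allocating text_len alone is the off-by-one the advisory describes:
 * the '\0' would then land one byte past the end of the buffer. */
char *store_text(const uint8_t *text, size_t text_len) {
    char *out = malloc(text_len + 1);             /* +1 for the terminator */
    if (!out) return NULL;
    memcpy(out, text, text_len);
    out[text_len] = '\0';                         /* in bounds thanks to the +1 */
    return out;
}

/* zTXt payload: keyword (1..79 bytes), '\0', compression method (only 0
 * is defined), then zlib data. Returns the compressed data length, or -1
 * if the layout is malformed. The zlib data is not inflated here. */
long ztxt_compressed_len(const uint8_t *data, uint32_t len) {
    const uint8_t *nul = memchr(data, '\0', len);
    if (!nul) return -1;
    size_t kw = (size_t)(nul - data);
    if (kw < 1 || kw > 79 || kw + 2 > len || data[kw + 1] != 0) return -1;
    return (long)(len - kw - 2);
}

/* Count well-formed zTXt chunks up to IEND; -1 on a bad signature, a chunk
 * length running past the end of the data, or a missing IEND. CRCs are not checked. */
int count_ztxt_chunks(const uint8_t *buf, size_t len) {
    static const uint8_t sig[8] = {0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a};
    if (len < 8 || memcmp(buf, sig, 8) != 0) return -1;
    int n = 0;
    for (size_t off = 8; off + 12 <= len; ) {     /* len(4) + type(4) + crc(4) */
        uint32_t clen = be32(buf + off);
        if (clen > len - off - 12) return -1;     /* declared length runs past the data */
        const uint8_t *type = buf + off + 4;
        if (!memcmp(type, "zTXt", 4) && ztxt_compressed_len(type + 4, clen) >= 0) n++;
        if (!memcmp(type, "IEND", 4)) return n;
        off += 12 + clen;
    }
    return -1;
}

/* Constructed sample: two zTXt chunks, then IEND; CRC fields are left zero. */
const uint8_t sample_png[] = { 0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a,
    0,0,0,10, 'z','T','X','t', 'T','i','t','l','e',0, 0, 0x78,0x9c,0x03, 0,0,0,0,
    0,0,0,11, 'z','T','X','t', 'C','o','m','m','e','n','t',0, 0, 0x78,0x9c, 0,0,0,0,
    0,0,0,0, 'I','E','N','D', 0,0,0,0 };
```

A stream whose last chunk is cut short is rejected rather than read past its end, which is the check the walker enforces before looking at any chunk body.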
CHARACTERISTICS
– Identifiers: CVE-2008-3964, VIGILANCE-VUL-8133
– Url: http://vigilance.aql.fr/vulnerability/8133