Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2010-0205

The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack.

Published

2010-03-03T19:30:00.493

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-400

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	libpng	libpng	< 1.0.53	Yes
Application	libpng	libpng	< 1.2.43	Yes
Application	libpng	libpng	< 1.4.1	Yes
Operating System	apple	mac_os_x	< 10.6.5	Yes
Operating System	fedoraproject	fedora	11	Yes
Operating System	fedoraproject	fedora	12	Yes
Operating System	fedoraproject	fedora	13	Yes
Operating System	opensuse	opensuse	11.0	Yes
Operating System	opensuse	opensuse	11.1	Yes
Operating System	opensuse	opensuse	11.2	Yes
Operating System	suse	linux_enterprise_server	9	Yes
Operating System	suse	linux_enterprise_server	10	Yes
Operating System	suse	linux_enterprise_server	11	Yes
Operating System	suse	linux_enterprise_server	11	Yes
Operating System	canonical	ubuntu_linux	6.06	Yes
Operating System	canonical	ubuntu_linux	8.04	Yes
Operating System	canonical	ubuntu_linux	8.10	Yes
Operating System	canonical	ubuntu_linux	9.04	Yes
Operating System	canonical	ubuntu_linux	9.10	Yes
Operating System	debian	debian_linux	5.0	Yes
Operating System	debian	debian_linux	6.0	Yes

References

http://libpng.sourceforge.net/ADVISORY-1.4.1.html Third Party Advisory ([email protected])
http://libpng.sourceforge.net/decompression_bombs.html Third Party Advisory ([email protected])
http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html Mailing List, Third Party Advisory ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037237.html Third Party Advisory ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037355.html Third Party Advisory ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037364.html Third Party Advisory ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037607.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html Mailing List ([email protected])
http://lists.vmware.com/pipermail/security-announce/2010/000105.html Third Party Advisory ([email protected])
http://osvdb.org/62670 Broken Link ([email protected])
http://secunia.com/advisories/38774 Third Party Advisory ([email protected])
http://secunia.com/advisories/39251 Third Party Advisory ([email protected])
http://secunia.com/advisories/41574 Third Party Advisory ([email protected])
http://support.apple.com/kb/HT4435 Broken Link ([email protected])
http://ubuntu.com/usn/usn-913-1 Third Party Advisory ([email protected])
http://www.debian.org/security/2010/dsa-2032 Third Party Advisory ([email protected])
http://www.kb.cert.org/vuls/id/576029 Third Party Advisory, US Government Resource ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2010:063 Third Party Advisory ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2010:064 Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/38478 Patch, Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id?1023674 Third Party Advisory, VDB Entry ([email protected])
http://www.vmware.com/security/advisories/VMSA-2010-0014.html Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/0517 Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/0605 Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/0626 Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/0637 Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/0667 Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/0682 Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/0686 Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/0847 Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/1107 Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/2491 Third Party Advisory ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/56661 Third Party Advisory, VDB Entry ([email protected])
http://libpng.sourceforge.net/ADVISORY-1.4.1.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://libpng.sourceforge.net/decompression_bombs.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037237.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037355.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037364.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037607.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://lists.vmware.com/pipermail/security-announce/2010/000105.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://osvdb.org/62670 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/38774 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/39251 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/41574 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT4435 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://ubuntu.com/usn/usn-913-1 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2010/dsa-2032 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.kb.cert.org/vuls/id/576029 Third Party Advisory, US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2010:063 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2010:064 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/38478 Patch, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id?1023674 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.vmware.com/security/advisories/VMSA-2010-0014.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/0517 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/0605 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/0626 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/0637 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/0667 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/0682 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/0686 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/0847 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/1107 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/2491 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/56661 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)