Vulnerability Description
The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds read) via a large avail_in field value in a PNG image.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Ubuntu Linux | 12.04 |
| Libpng | Libpng | 1.4.0 |
| Opensuse | Opensuse | 11.4 |
| Redhat | Libpng | 1.2.2-16 |
| Debian | Debian Linux | 6.0 |
Related Weaknesses (CWE)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668082Third Party Advisory
- http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng%3Ba=blob%3Bf=CH
- http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng%3Ba=blob%3Bf=CH
- http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng%3Ba=blob%3Bf=CH
- http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng%3Ba=blob%3Bf=CH
- http://lists.opensuse.org/opensuse-updates/2012-08/msg00004.htmlThird Party Advisory
- http://www.openwall.com/lists/oss-security/2012/07/24/3
- http://www.openwall.com/lists/oss-security/2012/07/24/5
- http://www.ubuntu.com/usn/USN-2815-1Third Party Advisory
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668082Third Party Advisory
- http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng%3Ba=blob%3Bf=CH
- http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng%3Ba=blob%3Bf=CH
- http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng%3Ba=blob%3Bf=CH
- http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng%3Ba=blob%3Bf=CH
- http://lists.opensuse.org/opensuse-updates/2012-08/msg00004.htmlThird Party Advisory
FAQ
What is CVE-2012-3425?
CVE-2012-3425 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out...
How severe is CVE-2012-3425?
CVE-2012-3425 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-3425?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Libpng Libpng, Opensuse Opensuse, Redhat Libpng, Debian Debian Linux.