{"vuid":"VU#477046","idnumber":"477046","name":"libpng malformed cHRM divide-by-zero vulnerability","keywords":["libpng","DoS","cHRM"],"overview":"libpng crashes when processing malformed cHRM chunks.","clean_desc":"When libpng encounters a cHRM chunk that is malformed, it will perform a divide-by-zero, causing libpng to crash. This bug was introduced in libpng version 1.5.4 and has been fixed in libpng version 1.5.5.","impact":"By tricking a user into opening a specially crafted PNG file within an application that uses libpng, an attacker may be able to cause a denial of service crash. The PNG Development Group has stated that: Such malformed PNG files are not necessarily malevolent (ones have been observed on the Internet that were created by accident) but they will cause a crash anyway.","resolution":"Apply an Update. This vulnerability is addressed in the following libpng versions: libpng-1.5.5","workarounds":"The PNG Development Group recommends upgrading to libpng-1.5.5. However, if you must continue to use libpng-1.5.4, you can apply the following patch to libpng-1.5.4: 
--- a/libpng/pngrutil.c\n+++ b/libpng/pngrutil.c\n@@ -1037,12 +1037,15 @@ png_handle_cHRM(png_structp png_ptr, png_infop\ninfo_ptr, png_uint_32 length) png_uint_32 w = y_red + y_green + y_blue; - png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *\n- 32768)/w); - png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green\n- * 32768)/w); - png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *\n- 32768)/w); + if (w != 0) + png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *\n+ 32768)/w); + png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green\n+ * 32768)/w); + png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *\n+ 32768)/w); #endif","sysaffected":"According to The PNG Development Group: Those that use a \"s","thanks":"Thanks to Glenn Randers-Pehrson of the PNG Development Group for reporting this vulnerability.","author":"This document was written by Michael Orlando.","public":["http://libpng.sf.net/index.html","ftp://ftp.simplesystems.org/pub/png/src","https://sourceforge.net/tracker/index.php?func=detail&aid=3406145&group_id=5624&atid=105624"],"cveids":["CVE","2011-3328"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2011-09-09T12:03:01Z","publicdate":"2011-09-22T00:00:00Z","datefirstpublished":"2011-09-22T19:46:56Z","dateupdated":"2011-09-23T11:27:06Z","revision":16,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"15","cam_impact":"3","cam_easeofexploitation":"2","cam_attackeraccessrequired":"12","cam_scorecurrent":"0.06075","cam_scorecurrentwidelyknown":"0.46575","cam_scorecurrentwidelyknownexploited":"0.87075","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationleve
l":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.06075,"vulnote":null}
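Review bot: In the png_handle_cHRM hunk of pngrutil.c, the added `if (w != 0)` is followed by three assignments with no braces visible, so as shown only rgb_to_gray_red_coeff is guarded and the divisions by w for rgb_to_gray_green_coeff and rgb_to_gray_blue_coeff still execute when w is 0. Wrap all three assignments in one braced block under the check. It would also help to document what the coefficients are expected to hold when w is 0, since in that case the assignments are skipped and the fields keep their previous values.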