{"vuid":"VU#889484","idnumber":"889484","name":"libpng off-by-one vulnerability","keywords":["zTXt","pngtest.c","png_push_read_zTXt"],"overview":"A vulnerability exists in libpng that may allow a remote attacker to cause a denial of service.","clean_desc":"A vulnerability in the way libpng handles files that contain multiple zTXt chunks may cause a denial of service. This vulnerability is due to an off-by-one error introduced in the png_push_read_zTXt() function in libpng-1.2.30/pngpread.c. According to the PNG Development Group: Gecko-based applications such as Firefox are not vulnerable because they contain a png_set_keep_unknown_chunks() call that causes the application to ignore the zTXt chunk. Note that this issue affects libpng versions 1.0.38, 1.0.39, 1.2.30, 1.2.31, and libpng-1.4.0beta.","impact":"A remote, unauthorized attacker may be able to cause a denial of service.","resolution":"Upgrade\n The PNG Development Group has issued an upgrade to address this issue. See libpng version 1.2.32 for more information.","workarounds":"","sysaffected":"","thanks":"This issue was reported by the \nPNG Development Group in \nlibpng version 1.2.32","author":"This document was written by Chris Taschner.","public":["http://sourceforge.net/tracker/index.php?func=detail&aid=2095669&group_id=5624&atid=105624","http://sourceforge.net/mailarchive/forum.php?thread_name=e56ccc8f0809180317u6a5306fg14683947affb3e1b%40mail.gmail.com&forum_name=png-mng-implement"],"cveids":["CVE-2008-3964"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2008-09-22T12:06:53Z","publicdate":"2008-09-05T00:00:00Z","datefirstpublished":"2008-10-02T18:14:52Z","dateupdated":"2008-10-02T19:57:15Z","revision":9,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"17","cam_exploitation":"20","cam_internetinfrastructure":"5","cam_population":"7","cam_impact":"3","cam_easeofexploitation":"12","cam_attackeraccessrequired":"20","cam_scorecurrent":"3.969","cam_scorecurrentwidelyknown":"4.2525","cam_scorecurrentwidelyknownexploited":"4.2525","ipprotocol":"","cvss_accessvector":"--","cvss_accesscomplexity":"--","cvss_authentication":null,"cvss_confidentialityimpact":"--","cvss_integrityimpact":"--","cvss_availabilityimpact":"--","cvss_exploitablity":null,"cvss_remediationlevel":"ND","cvss_reportconfidence":"ND","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"ND","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"0","cvss_basevector":"AV:--/AC:--/Au:--/C:--/I:--/A:--","cvss_temporalscore":"0","cvss_environmentalscore":"0","cvss_environmentalvector":"CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND","metric":3.969,"vulnote":null}