CVE-2010-0205Uncontrolled Resource Consumption in Libpng

CWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or Throttling8 documents7 sources
Severity
4.3MEDIUMNVD
EPSS
4.6%
top 10.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Apple MAC OS XLibpngCanonical Ubuntu Linux+4 more
Timeline
PublishedMar 3
Latest updateDec 29

Description

The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, rela

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

NVDlibpng/libpng1.0.01.0.53+2
NVDapple/mac_os_x< 10.6.5
NVDopensuse/opensuse11.0, 11.1, 11.2+2

Also affects: Debian Linux 5.0, 6.0, Fedora 11, 12, 13, Ubuntu Linux 6.06, 8.04, 8.10, 9.04, 9.10

Patches

Patch: www.securityfocus.comPatch: www.securityfocus.com

🔴Vulnerability Details

2
GHSA
GHSA-qjvj-64rf-p4qg: The png_decompress_chunk function in pngrutil2022-05-02
CVEList
CVE-2010-0205: The png_decompress_chunk function in pngrutil2010-03-03

📋Vendor Advisories

2
Ubuntu
libpng vulnerabilities2010-03-16
Red Hat
libpng: excessive memory consumption due to highly compressed huge ancillary chunk2010-03-01

📄Research Papers

1
arXiv
One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware2022-12-29

💬Community

2
Bugzilla
CVE-2014-0205 kernel: futex: refcount issue in case of requeue2014-05-05
Bugzilla
CVE-2010-0205 libpng: excessive memory consumption due to highly compressed huge ancillary chunk2010-02-17
CVE-2010-0205 — Uncontrolled Resource Consumption | cvebase