LibPNG Malformed PNG Out-of-Bounds Access Denial of Service Vulnerability

Published: 2004-04-30
Updated: 2004-05-08

Affected systems:
libpng libpng 1.2.5
libpng libpng 1.2.4
libpng libpng 1.2.3
libpng libpng 1.2.1
libpng libpng 1.2.0
libpng libpng 1.0.9
libpng libpng 1.0.8
libpng libpng 1.0.7
libpng libpng 1.0.6
libpng libpng 1.0.5
libpng libpng 1.0.14
libpng libpng 1.0.12
libpng libpng 1.0.11
libpng libpng 1.0
libpng libpng 1.0.13
    - Conectiva Linux 8.0
    - Conectiva Linux 7.0
    - Debian Linux 3.0
    - Mandrake Linux 9.0
    - Mandrake Linux 8.2
    - RedHat Linux 9.0
    - RedHat Linux 8.0
    - RedHat Linux 7.3
Description:
BUGTRAQ  ID: 10244
CVE(CAN) ID: CVE-2004-0421

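libpng is a library used by many applications to parse the PNG image format.

libpng does not correctly handle certain malformed PNG images. A remote attacker can exploit this vulnerability to cause a denial of service in applications that use the library.

An attacker can construct a specially crafted PNG file that, when opened by an application linked against libpng, triggers an out-of-bounds access and crashes the application, resulting in a denial of service.

<*Source: Steve Grubb (linux_4ever@yahoo.com)
  
  Links: http://www.debian.org/security/2004/dsa-498
         http://www.linux-mandrake.com/en/security/2004/2004-040.php
         https://www.redhat.com/support/errata/RHSA-2004-181.html
*>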

Recommendation:
Vendor patches:

Debian
------
http://www.debian.org/security/2004/dsa-498

MandrakeSoft
------------
MandrakeSoft has released a security advisory (MDKSA-2004:040) and corresponding patches for this issue:
MDKSA-2004:040: Updated libpng packages fix vulnerability
Link: http://www.linux-mandrake.com/en/security/2004/2004-040.php

Patch downloads:

Updated Packages:

Mandrakelinux 10.0:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libpng3-1.2.5-10.2.100mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libpng3-devel-1.2.5-10.2.100mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libpng3-static-devel-1.2.5-10.2.100mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/SRPMS/libpng-1.2.5-10.2.100mdk.src.rpm

Corporate Server 2.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/libpng3-1.2.4-3.4.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/libpng3-devel-1.2.4-3.4.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/libpng3-static-devel-1.2.4-3.4.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/libpng-1.2.4-3.4.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/libpng3-1.2.4-3.4.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/libpng3-devel-1.2.4-3.4.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/libpng3-static-devel-1.2.4-3.4.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/libpng-1.2.4-3.4.C21mdk.src.rpm

Mandrakelinux 9.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/libpng3-1.2.5-2.2.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/libpng3-devel-1.2.5-2.2.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/libpng3-static-devel-1.2.5-2.2.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/libpng-1.2.5-2.2.91mdk.src.rpm

Mandrakelinux 9.1/PPC:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/libpng3-1.2.5-2.2.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/libpng3-devel-1.2.5-2.2.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/libpng3-static-devel-1.2.5-2.2.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/libpng-1.2.5-2.2.91mdk.src.rpm

Mandrakelinux 9.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/libpng3-1.2.5-7.2.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/libpng3-devel-1.2.5-7.2.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/libpng3-static-devel-1.2.5-7.2.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/SRPMS/libpng-1.2.5-7.2.92mdk.src.rpm

Mandrakelinux 9.2/AMD64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/lib64png3-1.2.5-7.2.92mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/lib64png3-devel-1.2.5-7.2.92mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/lib64png3-static-devel-1.2.5-7.2.92mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/SRPMS/libpng-1.2.5-7.2.92mdk.src.rpm

Multi Network Firewall 8.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/mnf8.2/RPMS/libpng3-1.2.4-3.4.M82mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/mnf8.2/SRPMS/libpng-1.2.4-3.4.M82mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi.  The verification

The updated packages above can also be downloaded from any of the mirror FTP servers listed at:
http://www.mandrakesecure.net/en/ftp.php

RedHat
------
RedHat has released a security advisory (RHSA-2004:181-01) and corresponding patches for this issue:
RHSA-2004:181-01: Updated libpng packages fix crash
Link: https://www.redhat.com/support/errata/RHSA-2004-181.html

Patch downloads:

RedHat libpng-1.2.2-20.i386.rpm :

RedHat RPM libpng-1.2.2-20.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/libpng-1.2.2-20.i386.rpm

RedHat libpng-devel-1.2.2-20.i386.rpm :

RedHat RPM libpng-devel-1.2.2-20.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/libpng-devel-1.2.2-20.i386.rpm

RedHat libpng10-1.0.13-11.i386.rpm :

RedHat RPM libpng10-1.0.13-11.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/libpng10-1.0.13-11.i386.rpm

RedHat libpng10-devel-1.0.13-11.i386.rpm :

RedHat RPM libpng10-devel-1.0.13-11.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/libpng10-devel-1.0.13-11.i386.rpm

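This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.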