Upstream information

CVE-2008-5907 at MITRE

Description

The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer. NOTE: some sources incorrectly report this as a double free vulnerability.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 5
Vector AV:N/AC:L/Au:N/C:N/I:P/A:N
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact None
Integrity Impact Partial
Availability Impact None
SUSE Bugzilla entries: 467308 [RESOLVED / FIXED], 608040 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Server 11 SP1
  • libpng12-0 >= 1.2.31-5.12.1
  • libpng12-0-32bit >= 1.2.31-5.12.1
  • libpng12-0-x86 >= 1.2.31-5.12.1
Patchnames:
SUSE Linux Enterprise Server 11 SP1 GA libpng12-0
SUSE Linux Enterprise Server 11 SP2
  • libpng12-0 >= 1.2.31-5.25.1
  • libpng12-0-32bit >= 1.2.31-5.25.1
  • libpng12-0-x86 >= 1.2.31-5.25.1
Patchnames:
SUSE Linux Enterprise Server 11 SP2 GA libpng12-0
SUSE Linux Enterprise Server 11 SP3
  • libpng12-0 >= 1.2.31-5.31.1
  • libpng12-0-32bit >= 1.2.31-5.31.1
  • libpng12-0-x86 >= 1.2.31-5.31.1
Patchnames:
SUSE Linux Enterprise Server 11 SP3 GA libpng12-0
SUSE Linux Enterprise Server 11 SP4
  • libpng12-0 >= 1.2.31-5.33.1
  • libpng12-0-32bit >= 1.2.31-5.33.1
  • libpng12-0-x86 >= 1.2.31-5.33.1
Patchnames:
SUSE Linux Enterprise Server 11 SP4 GA libpng12-0
SUSE Linux Enterprise Software Development Kit 11 SP4
  • libpng-devel >= 1.2.31-5.33.1
  • libpng-devel-32bit >= 1.2.31-5.33.1
Patchnames:
SUSE Linux Enterprise Software Development Kit 11 SP4 GA libpng-devel
openSUSE 11.0
  • libpng12-0-debuginfo >= 1.2.26-14.4
  • libpng12-0-debugsource >= 1.2.26-14.4
openSUSE 11.0
  • libpng-devel >= 1.2.26-14.4
  • libpng-devel-32bit >= 1.2.26-14.4
  • libpng-devel-64bit >= 1.2.26-14.4
  • libpng12-0 >= 1.2.26-14.4
  • libpng12-0-32bit >= 1.2.26-14.4
  • libpng12-0-64bit >= 1.2.26-14.4
  • libpng3 >= 1.2.26-14.4
openSUSE 11.1
  • libpng12-0-debuginfo >= 1.2.31-4.35.1
  • libpng12-0-debuginfo-32bit >= 1.2.31-4.35.1
  • libpng12-0-debuginfo-64bit >= 1.2.31-4.35.1
  • libpng12-0-debugsource >= 1.2.31-4.35.1
openSUSE 11.1
  • libpng-devel >= 1.2.31-4.35.1
  • libpng-devel-32bit >= 1.2.31-4.35.1
  • libpng-devel-64bit >= 1.2.31-4.35.1
  • libpng12-0 >= 1.2.31-4.35.1
  • libpng12-0-32bit >= 1.2.31-4.35.1
  • libpng12-0-64bit >= 1.2.31-4.35.1
  • libpng3 >= 1.2.31-4.35.1
Novell Linux Desktop 9 for x86
Open Enterprise Server
  • libpng >= 1.2.5-182.20
  • libpng-devel >= 1.2.5-182.20
core9.ppc
sles9-oes.x86
core9.x86-64
core9.ia64
core9.s390
sles9-nld.x86-64
sles9-nld.x86
core9.s390x
core9.x86
sles9-nlpos.x86
YOU Patch Nr: 12339
Novell Linux Desktop 9 for x86_64
  • libpng >= 1.2.5-182.20
  • libpng-32bit >= 9-200901202355
  • libpng-devel >= 1.2.5-182.20
core9.ppc
sles9-oes.x86
core9.x86-64
core9.ia64
core9.s390
sles9-nld.x86-64
sles9-nld.x86
core9.s390x
core9.x86
sles9-nlpos.x86
YOU Patch Nr: 12339