Note: This is an archival copy of Security Sun Alert 201606 as previously published on
Latest version of this security advisory is available from as Sun Alert 1001205.1.
Article ID : 1001205.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Multiple Security Vulnerabilities in the Portable Network Graphics (PNG) Library libpng(3)


Release Phase

Bug Id

Date of Workaround Release

Date of Resolved Release


Multiple vulnerabilities in libpng(3) may allow a remote unprivileged user to execute arbitrary code with the privileges of a local user, when that local user has loaded a Portable Network Graphics (PNG) format image file (.png) supplied by an untrusted remote user. The PNG file may be picked up in email or loaded from an untrusted web site.

Note: The Portable Network Graphics library (libpng(3)) is used to manipulate and display graphics. Many applications may have been dynamically linked to this library.

This issue is described in the following documents:

Technical Cyber Security Alert TA04-217A at

Chris Evans Security Advisory 2004.1 at

US-CERT Vulnerability Note VU#388984 at

US-CERT Vulnerability Note VU#817368 at

US-CERT Vulnerability Note VU#286464 at

US-CERT Vulnerability Note VU#477512 at

US-CERT Vulnerability Note VU#160448 at

US-CERT Vulnerability Note VU#236656 at

CVE CAN-2004-0597 at

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • GNOME 2.0 (for Solaris 8) without patch 114816-02
  • GNOME 2.0 (for Solaris 9) without patches 114818-06 and 114820-05
  • GNOME 2.0.2 (for Solaris 9) without patch 114822-04

x86 Platform

  • GNOME 2.0 (for Solaris 8) without patch 114817-02
  • GNOME 2.0 (for Solaris 9) without patch 114819-06

Linux Platform

  • Sun Java Desktop Systems (JDS) release 2003 and JDS release 2 without the updated RPMs (patch-9279)

Note: Solaris 7 is not affected by this issue.

To determine the version of GNOME that is currently installed on the system, run the following command (output will vary by platform):

    % grep description /usr/share/gnome/gnome-about/gnome-version.xml
<description>fcs-10b</description> for GNOME 2.0 releases


    <description>s9u4s-2_0_2-08</description> for GNOME 2.0.2 on SPARC


    <description>s9u4x-2_0_2-08</description> for GNOME 2.0.2 Intel

Alternatively (for the same results), in a terminal window from within the GNOME desktop, the following command can be run:

    % /usr/bin/gnome-about

To determine the release of JDS for Linux currently installed on your system, the following command can be run:

    % cat /etc/sun-release
Sun Java Desktop System, Release 2 -build 10b (GA)
Assembled 30 March 2004


There are no reliable symptoms that would indicate the described issue has been exploited.


There are two options to work around the described issue:

  1. Do not view untrusted PNG files (or to be completely safe, do not view any PNG files).
  2. Avoid using the libpng(3) library to handle PNG graphics.


This issue is addressed in the following releases:

SPARC Platform

  • GNOME 2.0 (for Solaris 8) with patch 114816-02 or later
  • GNOME 2.0 (for Solaris 9) with patches 114818-06 or later and 114820-05 or later
  • GNOME 2.0.2 (for Solaris 9) with patch 114822-04 or later

Note: Both patches for GNOME 2.0 on Solaris 9 must be installed to resolve this issue (114818-06 is 32-bit; 114820-05 is 64-bit).

x86 Platform

  • GNOME 2.0 (for Solaris 8) with patch 114817-02 or later
  • GNOME 2.0 (for Solaris 9) with patch 114819-06 or later

Linux Platform

  • Sun Java Desktop Systems (JDS) release 2003 and JDS release 2 with the updated RPMs (patch-9279)

To download and install the updated RPMs from the update servers, select the following from the "launch" bar:

    Launch >> Applications >> System Tools >> Online Update

Modification History
Date: 14-OCT-2004
  • Added updated patch information to Contributing Factors and Resolution sections, re-release as "Resolved"

Date: 18-AUG-2004
  • Removed "8/03 or later update release" from Solaris 9 description in "Contributing Factors" section

GNOME 2.0 Desktop



This solution has no attachment