Note: This is an archival copy of Security Sun Alert 201606 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001205.1.
Article ID : 1001205.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Multiple Security Vulnerabilities in the Portable Network Graphics (PNG) Library libpng(3)

Category
Security

Release Phase
Resolved

Bug Id
5075227

Date of Workaround Release
06-AUG-2004

Date of Resolved Release
14-OCT-2004

Impact

Multiple vulnerabilities in libpng(3) may allow a remote unprivileged user to execute arbitrary code with the privileges of a local user, when that local user has loaded a Portable Network Graphics (PNG) format image file (.png) supplied by an untrusted remote user. The PNG file may be picked up in email or loaded from an untrusted web site.

Note: The Portable Network Graphics library (libpng(3)) is used to manipulate and display graphics. Many applications may have been dynamically linked to this library.

This issue is described in the following documents:

Technical Cyber Security Alert TA04-217A at http://www.us-cert.gov/cas/techalerts/TA04-217A.html

Chris Evans Security Advisory 2004.1 at http://scary.beasts.org/security/CESA-2004-001.txt

US-CERT Vulnerability Note VU#388984 at http://www.kb.cert.org/vuls/id/388984

US-CERT Vulnerability Note VU#817368 at http://www.kb.cert.org/vuls/id/817368

US-CERT Vulnerability Note VU#286464 at http://www.kb.cert.org/vuls/id/286484

US-CERT Vulnerability Note VU#477512 at http://www.kb.cert.org/vuls/id/477512

US-CERT Vulnerability Note VU#160448 at http://www.kb.cert.org/vuls/id/160448

US-CERT Vulnerability Note VU#236656 at http://www.kb.cert.org/vuls/id/236656

CVE CAN-2004-0597 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • GNOME 2.0 (for Solaris 8) without patch 114816-02
  • GNOME 2.0 (for Solaris 9) without patches 114818-06 and 114820-05
  • GNOME 2.0.2 (for Solaris 9) without patch 114822-04

x86 Platform

  • GNOME 2.0 (for Solaris 8) without patch 114817-02
  • GNOME 2.0 (for Solaris 9) without patch 114819-06

Linux Platform

  • Sun Java Desktop Systems (JDS) release 2003 and JDS release 2 without the updated RPMs (patch-9279)

Note: Solaris 7 is not affected by this issue.

To determine the version of GNOME that is currently installed on the system, run the following command (output will vary by platform): 

    % grep description /usr/share/gnome/gnome-about/gnome-version.xml
<description>fcs-10b</description> for GNOME 2.0 releases
<description>2.0.0_patch-us2</description>

or: 

    <description>s9u4s-2_0_2-08</description> for GNOME 2.0.2 on SPARC
<description>s9u4s-2_0_2_patch-18</description>

or: 

    <description>s9u4x-2_0_2-08</description> for GNOME 2.0.2 Intel
<description>s9u4x-2_0_2_patch-18</description>

Alternatively (for the same results), in a terminal window from within the GNOME desktop, the following command can be run: 

    % /usr/bin/gnome-about

To determine the release of JDS for Linux currently installed on your system, the following command can be run: 

    % cat /etc/sun-release
Sun Java Desktop System, Release 2 -build 10b (GA)
Assembled 30 March 2004

Symptoms

There are no reliable symptoms that would indicate the described issue has been exploited.


Workaround

There are two options to work around the described issue:

  1. Do not view untrusted PNG files (or to be completely safe, do not view any PNG files).
  2. Avoid using the libpng(3) library to handle PNG graphics.

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • GNOME 2.0 (for Solaris 8) with patch 114816-02 or later
  • GNOME 2.0 (for Solaris 9) with patches 114818-06 or later and 114820-05 or later
  • GNOME 2.0.2 (for Solaris 9) with patch 114822-04 or later

Note: Both patches for GNOME 2.0 on Solaris 9 must be installed to resolve this issue (114818-06 is 32-bit; 114820-05 is 64-bit).

x86 Platform

  • GNOME 2.0 (for Solaris 8) with patch 114817-02 or later
  • GNOME 2.0 (for Solaris 9) with patch 114819-06 or later

Linux Platform

  • Sun Java Desktop Systems (JDS) release 2003 and JDS release 2 with the updated RPMs (patch-9279)

To download and install the updated RPMs from the update servers, select the following from the "launch" bar: 

    Launch >> Applications >> System Tools >> Online Update


Modification History
Date: 14-OCT-2004
  • Added updated patch information to Contributing Factors and Resolution sections, re-release as "Resolved"

Date: 18-AUG-2004
  • Removed "8/03 or later update release" from Solaris 9 description in "Contributing Factors" section


Product
GNOME 2.0 Desktop

References

114816-02
114817-02
114818-06
114819-06
114820-04
114822-04





Attachments
This solution has no attachment