Note: This is an archival copy of Security Sun Alert 259989 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020521.1.
SUNBUG: 6745161, SUNBUG: 6755267, SUNBUG: 6813939
Date of Workaround Release
Security Vulnerability in Solaris libpng(3) May Allow Denial of Service (DoS) or Privilege Escalation
Multiple security vulnerabilities in libpng(3), which is shipped
with Solaris, may allow a local or remote unprivileged user to cause a
Denial of Service (DoS) of applications linked to libpng(3), or
potentially to execute arbitrary code with the privileges of the user
running the application, when a user has loaded a specially crafted
Portable Network Graphics (PNG) format image file (.png) supplied by an
CERT VU#649212 http://www.kb.cert.org/vuls/id/649212
2. Contributing Factors
This issue can occur in the following releases:
Note 1: OpenSolaris distributions may include additional bug
fixes above and beyond the build from which they were derived.
$ uname -v
Note 2: To determine if an application has a dynamic
dependency on the libpng(3) library, the ldd(1) utility can be used:
$ ldd /bin/evince | grep libpng
However, some applications may use libpng(3) but not report libpng
as a dynamic dependency with ldd(1) if the library is loaded by
dlopen(3C). Therefore, to display all shared objects used by an
application, pldd(1) should be used against the running process:
$ pldd <pid of application> | grep libpng
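The two checks from Note 2 combined, as an added example that is not part of the original Sun Alert: it reports whether a program uses libpng as a recorded dynamic dependency, only through dlopen(3C), or not at all. The function names and the sample ldd(1)/pldd(1) output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): classify libpng use from ldd/pldd output.

# has_libpng: read ldd(1) or pldd(1) output on stdin; succeed if any line
# names a libpng shared object (libpng.so, libpng12.so.0, ...).
has_libpng() {
    grep -E '(^|/|[[:space:]])libpng[0-9]*\.so' >/dev/null
}

# classify_libpng LDD_TEXT PLDD_TEXT -> prints one of:
#   linked : listed by ldd (dependency recorded in the binary)
#   dlopen : absent from ldd but mapped in the running process
#   none   : seen in neither output
classify_libpng() {
    if printf '%s\n' "$1" | has_libpng; then
        echo linked
    elif printf '%s\n' "$2" | has_libpng; then
        echo dlopen
    else
        echo none
    fi
}

# audit_process PID BINARY: run the real tools and print one result line.
# A tool that is missing or denied access yields empty output, not an error.
audit_process() {
    ldd_out=$(ldd "$2" 2>/dev/null) || ldd_out=
    pldd_out=$(pldd "$1" 2>/dev/null) || pldd_out=
    printf '%s\t%s\t%s\n' "$1" "$2" "$(classify_libpng "$ldd_out" "$pldd_out")"
}

# Constructed sample output (paths and PID are illustrative only).
SAMPLE_LDD_LINKED='        libpng12.so.0 =>         /usr/lib/libpng12.so.0
        libc.so.1 =>     /lib/libc.so.1'
SAMPLE_LDD_PLAIN='        libc.so.1 =>     /lib/libc.so.1'
SAMPLE_PLDD_DLOPEN='1234:   /usr/bin/viewer
/lib/libc.so.1
/usr/lib/libpng12.so.0'
```

A result of `dlopen` marks the case the note warns about: ldd(1) alone would have reported the application as unaffected.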
If the described issues are exploited to cause a Denial of Service
(DoS), the application which links to the libpng(3) library will exit
and may generate an error message about a Segmentation Fault, possibly
writing a core(4) file.
There are no predictable symptoms which would indicate that these issues have been exploited to execute arbitrary code.