CVE Vulnerability

CVE-2008-5907

The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '' character constant to a NULL pointer. NOTE: some sources incorrectly report this as a double free vulnerability.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

References
Link Resource
http://libpng.sourceforge.net/index.html Third Party Advisory
http://openwall.com/lists/oss-security/2009/01/09/1 Mailing List Third Party Advisory
http://sourceforge.net/mailarchive/forum.php?thread_name=4B6F0239C13D0245820603C036D180BC79FBAA%40CABOTUKEXCH01.cabot.local&forum_name=png-mng-implement Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2009:051 Third Party Advisory
http://security.gentoo.org/glsa/glsa-200903-28.xml Third Party Advisory
http://secunia.com/advisories/34320 Third Party Advisory
http://secunia.com/advisories/34388 Third Party Advisory
http://www.debian.org/security/2009/dsa-1750 Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/48128 Third Party Advisory VDB Entry
Configurations

Configuration 1

cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*
cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
Information

Published : 2009-01-15 05:30

Updated : 2018-11-08 08:18

NVD link : CVE-2008-5907

Mitre link : CVE-2008-5907

Products Affected
No products.
CWE
NVD-CWE-noinfo