Vulnerability in libpng (CVE-2009-2042)
CVSS v2.0 severity:
MEDIUM
Type:
CWE-200
Information disclosure
Published:
12 June 2009
Last modified:
9 April 2025
Description
libpng before 1.2.37 does not properly parse 1-bit interlaced images whose width is not divisible by 8, which causes libpng to include uninitialized bits in certain rows of the PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file.
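All three conditions named in the description (1-bit depth, interlacing, a width that is not a multiple of 8) are visible in the PNG IHDR chunk, so a file can be checked for the affected pattern before it reaches a decoder, and an upstream libpng version string can be compared against the 1.2.37 fix. The Python below is an added triage example written for this page; it is not code from the page or from libpng. It parses the signature and IHDR (verifying the chunk CRC), flags images that match the pattern, and does the version comparison. The sample input is constructed inline (signature plus IHDR only, no image data) and all function names are the example's own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Per the advisory text: upstream libpng releases before 1.2.37 are affected.
FIXED_VERSION = (1, 2, 37)


def parse_ihdr(data: bytes) -> dict:
    """Return the IHDR fields of a PNG byte string, verifying signature and CRC.

    Only the 8-byte signature and the first chunk are read; nothing else in
    the file is needed to decide whether the affected decode path is hit.
    """
    if len(data) < 33:
        raise ValueError("too short to hold a PNG signature and IHDR chunk")
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("bad PNG signature")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (stored_crc,) = struct.unpack(">I", data[29:33])
    # The PNG CRC covers the chunk type and chunk data, not the length field.
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, bit_depth, color_type, compression, filt, interlace = struct.unpack(
        ">IIBBBBB", body
    )
    return {
        "width": width, "height": height, "bit_depth": bit_depth,
        "color_type": color_type, "compression": compression,
        "filter": filt, "interlace": interlace,
    }


def hits_affected_path(hdr: dict) -> bool:
    """True when the image has the three properties the advisory names:
    1-bit depth, Adam7 interlacing (interlace method 1) and a width that is
    not a multiple of 8, so the last byte of a row carries unused bits."""
    return hdr["bit_depth"] == 1 and hdr["interlace"] == 1 and hdr["width"] % 8 != 0


def triage_png(data: bytes) -> str:
    """Classify a PNG as 'pattern-match', 'no-match' or 'invalid: <reason>'."""
    try:
        hdr = parse_ihdr(data)
    except ValueError as exc:
        return f"invalid: {exc}"
    return "pattern-match" if hits_affected_path(hdr) else "no-match"


def libpng_version_tuple(version: str) -> tuple:
    """Turn '1.2.35' or '1.0.7beta17' into a comparable tuple of ints.
    Pre-release suffixes are dropped, so '1.2.37beta1' compares equal to
    the 1.2.37 release; treat such strings as affected if being conservative."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def libpng_is_affected(version: str) -> bool:
    """Upstream version check only. Distribution packages carry the fix as a
    patch under their own version numbers, so compare those against the
    vendor advisory, not against 1.2.37."""
    return libpng_version_tuple(version) < FIXED_VERSION


def make_png_prefix(width: int, height: int, bit_depth: int,
                    color_type: int, interlace: int) -> bytes:
    """Constructed test input: signature plus a valid IHDR chunk, no image data."""
    body = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, interlace)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


if __name__ == "__main__":
    # Constructed sample: 13 px wide, 1-bit greyscale, Adam7 interlaced.
    sample = make_png_prefix(13, 4, 1, 0, 1)
    print(parse_ihdr(sample))
    print(triage_png(sample))
    print(triage_png(make_png_prefix(16, 4, 1, 0, 1)))
    print(libpng_is_affected("1.2.35"), libpng_is_affected("1.2.37"))
```

A file that matches the pattern is not malicious in itself: the uninitialized bits appear in the decoder's output when such an image is processed by a vulnerable libpng, so the check is useful for deciding which inputs exercise the affected path and for confirming that a fix no longer leaks, not for blocking uploads. For packaged libpng on Debian, Ubuntu, Fedora and the other distributions referenced below, the package version in the corresponding advisory is the relevant threshold rather than the upstream 1.2.37.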
Impact
Base score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
CPE | From | To
---|---|---
cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:* | 1.2.35 (including) |
cpe:2.3:a:libpng:libpng:0.89c:*:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:0.95:*:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:1.0.0:*:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:1.0.1:*:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:1.0.2:*:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:1.0.7:beta17:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:1.0.7:beta18:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:1.0.7:rc1:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:1.0.7:rc2:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:1.0.8:*:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:1.0.8:beta1:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:1.0.8:beta2:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:1.0.8:beta3:*:*:*:*:*:* | |
cpe:2.3:a:libpng:libpng:1.0.8:beta4:*:*:*:*:*:* | |
For the complete list of CPE names with products and versions, see this page.
References to solutions, tools and information
- http://archives.neohapsis.com/archives/bugtraq/2010-04/0077.html
- http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0121.html
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://lists.vmware.com/pipermail/security-announce/2010/000090.html
- http://secunia.com/advisories/35346
- http://secunia.com/advisories/35470
- http://secunia.com/advisories/35524
- http://secunia.com/advisories/35594
- http://secunia.com/advisories/39206
- http://secunia.com/advisories/39215
- http://secunia.com/advisories/39251
- http://security.gentoo.org/glsa/glsa-200906-01.xml
- http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.551809
- http://support.apple.com/kb/HT4077
- http://ubuntu.com/usn/usn-913-1
- http://www.debian.org/security/2010/dsa-2032
- http://www.libpng.org/pub/png/libpng.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2010%3A063
- http://www.securityfocus.com/bid/35233
- http://www.vmware.com/security/advisories/VMSA-2010-0007.html
- http://www.vupen.com/english/advisories/2009/1510
- http://www.vupen.com/english/advisories/2010/0637
- http://www.vupen.com/english/advisories/2010/0682
- http://www.vupen.com/english/advisories/2010/0847
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50966
- https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00218.html
- https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00630.html