CVE-2010-0205

Advisory lineage Upstream: 0 Downstream: 2
Modified
Published: 03 Mar 2010, 19:00
Last modified:07 Aug 2024, 00:37

Vulnerability Summary

Overall Risk (default)
low
18/100
CVSS Score
4.3 MEDIUM
v2.0 (nvd)
EPSS Score
4.58% LOW
5% probability -5.20%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

03 Mar 2010, 19:00
Published
Vulnerability first disclosed
07 Aug 2024, 00:37
Last Modified
Vulnerability information updated

Description

The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack.

CVSS Metrics

  • v2.0MEDIUMScore: 4.3AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 4.58% Percentile: 89%

Techniques & Countermeasures

  • CWE-400Uncontrolled Resource Consumption

    The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

  • applemac_os_x

    < 10.6.5

  • canonicalubuntu_linux

    6.06 | 8.04 | 8.10 | 9.04 | 9.10

  • debiandebian_linux

    5.0 | 6.0

  • fedoraprojectfedora

    11 | 12 | 13

  • libpnglibpng

    ≥ 1.0.0, < 1.0.53 | ≥ 1.2.0, < 1.2.43 | ≥ 1.4.0, < 1.4.1

  • opensuseopensuse

    11.0 | 11.1 | 11.2

  • suselinux_enterprise_server

    9 | 10:sp3 | 11 | 11:sp1

References (35)