PT-2006-1082 · Libpng+1
Tavis Ormandy · Published 2006-11-17 · Updated 2024-06-15 · CVE-2006-5793
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
libpng versions 1.0.6 through 1.2.12
Description:
The issue is in the sPLT chunk handling code in libpng, specifically the png_set_sPLT function in pngset.c, which applies the sizeof operator to the wrong data type. This allows attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read. The vulnerability can be exploited remotely and may lead to disruption of protected information. Additionally, it may allow an attacker to execute arbitrary code using a specially crafted PNG file.
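The following is an added illustration of the bug class named in the description. It is not libpng's code and not part of this advisory. The types `entry_t` and `palette_t` and all function names are hypothetical, and the example assumes the wrongly chosen type is larger than the array's element type, which is what turns the size error into a read past the source buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a palette record and its entries (not libpng's types). */
typedef struct { uint16_t red, green, blue, alpha, frequency; } entry_t;
typedef struct {
    char    *name;
    uint8_t  depth;
    entry_t *entries;   /* array of nentries elements */
    int32_t  nentries;
} palette_t;

/* Flawed pattern: byte count taken from the container type, not the element. */
size_t copy_len_wrong(int32_t n) { return (size_t)n * sizeof(palette_t); }

/* Intended byte count: element count times the element size. */
size_t copy_len_right(int32_t n) { return (size_t)n * sizeof(entry_t); }

/* Bytes a memcpy using the flawed length would read past the source array. */
size_t overread_bytes(int32_t n) { return copy_len_wrong(n) - copy_len_right(n); }

/* Hardened copy: the size comes from the pointed-to object (sizeof *ptr), so it
 * cannot drift from the array's element type; the count is validated first.
 * Returns 0 on success, -1 on bad input or allocation failure. */
int palette_copy(palette_t *to, const palette_t *from)
{
    if (from->entries == NULL || from->nentries <= 0)
        return -1;
    size_t n = (size_t)from->nentries;
    if (n > SIZE_MAX / sizeof *to->entries)   /* multiplication would overflow */
        return -1;
    entry_t *copy = malloc(n * sizeof *copy);
    if (copy == NULL)
        return -1;
    memcpy(copy, from->entries, n * sizeof *copy);
    to->name = NULL;            /* name handling is out of scope here */
    to->depth = from->depth;
    to->entries = copy;
    to->nentries = from->nentries;
    return 0;
}

int main(void)
{
    printf("4 entries: right %zu, flawed %zu, over-read %zu bytes\n", copy_len_right(4), copy_len_wrong(4), overread_bytes(4));
    return 0;
}
```

Writing allocation and copy sizes as `n * sizeof *ptr` instead of naming a type keeps the length tied to the array actually being copied.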
Recommendations:
For libpng versions 1.0.6 through 1.2.12, update to version 1.2.13 or later to resolve the issue.
As a temporary workaround, consider restricting the use of libpng until a patch is available.
Avoid using libpng to process untrusted PNG files until the issue is resolved.
Fix · DoS · RCE
Affected Products
Red Hat
Libpng