PT-2011-1112 · Libpng+1

Huzaifa S. Sidhpurwala · Published 2011-07-17 · Updated 2024-09-06 · CVE-2011-2690

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

libpng versions 1.0.x through 1.0.54
libpng versions 1.2.x through 1.2.44
libpng versions 1.4.x through 1.4.7
libpng versions 1.5.x through 1.5.3
libpng versions prior to 1.5.10

Description

The issue is related to multiple vulnerabilities in the libpng package that can compromise the confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. A buffer overflow is present in libpng when it is used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allowing remote attackers to overwrite memory with an arbitrary amount of data via a crafted PNG image.

Recommendations

For libpng versions 1.0.x through 1.0.54, update to version 1.0.55 or later.
For libpng versions 1.2.x through 1.2.44, update to version 1.2.45 or later.
For libpng versions 1.4.x through 1.4.7, update to version 1.4.8 or later.
For libpng versions 1.5.x through 1.5.3, update to version 1.5.4 or later.
For libpng versions prior to 1.5.10, update to version 1.5.10 or later.

As a temporary workaround, consider restricting the use of libpng until a patch is available. In affected applications, avoid using the png_rgb_to_gray function without the png_set_expand function.

Fix

Out of bounds Read

Memory Leak

Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2015-06313
BDU:2015-06314
BDU:2015-06316
BDU:2015-06317
BDU:2015-09650
CVE-2011-2690
DSA-2287-1
OESA-2024-2091
OPENSUSE-SU-2024:10050-1
RHSA-2011:1104
RHSA-2011:1105
RHSA-2011_1104
RHSA-2011_1105

Affected Products

Red Hat
Libpng