CVE-2014-0333

Name of the Vulnerable Software and Affected Versions libpng versions 1.6.x through 1.6.9

Description The issue allows remote attackers to cause a denial of service, resulting in an infinite loop and excessive CPU consumption. This can be achieved through a specially crafted IDAT chunk with a length of zero. The png push read chunk function in pngpread.c is the vulnerable component.

Recommendations For libpng versions 1.6.x through 1.6.9, consider updating to a version prior to 1.6.10 to resolve the issue. As a temporary workaround, consider disabling the png push read chunk function until a patch is available. Restrict access to the progressive decoder in libpng to minimize the risk of exploitation. Avoid using IDAT chunks with a length of zero in the affected API endpoint until the issue is resolved.