CVE-2011-3048

Name of the Vulnerable Software and Affected Versions libpng versions 1.0.x through 1.0.58 libpng versions 1.2.x through 1.2.48 libpng versions 1.4.x through 1.4.10 libpng versions 1.5.x through 1.5.9

Description The issue is related to the png set text 2 function in pngset.c, which allows remote attackers to cause a denial of service or execute arbitrary code via a crafted text chunk in a PNG image file. This triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow. The vulnerability can be exploited remotely and may lead to a disruption of confidentiality, integrity, and availability of protected information.

Recommendations For libpng versions 1.0.x through 1.0.58, update to version 1.0.59 or later. For libpng versions 1.2.x through 1.2.48, update to version 1.2.49 or later. For libpng versions 1.4.x through 1.4.10, update to version 1.4.11 or later. For libpng versions 1.5.x through 1.5.9, update to version 1.5.10 or later. As a temporary workaround, consider disabling the png set text 2 function until a patch is available. Restrict access to PNG image files to minimize the risk of exploitation. Avoid using crafted text chunks in PNG image files until the issue is resolved.