製品・ソフトウェアに関する情報

JVN脆弱性詳細

libpng におけるサービス運用妨害 (DoS) 状態の脆弱性

Title	libpng におけるサービス運用妨害 (DoS) 状態の脆弱性
Summary	libpng には、PNG ファイルの処理に不備があることにより、サービス運用妨害 (DoS) 状態となる、またはその他の詳細不明な影響を受ける脆弱性が存在します。
Possible impacts	巧妙に細工された zTXt チャンクを含む PNG ファイルを処理することにより、サービス運用妨害 (DoS) 状態となる、またはその他の詳細不明な影響を受ける可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 11, 2008, midnight
Registration Date	July 6, 2009, 12:17 p.m.
Last Update	April 18, 2012, 5:52 p.m.

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:N/A:P

Affected System

サン・マイクロシステムズ

OpenSolaris (sparc)

OpenSolaris (x86)

Sun Solaris 10 (sparc)

Sun Solaris 10 (x86)

Sun Solaris 9 (sparc)

Sun Solaris 9 (x86)

PNG Development Group

libpng 1.2.32beta01 未満

libpng 1.4.0beta34 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2008-3964	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3964
National Vulnerability Database (NVD)
2	CVE-2008-3964	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3964

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-399	https://jvndb.jvn.jp/ja/cwe/CWE-399.html

ベンダー情報

No	Name	URL
libpng.org
1	Top Page	http://www.libpng.org/
SECURITY BLOG
2	Multiple Denial of Service vulnerabilities in libpng	https://blogs.oracle.com/sunsecurity/entry/multiple_denial_of_service_vulnerabilities6
Sun Alert Notification
3	259989	http://download.oracle.com/sunalerts/1020521.1.html

その他

No	Name	URL
Secunia Advisory
1	SA31781	http://secunia.com/advisories/31781
2	SA35302	http://secunia.com/advisories/35302
SecurityFocus
3	31049	http://www.securityfocus.com/bid/31049
US-CERT Vulnerability Note
4	VU#889484	http://www.kb.cert.org/vuls/id/889484
VUPEN Security
5	VUPEN/ADV-2008-2512	http://www.vupen.com/english/advisories/2008/2512
6	VUPEN/ADV-2009-1462	http://www.vupen.com/english/advisories/2009/1462

Change Log

No	Changed Details	Date of change
0	[2009年07月06日] 掲載 [2012年04月18日] ベンダ情報：オラクル (Multiple Denial of Service vulnerabilities in libpng) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2008-3964

Summary	Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4 before 1.4.0beta34, allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a PNG image with crafted zTXt chunks, related to (1) the png_push_read_zTXt function in pngread.c, and possibly related to (2) pngtest.c.
Summary	Múltiples desbordamientos de entero en libpng versiones anteriores a 1.2.32beta01, y 1.4 versiones anteriores a 1.4.0beta34, permiten a atacantes dependientes de contexto provocar una denegación de servicio (caída) o tener otros impactos desconocidos a través de una imagen PNG con fragmentos zTXt manipulados, relacionado con (1) la función png_push_read_zTXt en pngread.c, y posiblemente relacionado con (2) pngtest.c.
Publication Date	Sept. 11, 2008, 10:13 a.m.
Registration Date	Jan. 29, 2021, 1:41 p.m.
Last Update	April 23, 2026, 9:35 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:libpng:libpng::::::::				1.2.32
cpe:2.3:a:libpng:libpng:1.4.0:beta1::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta10::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta11::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta12::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta13::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta14::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta15::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta16::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta17::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta18::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta19::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta2::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta20::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta21::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta22::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta23::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta24::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta25::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta26::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta27::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta28::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta29::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta3::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta30::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta31::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta32::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta33::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta4::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta5::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta6::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta7::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta8::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta9::::::

Related information, measures and tools

No	URL	refsource
1	http://secunia.com/advisories/31781	cve@mitre.org
2	http://secunia.com/advisories/33137	cve@mitre.org
3	http://secunia.com/advisories/35302	cve@mitre.org
4	http://secunia.com/advisories/35386	cve@mitre.org
5	http://security.gentoo.org/glsa/glsa-200812-15.xml	cve@mitre.org
6	http://sourceforge.net/mailarchive/forum.php?thread_name=e56ccc8f0809180317u6a5306fg14683947affb3e1b%40mail.gmail.com&forum_name=png-mng-implement	cve@mitre.org
7	http://sourceforge.net/project/shownotes.php?group_id=5624&release_id=624517	cve@mitre.org
8	http://sourceforge.net/project/shownotes.php?release_id=624518	cve@mitre.org
9	http://sourceforge.net/tracker/index.php?func=detail&aid=2095669&group_id=5624&atid=105624	cve@mitre.org
10	http://sunsolve.sun.com/search/document.do?assetkey=1-66-259989-1	cve@mitre.org
11	http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020521.1-1	cve@mitre.org
12	http://support.avaya.com/elmodocs2/security/ASA-2009-208.htm	cve@mitre.org
13	http://www.kb.cert.org/vuls/id/889484	cve@mitre.org
14	http://www.mandriva.com/security/advisories?name=MDVSA-2009:051	cve@mitre.org
15	http://www.openwall.com/lists/oss-security/2008/09/09/3	cve@mitre.org
16	http://www.openwall.com/lists/oss-security/2008/09/09/8	cve@mitre.org
17	http://www.securityfocus.com/bid/31049	cve@mitre.org
18	http://www.vupen.com/english/advisories/2008/2512	cve@mitre.org
19	http://www.vupen.com/english/advisories/2009/1462	cve@mitre.org
20	http://www.vupen.com/english/advisories/2009/1560	cve@mitre.org
21	https://exchange.xforce.ibmcloud.com/vulnerabilities/44928	cve@mitre.org
22	http://secunia.com/advisories/31781	af854a3a-2127-422b-91ae-364da2661108
23	http://secunia.com/advisories/33137	af854a3a-2127-422b-91ae-364da2661108
24	http://secunia.com/advisories/35302	af854a3a-2127-422b-91ae-364da2661108
25	http://secunia.com/advisories/35386	af854a3a-2127-422b-91ae-364da2661108
26	http://security.gentoo.org/glsa/glsa-200812-15.xml	af854a3a-2127-422b-91ae-364da2661108
27	http://sourceforge.net/mailarchive/forum.php?thread_name=e56ccc8f0809180317u6a5306fg14683947affb3e1b%40mail.gmail.com&forum_name=png-mng-implement	af854a3a-2127-422b-91ae-364da2661108
28	http://sourceforge.net/project/shownotes.php?group_id=5624&release_id=624517	af854a3a-2127-422b-91ae-364da2661108
29	http://sourceforge.net/project/shownotes.php?release_id=624518	af854a3a-2127-422b-91ae-364da2661108
30	http://sourceforge.net/tracker/index.php?func=detail&aid=2095669&group_id=5624&atid=105624	af854a3a-2127-422b-91ae-364da2661108
31	http://sunsolve.sun.com/search/document.do?assetkey=1-66-259989-1	af854a3a-2127-422b-91ae-364da2661108
32	http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020521.1-1	af854a3a-2127-422b-91ae-364da2661108
33	http://support.avaya.com/elmodocs2/security/ASA-2009-208.htm	af854a3a-2127-422b-91ae-364da2661108
34	http://www.kb.cert.org/vuls/id/889484	af854a3a-2127-422b-91ae-364da2661108
35	http://www.mandriva.com/security/advisories?name=MDVSA-2009:051	af854a3a-2127-422b-91ae-364da2661108
36	http://www.openwall.com/lists/oss-security/2008/09/09/3	af854a3a-2127-422b-91ae-364da2661108
37	http://www.openwall.com/lists/oss-security/2008/09/09/8	af854a3a-2127-422b-91ae-364da2661108
38	http://www.securityfocus.com/bid/31049	af854a3a-2127-422b-91ae-364da2661108
39	http://www.vupen.com/english/advisories/2008/2512	af854a3a-2127-422b-91ae-364da2661108
40	http://www.vupen.com/english/advisories/2009/1462	af854a3a-2127-422b-91ae-364da2661108
41	http://www.vupen.com/english/advisories/2009/1560	af854a3a-2127-422b-91ae-364da2661108
42	https://exchange.xforce.ibmcloud.com/vulnerabilities/44928	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-193	境界条件の判定	https://cwe.mitre.org/data/definitions/193.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:libpng:libpng::::::::				1.2.32
cpe:2.3:a:libpng:libpng:1.4.0:beta1::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta10::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta11::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta12::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta13::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta14::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta15::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta16::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta17::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta18::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta19::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta2::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta20::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta21::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta22::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta23::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta24::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta25::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta26::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta27::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta28::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta29::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta3::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta30::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta31::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta32::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta33::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta4::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta5::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta6::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta7::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta8::::::
cpe:2.3:a:libpng:libpng:1.4.0:beta9::::::