CVE-2008-5907 — Vulnetix

Try Vulnetix Request Demo

CVE-2008-5907 PUBLISHED CVSS 5 MEDIUM

The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer. NOTE: some sources incorrectly report this as a double free vulnerability.

EPSS 0.79% · 73.7th percentile

Risk Scores

CVSS v2.0

5

EPSS Score

0.79%

73.7th percentile

Affected Products

Vendor	Product	Versions
debian	debian_linux	4.0, 5.0
n/a	n/a	n/a
libpng	libpng	0, 1.2.0

Timeline

Jan 15, 2009 CVE Published
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
May 19, 2022 EPSS Score
Jul 10, 2022 EPSS Score
Sep 1, 2022 EPSS Score
Oct 23, 2022 EPSS Score
Dec 14, 2022 EPSS Score
Feb 4, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score
May 19, 2023 EPSS Score

References

http://libpng.sourceforge.net/index.html url
GLSA-200903-28 vendor-advisory
libpng-pngcheckkeyword-memory-corruption(48128) vdb
SUSE-SR:2009:003 vendor-advisory
34388 third-party-advisory
DSA-1750 vendor-advisory
[oss-security] 20090109 libpng non issue mailing-list
MDVSA-2009:051 vendor-advisory
34320 third-party-advisory
[png-mng-implement] 20081126 Memory overwriting bug in png_check_keyword() mailing-list
https://nvd.nist.gov/vuln/detail/CVE-2008-5907 advisory

Open in Interactive Console →