CVE-2014-0333

Publication date 27 February 2014

Last updated 24 July 2024

The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libpng	13.10 saucy	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not affected

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

only 1.6.0+

jdstrand

libpng1.6 1.6.8-2 is affected, but not in the Ubuntu archive

References

MITRE
NVD
Launchpad
Debian

Other references

http://www.kb.cert.org/vuls/id/684412
https://sourceforge.net/projects/libpng/files/libpng16/patch-libpng16-vu684412.diff
https://www.cve.org/CVERecord?id=CVE-2014-0333