#VU37894 Integer overflow in OptiPNG and Debian Linux - CVE-2017-1000229


| Updated: 2020-08-08

Vulnerability identifier: #VU37894

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-1000229

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OptiPNG
Other software / Other software solutions
Debian Linux
Operating systems & Components / Operating system

Vendor: cosmin
Debian

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Integer overflow bug in function minitiff_read_info() of optipng 0.7.6 allows an attacker to remotely execute code or cause denial of service.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OptiPNG: 0.7.6

Debian Linux: 0.7.6 - 9.0

External links
https://lists.debian.org/debian-lts-announce/2017/11/msg00030.html
https://security.gentoo.org/glsa/201801-02
https://sourceforge.net/p/optipng/bugs/65/
https://www.debian.org/security/2017/dsa-4058

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for OptiPNG
Fedora 25 update for optipng
Fedora 26 update for optipng
Fedora 27 update for optipng
Fedora EPEL 6 update for optipng
Integer overflow in cosmin OptiPNG