CVE-2009-2042

Publication date 12 June 2009

Last updated 24 July 2024

libpng before 1.2.37 does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libpng	9.10 karmic	Not affected
	9.04 jaunty	Fixed 1.2.27-2ubuntu2.1
	8.10 intrepid	Fixed 1.2.27-1ubuntu0.2
	8.04 LTS hardy	Fixed 1.2.15~beta5-3ubuntu0.2
	6.06 LTS dapper	Fixed 1.2.8rel-5ubuntu0.5
mozilla-thunderbird	9.10 karmic	Not in release
	9.04 jaunty	Not in release
	8.10 intrepid	Not in release
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Ignored
seamonkey	9.10 karmic	Ignored
	9.04 jaunty	Ignored
	8.10 intrepid	Ignored
	8.04 LTS hardy	Ignored
	6.06 LTS dapper	Not in release
thunderbird	9.10 karmic	Ignored
	9.04 jaunty	Ignored
	8.10 intrepid	Ignored
	8.04 LTS hardy	Ignored
	6.06 LTS dapper	Not in release
xulrunner	9.10 karmic	Ignored
	9.04 jaunty	Ignored
	8.10 intrepid	Ignored
	8.04 LTS hardy	Ignored
	6.06 LTS dapper	Not in release
xulrunner-1.9	9.10 karmic	Not in release
	9.04 jaunty	Fixed 1.9.0.7+nobinonly-0ubuntu1
	8.10 intrepid	Fixed 1.9.0.7+nobinonly-0ubuntu0.8.10.1
	8.04 LTS hardy	Fixed 1.9.0.7+nobinonly-0ubuntu0.8.04.1
	6.06 LTS dapper	Not in release
xulrunner-1.9.1	9.10 karmic	Not affected
	9.04 jaunty	Fixed 1.9.1.3+build1+nobinonly-0ubuntu0.9.04.2
	8.10 intrepid	Not in release
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libpng	Vendor: https://bugzilla.redhat.com/attachment.cgi?id=347014&action=diff Vendor: https://bugzilla.redhat.com/attachment.cgi?id=347015&action=diff

CVE-2009-2042

Status

Patch details

References

Related Ubuntu Security Notices (USN)

Other references