NVD Vulnerability Detail

CVE-2020-28248

Summary	An integer overflow in the PngImg::InitStorage_() function of png-img before 3.1.0 leads to an under-allocation of heap memory and subsequently an exploitable heap-based buffer overflow when loading a crafted PNG file.
Publication Date	Feb. 20, 2021, 9:15 a.m.
Registration Date	Feb. 20, 2021, noon
Last Update	Nov. 21, 2024, 2:22 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:png-img_project:png-img::::::::					3.1.0

Related information, measures and tools

No	URL	タグ
1	https://github.com/gemini-testing/png-img	Product
2	https://github.com/gemini-testing/png-img	Product
3	https://github.com/gemini-testing/png-img/commit/14ac462a32ca4b3b78f56502ac976d5b0222ce3d	Patch Third Party Advisory
4	https://github.com/gemini-testing/png-img/commit/14ac462a32ca4b3b78f56502ac976d5b0222ce3d	Patch Third Party Advisory
5	https://github.com/gemini-testing/png-img/compare/v3.0.0...v3.1.0	Release Notes Third Party Advisory
6	https://github.com/gemini-testing/png-img/compare/v3.0.0...v3.1.0	Release Notes Third Party Advisory
7	https://securitylab.github.com/advisories/GHSL-2020-142-gemini-png-img	Exploit Third Party Advisory
8	https://securitylab.github.com/advisories/GHSL-2020-142-gemini-png-img	Exploit Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-787	境界外書き込み	https://cwe.mitre.org/data/definitions/787.html
2	CWE-190	整数オーバーフローまたはラップアラウンド	https://cwe.mitre.org/data/definitions/190.html

JVN Vulnerability Information

png-img における整数オーバーフローの脆弱性

Title	png-img における整数オーバーフローの脆弱性
Summary	png-img には、整数オーバーフローの脆弱性、および境界外書き込みの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 6, 2020, midnight
Registration Date	Nov. 9, 2021, 2:31 p.m.
Last Update	Nov. 9, 2021, 2:31 p.m.

Affected System

png-img

png-img 3.1.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-28248	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28248
National Vulnerability Database (NVD)
2	CVE-2020-28248	https://nvd.nist.gov/vuln/detail/CVE-2020-28248

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-190	https://cwe.mitre.org/data/definitions/190.html
2	CWE-787	https://cwe.mitre.org/data/definitions/787.html

ベンダー情報

No	Name	URL
GitHub
1	Comparing changes	https://github.com/gemini-testing/png-img/compare/v3.0.0...v3.1.0
2	Handle image size overflow	https://github.com/gemini-testing/png-img/commit/14ac462a32ca4b3b78f56502ac976d5b0222ce3d
3	Rashid Ksirov 3.3.1	https://github.com/gemini-testing/png-img

Change Log

No	Changed Details	Date of change
1	[2021年11月09日] 掲載	Nov. 9, 2021, 2:31 p.m.