CVE-2011-3045

Publication date 20 March 2012

Last updated 25 August 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

8.8 · High

Score breakdown

Description

Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.

Read the notes from the security team

Status

Package Ubuntu Release Status
chromium-browser 12.04 LTS precise
Not affected
11.10 oneiric
Not affected
11.04 natty
Not affected
10.10 maverick
Not affected
10.04 LTS lucid
Not affected
8.04 LTS hardy Not in release
firefox 12.04 LTS precise
Not affected
11.10 oneiric
Not affected
11.04 natty
Not affected
10.10 maverick Ignored end of life
10.04 LTS lucid
Not affected
8.04 LTS hardy Ignored end of life
libpng 12.04 LTS precise
Fixed 1.2.46-3ubuntu3
11.10 oneiric
Fixed 1.2.46-3ubuntu1.2
11.04 natty
Fixed 1.2.44-1ubuntu3.3
10.10 maverick
Fixed 1.2.44-1ubuntu0.3
10.04 LTS lucid
Fixed 1.2.42-1ubuntu2.4
8.04 LTS hardy
Fixed 1.2.15~beta5-3ubuntu0.6
thunderbird 12.04 LTS precise
Not affected
11.10 oneiric
Not affected
11.04 natty
Not affected
10.10 maverick Ignored end of life
10.04 LTS lucid
Not affected
8.04 LTS hardy Ignored end of life

Notes

jdstrand

firefox and thunderbird 16 are not affected

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
libpng

Severity score breakdown

CVSS version: CVSS v3.0

Base score 8.8 · High

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references

Access our resources on patching vulnerabilities