{"id":"CVE-2017-12652","details":"libpng before 1.6.32 does not properly check the length of chunks against the user limit.","modified":"2026-03-15T22:14:44.741256Z","published":"2019-07-10T15:15:10.993Z","related":["SUSE-SU-2019:3060-2","SUSE-SU-2020:0911-1","SUSE-SU-2023:3799-1","openSUSE-SU-2024:10971-1","openSUSE-SU-2024:10972-1"],"references":[{"type":"WEB","url":"https://support.f5.com/csp/article/K88124225?utm_source=f5support&utm_medium=RSS"},{"type":"WEB","url":"https://support.f5.com/csp/article/K88124225?utm_source=f5support&amp%3Butm_medium=RSS"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/109269"},{"type":"ADVISORY","url":"https://github.com/glennrp/libpng/blob/df7e9dae0c4aac63d55361e35709c864fa1b8363/ANNOUNCE"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220506-0003/"},{"type":"ADVISORY","url":"https://support.f5.com/csp/article/K88124225"},{"type":"FIX","url":"https://github.com/pnggroup/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/glennrp/libpng","events":[{"introduced":"0"},{"fixed":"df7e9dae0c4aac63d55361e35709c864fa1b8363"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.6.32"}]}},{"type":"GIT","repo":"https://github.com/pnggroup/libpng","events":[{"introduced":"0"},{"fixed":"347538efbdc21b8df684ebd92d37400b3ce85d55"}]}],"versions":["libpng-1.6.10-signed","libpng-1.6.11-signed","libpng-1.6.12-signed","libpng-1.6.13-signed","libpng-1.6.14-signed","libpng-1.6.15-signed","libpng-1.6.16-signed","libpng-1.6.17-signed","libpng-1.6.18-signed","libpng-1.6.2-signed","libpng-1.6.20-signed","libpng-1.6.21-signed","libpng-1.6.23-signed","libpng-1.6.24-signed","libpng-1.6.25-signed","libpng-1.6.26-signed","libpng-1.6.29-signed","libpng-1.6.3-signed","libpng-1.6.30-master-signed","libpng-1.6.30-signed","libpng-1.6.31-master-signed","libpng-1.6.31-signed","libpng-1.6.4-signed","libpng-1.6.7-signed","libpng-1.6.8-signed","libpng-1.6.9-signed","v0.71","v0.81","v0.82","v0.85","v0.86","v0.87","v0.88","v0.89","v0.89c","v0.90","v0.96","v0.97","v0.97a","v0.97c","v0.98","v0.99","v0.99a","v0.99c","v0.99d","v0.99e","v0.99i","v0.99j","v0.99k","v0.99m","v0.99n","v0.99p","v1.0.0","v1.0.0a","v1.0.0b","v1.0.1","v1.0.10","v1.0.10beta1","v1.0.10rc1","v1.0.11","v1.0.11beta1","v1.0.11beta2","v1.0.11beta3","v1.0.11rc1","v1.0.12beta1","v1.0.1a","v1.0.1b","v1.0.1c","v1.0.1d","v1.0.1e","v1.0.2","v1.0.2a","v1.0.2b","v1.0.3","v1.0.4","v1.0.4-pre1","v1.0.4-pre2","v1.0.4-pre3","v1.0.4c","v1.0.4d","v1.0.4d2","v1.0.4e","v1.0.4f","v1.0.5","v1.0.5-pre1","v1.0.5a","v1.0.5c","v1.0.5d","v1.0.5h","v1.0.5q","v1.0.5s","v1.0.6","v1.0.6a","v1.0.6d","v1.0.6e","v1.0.6f","v1.0.6g","v1.0.6h","v1.0.6i","v1.0.6j","v1.0.7","v1.0.7beta11","v1.0.7beta12","v1.0.7beta13","v1.0.7beta14","v1.0.7beta15","v1.0.7beta16","v1.0.7beta17","v1.0.7beta18","v1.0.7rc1","v1.0.7rc2","v1.0.8","v1.0.8beta1","v1.0.8beta2","v1.0.8beta3","v1.0.8beta4","v1.0.8rc1","v1.0.9","v1.0.9beta1","v1.0.9beta10","v1.0.9beta2","v1.0.9beta3","v1.0.9beta4","v1.0.9beta5","v1.0.9beta6","v1.0.9beta7","v1.0.9beta8","v1.0.9beta9","v1.0.9rc1","v1.0.9rc2","v1.00","v1.2.0","v1.2.0beta1","v1.2.0beta2","v1.2.0beta3","v1.2.0beta4","v1.2.0beta5","v1.2.0rc1","v1.2.1","v1.2.10beta1","v1.2.10beta2","v1.2.10beta3","v1.2.10beta4","v1.2.10beta5","v1.2.10beta6","v1.2.10beta7","v1.2.10rc1","v1.2.1beta1","v1.2.1beta2","v1.2.1beta3","v1.2.1beta4","v1.2.1rc1","v1.2.1rc2","v1.2.2","v1.2.2beta1","v1.2.2beta2","v1.2.2beta3","v1.2.2beta4","v1.2.2beta5","v1.2.2beta6","v1.2.2rc1","v1.2.3","v1.2.3rc1","v1.2.3rc2","v1.2.3rc3","v1.2.3rc4","v1.2.3rc5","v1.2.3rc6","v1.2.4","v1.2.4beta1","v1.2.4beta2","v1.2.4beta3","v1.2.4rc1","v1.2.5","v1.2.5beta1","v1.2.5beta2","v1.2.5rc1","v1.2.5rc2","v1.2.5rc3","v1.2.6","v1.2.6beta1","v1.2.6beta2","v1.2.6beta3","v1.2.6beta4","v1.2.6rc1","v1.2.6rc2","v1.2.6rc3","v1.2.6rc4","v1.2.6rc5","v1.2.7","v1.2.7beta1","v1.2.7beta2","v1.2.7rc1","v1.2.8","v1.2.8beta1","v1.2.8beta2","v1.2.8beta3","v1.2.8beta4","v1.2.8beta5","v1.2.8rc1","v1.2.8rc2","v1.2.8rc3","v1.2.8rc4","v1.2.8rc5","v1.2.9","v1.2.9beta1","v1.2.9beta10","v1.2.9beta11","v1.2.9beta2","v1.2.9beta3","v1.2.9beta4","v1.2.9beta5","v1.2.9beta6","v1.2.9beta7","v1.2.9beta8","v1.2.9beta9","v1.2.9rc1","v1.4.0beta1","v1.4.0beta10","v1.4.0beta100","v1.4.0beta101","v1.4.0beta102","v1.4.0beta104","v1.4.0beta105","v1.4.0beta106","v1.4.0beta107","v1.4.0beta108","v1.4.0beta109","v1.4.0beta11","v1.4.0beta12","v1.4.0beta13","v1.4.0beta14","v1.4.0beta15","v1.4.0beta16","v1.4.0beta17","v1.4.0beta18","v1.4.0beta19","v1.4.0beta2","v1.4.0beta20","v1.4.0beta21","v1.4.0beta22","v1.4.0beta23","v1.4.0beta24","v1.4.0beta25","v1.4.0beta26","v1.4.0beta27","v1.4.0beta28","v1.4.0beta29","v1.4.0beta3","v1.4.0beta30","v1.4.0beta31","v1.4.0beta32","v1.4.0beta33","v1.4.0beta34","v1.4.0beta35","v1.4.0beta36","v1.4.0beta37","v1.4.0beta38","v1.4.0beta39","v1.4.0beta4","v1.4.0beta40","v1.4.0beta41","v1.4.0beta42","v1.4.0beta43","v1.4.0beta44","v1.4.0beta45","v1.4.0beta46","v1.4.0beta47","v1.4.0beta48","v1.4.0beta49","v1.4.0beta5","v1.4.0beta50","v1.4.0beta51","v1.4.0beta52","v1.4.0beta53","v1.4.0beta54","v1.4.0beta55","v1.4.0beta56","v1.4.0beta57","v1.4.0beta58","v1.4.0beta6","v1.4.0beta60","v1.4.0beta61","v1.4.0beta62","v1.4.0beta63","v1.4.0beta64","v1.4.0beta65","v1.4.0beta66","v1.4.0beta67","v1.4.0beta68","v1.4.0beta69","v1.4.0beta7","v1.4.0beta70","v1.4.0beta71","v1.4.0beta73","v1.4.0beta75","v1.4.0beta76","v1.4.0beta77","v1.4.0beta78","v1.4.0beta79","v1.4.0beta8","v1.4.0beta80","v1.4.0beta81","v1.4.0beta82","v1.4.0beta83","v1.4.0beta84","v1.4.0beta85","v1.4.0beta86","v1.4.0beta87","v1.4.0beta89","v1.4.0beta9","v1.4.0beta90","v1.4.0beta91","v1.4.0beta92","v1.4.0beta93","v1.4.0beta94","v1.4.0beta95","v1.4.0beta96","v1.4.0beta98","v1.4.0beta99","v1.4.0rc03","v1.4.0rc04","v1.4.0rc05","v1.4.0rc06","v1.4.0rc07","v1.4.0rc08","v1.5.0","v1.5.0beta01","v1.5.0beta02","v1.5.0beta03","v1.5.0beta04","v1.5.0beta05","v1.5.0beta06","v1.5.0beta07","v1.5.0beta08","v1.5.0beta09","v1.5.0beta11","v1.5.0beta12","v1.5.0beta13","v1.5.0beta14","v1.5.0beta15","v1.5.0beta16","v1.5.0beta17","v1.5.0beta18","v1.5.0beta19","v1.5.0beta20","v1.5.0beta21","v1.5.0beta22","v1.5.0beta23","v1.5.0beta24","v1.5.0beta25","v1.5.0beta26","v1.5.0beta27","v1.5.0beta28","v1.5.0beta29","v1.5.0beta30","v1.5.0beta31","v1.5.0beta32","v1.5.0beta33","v1.5.0beta34","v1.5.0beta35","v1.5.0beta36","v1.5.0beta37","v1.5.0beta38","v1.5.0beta39","v1.5.0beta40","v1.5.0beta41","v1.5.0beta42","v1.5.0beta43","v1.5.0beta44","v1.5.0beta45","v1.5.0beta46","v1.5.0beta47","v1.5.0beta48","v1.5.0beta49","v1.5.0beta50","v1.5.0beta51","v1.5.0beta52","v1.5.0beta53","v1.5.0beta54","v1.5.0beta55","v1.5.0beta56","v1.5.0beta57","v1.5.0beta58","v1.5.0rc01","v1.5.0rc02","v1.5.0rc03","v1.5.0rc05","v1.5.0rc06","v1.5.1","v1.5.1beta01","v1.5.1beta02","v1.5.1beta03","v1.5.1beta04","v1.5.1beta05","v1.5.1beta06","v1.5.1beta07","v1.5.1beta08","v1.5.1beta09","v1.5.1beta10","v1.5.1beta11","v1.5.1rc01","v1.5.1rc02","v1.5.2","v1.5.2beta01","v1.5.2beta02","v1.5.2beta03","v1.5.2rc01","v1.5.2rc02","v1.5.2rc03","v1.5.3beta01","v1.5.3beta02","v1.5.3beta03","v1.5.3beta05","v1.5.3beta06","v1.5.3beta07","v1.5.3beta08","v1.5.3beta09","v1.5.3beta10","v1.5.3beta11","v1.5.3rc01","v1.5.3rc02","v1.5.4","v1.5.4beta01","v1.5.4beta02","v1.5.4beta03","v1.5.4beta04","v1.5.4beta05","v1.5.4beta06","v1.5.4beta07","v1.5.4beta08","v1.5.4rc01","v1.5.5","v1.5.5beta01","v1.5.5beta02","v1.5.5beta03","v1.5.5beta04","v1.5.5beta05","v1.5.5beta06","v1.5.5beta07","v1.5.5beta08","v1.5.5rc01","v1.5.6","v1.5.6beta01","v1.5.6beta02","v1.5.6beta03","v1.5.6beta04","v1.5.6beta05","v1.5.6beta06","v1.5.6beta07","v1.5.6rc01","v1.5.6rc02","v1.5.6rc03","v1.5.7beta01","v1.5.7beta02","v1.5.7beta03","v1.5.7beta04","v1.6.0","v1.6.0beta01","v1.6.0beta02","v1.6.0beta03","v1.6.0beta04","v1.6.0beta05","v1.6.0beta06","v1.6.0beta07","v1.6.0beta08","v1.6.0beta09","v1.6.0beta10","v1.6.0beta11","v1.6.0beta12","v1.6.0beta13","v1.6.0beta14","v1.6.0beta15","v1.6.0beta16","v1.6.0beta17","v1.6.0beta18","v1.6.0beta19","v1.6.0beta21","v1.6.0beta22","v1.6.0beta23","v1.6.0beta24","v1.6.0beta25","v1.6.0beta26","v1.6.0beta27","v1.6.0beta28","v1.6.0beta29","v1.6.0beta30","v1.6.0beta31","v1.6.0beta32","v1.6.0beta33","v1.6.0beta34","v1.6.0beta35","v1.6.0beta36","v1.6.0beta37","v1.6.0beta38","v1.6.0beta39","v1.6.0beta40","v1.6.0rc01","v1.6.0rc02","v1.6.0rc03","v1.6.0rc04","v1.6.0rc05","v1.6.0rc06","v1.6.0rc07","v1.6.0rc08","v1.6.1","v1.6.10","v1.6.10beta01","v1.6.10beta02","v1.6.10rc01","v1.6.10rc02","v1.6.10rc03","v1.6.11","v1.6.11beta01","v1.6.11beta02","v1.6.11beta03","v1.6.11beta04","v1.6.11beta05","v1.6.11beta06","v1.6.11rc01","v1.6.11rc02","v1.6.12","v1.6.12rc01","v1.6.12rc02","v1.6.12rc03","v1.6.13","v1.6.13beta01","v1.6.13beta02","v1.6.13beta03","v1.6.13beta04","v1.6.13rc01","v1.6.14","v1.6.14beta01","v1.6.14beta02","v1.6.14beta03","v1.6.14beta04","v1.6.14beta05","v1.6.14beta06","v1.6.14beta07","v1.6.14rc01","v1.6.14rc02","v1.6.15","v1.6.15beta01","v1.6.15beta02","v1.6.15beta03","v1.6.15beta04","v1.6.15beta05","v1.6.15beta06","v1.6.15beta07","v1.6.15beta08","v1.6.15rc01","v1.6.15rc02","v1.6.15rc03","v1.6.16","v1.6.16beta01","v1.6.16beta02","v1.6.16beta03","v1.6.16rc01","v1.6.16rc02","v1.6.16rc03","v1.6.17","v1.6.17beta01","v1.6.17beta02","v1.6.17beta03","v1.6.17beta04","v1.6.17beta05","v1.6.17rc01","v1.6.17rc02","v1.6.17rc03","v1.6.17rc04","v1.6.17rc05","v1.6.17rc06","v1.6.18","v1.6.18beta01","v1.6.18beta02","v1.6.18beta03","v1.6.18beta04","v1.6.18beta05","v1.6.18beta06","v1.6.18beta07","v1.6.18beta08","v1.6.18beta09","v1.6.18rc01","v1.6.18rc02","v1.6.18rc03","v1.6.19","v1.6.19beta01","v1.6.19beta02","v1.6.19beta03","v1.6.19beta04","v1.6.19rc01","v1.6.19rc02","v1.6.19rc03","v1.6.19rc04","v1.6.1beta01","v1.6.1beta02","v1.6.1beta03","v1.6.1beta04","v1.6.1beta05","v1.6.1beta06","v1.6.1beta07","v1.6.1beta08","v1.6.1beta09","v1.6.1rc01","v1.6.2","v1.6.20beta01","v1.6.20beta02","v1.6.20beta03","v1.6.20rc01","v1.6.20rc02","v1.6.21","v1.6.21beta01","v1.6.21beta02","v1.6.21beta03","v1.6.21rc01","v1.6.21rc02","v1.6.22","v1.6.22beta01","v1.6.22beta02","v1.6.22beta03","v1.6.22beta04","v1.6.22beta05","v1.6.22beta06","v1.6.22rc01","v1.6.22rc02","v1.6.22rc03","v1.6.23","v1.6.23beta01","v1.6.23rc01","v1.6.23rc02","v1.6.24","v1.6.24beta01","v1.6.24beta02","v1.6.24beta03","v1.6.24beta04","v1.6.24beta05","v1.6.24beta06","v1.6.24rc01","v1.6.24rc02","v1.6.24rc03","v1.6.25","v1.6.25beta02","v1.6.25rc03","v1.6.25rc04","v1.6.26","v1.6.26beta01","v1.6.26beta02","v1.6.26beta03","v1.6.26beta04","v1.6.26beta05","v1.6.26beta06","v1.6.26rc01","v1.6.27","v1.6.27beta01","v1.6.27rc01","v1.6.28","v1.6.28rc01","v1.6.28rc02","v1.6.28rc03","v1.6.29","v1.6.29beta01","v1.6.29beta02","v1.6.29beta03","v1.6.29rc01","v1.6.2beta01","v1.6.2beta02","v1.6.2rc01","v1.6.2rc02","v1.6.2rc03","v1.6.2rc04","v1.6.2rc05","v1.6.2rc06","v1.6.3","v1.6.30","v1.6.30beta01","v1.6.30beta02","v1.6.30beta03","v1.6.30beta04","v1.6.30rc01","v1.6.31","v1.6.31beta01","v1.6.31beta02","v1.6.31beta03","v1.6.31beta04","v1.6.31beta05","v1.6.31beta06","v1.6.31beta07","v1.6.31rc01","v1.6.31rc02","v1.6.32beta01","v1.6.32beta02","v1.6.32beta03","v1.6.32beta05","v1.6.32beta06","v1.6.32beta07","v1.6.32beta08","v1.6.32beta09","v1.6.32beta10","v1.6.32beta11","v1.6.32rc01","v1.6.32rc02","v1.6.3beta01","v1.6.3beta02","v1.6.3beta03","v1.6.3beta04","v1.6.3beta05","v1.6.3beta06","v1.6.3beta07","v1.6.3beta08","v1.6.3beta09","v1.6.3beta10","v1.6.3rc01","v1.6.4","v1.6.4beta02","v1.6.4rc01","v1.6.5","v1.6.6","v1.6.7","v1.6.7beta01","v1.6.7beta02","v1.6.7beta03","v1.6.7beta04","v1.6.7rc01","v1.6.7rc02","v1.6.8","v1.6.8beta01","v1.6.8beta02","v1.6.8rc02","v1.6.9","v1.6.9beta01","v1.6.9beta02","v1.6.9beta03","v1.6.9rc01","v1.6.9rc02"],"database_specific":{"vanir_signatures":[{"digest":{"length":595,"function_hash":"220617196658382277969629707551327307163"},"deprecated":false,"signature_type":"Function","target":{"function":"png_read_chunk_header","file":"pngrutil.c"},"source":"https://github.com/pnggroup/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55","id":"CVE-2017-12652-2063d2b3","signature_version":"v1"},{"digest":{"length":701,"function_hash":"321243645164949362734223223326571417411"},"deprecated":false,"signature_type":"Function","target":{"function":"png_get_copyright","file":"png.c"},"source":"https://github.com/glennrp/libpng/commit/df7e9dae0c4aac63d55361e35709c864fa1b8363","id":"CVE-2017-12652-2e72d456","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["70841776614568275697156037000077820510","311830874481362638713482939715761376903","152655163359775584842543908644023560646"]},"deprecated":false,"signature_type":"Line","target":{"file":"pngrutil.c"},"source":"https://github.com/pnggroup/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55","id":"CVE-2017-12652-3273aec1","signature_version":"v1"},{"digest":{"length":4418,"function_hash":"66915345587845022605725109661872264623"},"deprecated":false,"signature_type":"Function","target":{"function":"png_push_read_chunk","file":"pngpread.c"},"source":"https://github.com/pnggroup/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55","id":"CVE-2017-12652-3e72406e","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["156096222207606892409097036230274271614"]},"deprecated":false,"signature_type":"Line","target":{"file":"scripts/def.c"},"source":"https://github.com/glennrp/libpng/commit/df7e9dae0c4aac63d55361e35709c864fa1b8363","id":"CVE-2017-12652-6f2c80eb","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["103641275533327891742404614660718038032","271143897051010054212464945345969092213"]},"deprecated":false,"signature_type":"Line","target":{"file":"pngtest.c"},"source":"https://github.com/glennrp/libpng/commit/df7e9dae0c4aac63d55361e35709c864fa1b8363","id":"CVE-2017-12652-ae859b89","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["166375070723291529406421301066248769034","275647010778297936193963675511576832388","256826767335212246520616614652191899280","279336807821086835335477021495116274772","232553263840887526940445566239193742547","321322115793091064233440181206811421137","323552466813114586079008333209838520779","300030530416012691729079676676498442978"]},"deprecated":false,"signature_type":"Line","target":{"file":"png.h"},"source":"https://github.com/glennrp/libpng/commit/df7e9dae0c4aac63d55361e35709c864fa1b8363","id":"CVE-2017-12652-c5388709","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["291172681311936543452919953550618310022","250674858440680139373891068715663130286","221801185142243840488717981785402640645","239949336393341476172637021320931282744","99450591993684622810251403669010929588","294119101941747485427512800103613317330","224584778708134352092963753103576720243","49707240273346183902828160227258670924","136955984917707785624811019298884841478","266414924338399166079106214687877099441","154003624319932963894097861280013836461","273359500251677714011861558135970490822","312337992988782757618391295584407989224"]},"deprecated":false,"signature_type":"Line","target":{"file":"png.c"},"source":"https://github.com/glennrp/libpng/commit/df7e9dae0c4aac63d55361e35709c864fa1b8363","id":"CVE-2017-12652-f73b433b","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12652.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}