My game is subject to being suspended from the Facebook APIs due to a security vulnerability for using an outdated version of libpng.
This game has been out for years and depends heavily on Facebook social features, so I cannot just skip Facebook.
So it seems libpng 1.256 is used at lib/x86/libcorona.so,
and it should be updated to version 1.6.20.
Details:
Risk: High , Priority: P0
The application is using an outdated component with publicly known vulnerabilities. Exploitation of this issue varies
from easily accessible off the shelf exploit to requiring custom exploit.
Dependency libpng: libpng is the official Portable Network Graphics (PNG) reference library (originally called pnglib). It is a platform-independent library that contains C functions for handling PNG images. It supports almost all of PNG's features, is extensible, and has been widely used and tested for over 23 years. libpng is dependent on zlib for data compression and decompression routines. libpng is released under the libpng license, a permissive free software licence, and is free software. It is frequently used in both free and proprietary software, either directly or through the use of a higher level image library. As of 2017 the latest versions in the 1.6.x and 1.5.x branches were considered as release versions, while 1.4.x, 1.2.x, and 1.0.x were considered as legacy versions getting only security fixes. All vulnerability warnings and crash bugs are published on the main page.
Dependency libpng version 1.2.56 was detected at lib/x86/libcorona.so and suffers from the following vulnerabilities:
- CVE-2013-7354: Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.
- CVE-2014-9495: Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.
- CVE-2015-0973: Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.
- CVE-2016-3751: Unspecified vulnerability in libpng before 1.6.20, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23265085.
- CVE-2017-12652: libpng before 1.6.32 does not properly check the length of chunks against the user limit.
- CVE-2016-10087: The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference via vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.
- CVE-2013-6954: The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c.
- CVE-2013-7353: Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.
- CVE-2011-3045: Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.
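Scanners like the one behind this report find the bundled libpng by the version string libpng compiles into every build. The script below is an added example (not from the original post or from Corona) that performs the same check on a shared object: it extracts every embedded libpng version and flags any older than the 1.6.20 the report asks for. The file path is assumed to be passed on the command line; the byte sample is constructed to stand in for what such a scan pulls out of lib/x86/libcorona.so.

```python
import re
import sys

# Minimum libpng version the report demands (taken from the post: 1.6.20).
MINIMUM_VERSION = (1, 6, 20)

# libpng embeds a header string such as "libpng version 1.2.56 - <date>" in
# every build; that string is what dependency scanners key on.
_VERSION_RE = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")


def find_libpng_versions(blob: bytes) -> list:
    """Return each distinct libpng version tuple embedded in a binary blob."""
    found = []
    for match in _VERSION_RE.finditer(blob):
        version = tuple(int(part) for part in match.groups())
        if version not in found:
            found.append(version)
    return found


def is_outdated(version: tuple, minimum: tuple = MINIMUM_VERSION) -> bool:
    """True when an embedded version is older than the required minimum."""
    return version < minimum  # tuple comparison is lexicographic: (1,2,56) < (1,6,20)


def scan_blob(blob: bytes, minimum: tuple = MINIMUM_VERSION) -> dict:
    """Map each embedded version string to whether it must be updated."""
    return {".".join(map(str, v)): is_outdated(v, minimum)
            for v in find_libpng_versions(blob)}


# Constructed sample: a fake ELF prefix plus two libpng strings (hypothetical
# content, not bytes taken from the real libcorona.so).
SAMPLE_BLOB = (
    b"\x7fELF\x00\x00padding\x00"
    b" libpng version 1.2.56 - December 17, 2015\n\x00"
    b"other strings\x00libpng version 1.6.37\x00"
)

if __name__ == "__main__":
    # Usage: python scan_libpng.py lib/x86/libcorona.so (no argument scans the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for version, outdated in scan_blob(data).items():
        print("libpng %s: %s" % (version, "OUTDATED" if outdated else "ok"))
```

A clean result for this report is a scan that finds no version below 1.6.20; after rebuilding with a patched Corona runtime, re-run the scan on the new .so before resubmitting to Facebook.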