Bug 1281756 (CVE-2015-8126, CVE-2015-8472)
Summary: | CVE-2015-8126 CVE-2015-8472 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | carnil, drizt72, erik-fedora, fedora-mingw, ktietz, paul, phracek, rdieter, rjones, sardella, scorneli, slawomir |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-08 02:45:12 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1281757, 1281758, 1281759, 1281760, 1282039, 1282901, 1282902, 1283572, 1283573, 1283574, 1283575, 1283576, 1283577 | | |
Bug Blocks: | 1281763, 1295699 | | |

Doc Text:

It was discovered that the png_get_PLTE() and png_set_PLTE() functions of libpng did not correctly calculate the maximum palette sizes for bit depths of less than 8. In case an application tried to use these functions in combination with properly calculated palette sizes, this could lead to a buffer overflow or out-of-bounds reads. An attacker could exploit this to cause a crash or potentially execute arbitrary code by tricking an unsuspecting user into processing a specially crafted PNG image. However, the exact impact is dependent on the application using the library.
Description
Adam Mariš
2015-11-13 11:54:40 UTC
Created libpng tracking bugs for this issue:
Affects: fedora-all [bug 1281757]

Created libpng10 tracking bugs for this issue:
Affects: epel-6 [bug 1281759]

Created mingw-libpng tracking bugs for this issue:
Affects: fedora-all [bug 1281758]
Affects: epel-7 [bug 1281760]

(In reply to Adam Mariš from comment #2)
> Created libpng10 tracking bugs for this issue:
>
> Affects: epel-6 [bug 1281759]

It affects fedora-all too. I'll edit the existing updates for 1.0.64 when a suitable tracking bug is generated.

Besides libpng, all those compat packages need to be updated, too: libpng10, libpng12, libpng15. Please do so ASAP.

This needs another patch: https://github.com/glennrp/libpng/commit/9f2ad4928e47036cf1ac9b8fe45a491f15be2324.patch
Or there will be CRC issues. I'll also add this to the list of patches in comment #0.

Created libpng12 tracking bugs for this issue:
Affects: fedora-all [bug 1282901]

Created libpng15 tracking bugs for this issue:
Affects: fedora-all [bug 1282902]

libpng-1.6.17-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

libpng10-1.0.64-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

libpng10-1.0.64-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

libpng10-1.0.64-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Our CVSSv2 score may be different from what other sources suggest. That's because we don't think that other CVSSv2 scores give an appropriate approximation of the real-life impact of this issue.

In order to be vulnerable, an application needs to calculate the exact minimum buffer space for the palette according to the image's bit depth and then has to interact with libpng in a way that would copy the palette into the buffer the application has reserved. This is an extra-effort step most applications do not take, for simplicity reasons. Instead, for example, a lot of applications use the maximum size the palette can possibly have, regardless of the image's bit depth. In such a case, the application would not be vulnerable, even when using a vulnerable libpng version.

mingw-libpng-1.6.19-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

mingw-libpng-1.6.19-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

mingw-libpng-1.6.19-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

libpng10-1.0.64-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

CVE-2015-8472 was assigned after it was discovered that the initial patch was incomplete. libpng and libpng12 as shipped in RHEL 6 and 7 are not affected by this CVE, since we've already applied the complete patch to fix the original issue.
http://seclists.org/oss-sec/2015/q4/439

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2015:2594 https://rhn.redhat.com/errata/RHSA-2015-2594.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:2596 https://rhn.redhat.com/errata/RHSA-2015-2596.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:2595 https://rhn.redhat.com/errata/RHSA-2015-2595.html

libpng10-1.0.65-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

libpng10-1.0.65-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

libpng12-1.2.56-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

libpng12-1.2.56-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

libpng10-1.0.66-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

libpng15-1.5.25-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

libpng15-1.5.25-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

libpng-1.6.17-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

OpenJDK 8 upstream commits:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/817a472b15bd
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/23a6e0931277

Note that the first commit actually downgraded bundled libpng from 1.6.16 to 1.5.4, and only the second one upgraded it again to 1.6.20, which includes fixes for CVE-2015-8126 and CVE-2015-8472.

This issue has been addressed in the following products:
Oracle Java for Red Hat Enterprise Linux 6
Oracle Java for Red Hat Enterprise Linux 5
Oracle Java for Red Hat Enterprise Linux 7
Via RHSA-2016:0057 https://rhn.redhat.com/errata/RHSA-2016-0057.html

This issue has been addressed in the following products:
Oracle Java for Red Hat Enterprise Linux 6
Oracle Java for Red Hat Enterprise Linux 5
Oracle Java for Red Hat Enterprise Linux 7
Via RHSA-2016:0056 https://rhn.redhat.com/errata/RHSA-2016-0056.html

This issue has been addressed in the following products:
Oracle Java for Red Hat Enterprise Linux 6
Oracle Java for Red Hat Enterprise Linux 7
Via RHSA-2016:0055 https://rhn.redhat.com/errata/RHSA-2016-0055.html

This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Via RHSA-2016:0101 https://rhn.redhat.com/errata/RHSA-2016-0101.html

This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Via RHSA-2016:0100 https://rhn.redhat.com/errata/RHSA-2016-0100.html

This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 7
Via RHSA-2016:0098 https://rhn.redhat.com/errata/RHSA-2016-0098.html

This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 7
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2016:0099 https://rhn.redhat.com/errata/RHSA-2016-0099.html

This issue has been addressed in the following products:
Red Hat Satellite 5.6
Red Hat Satellite 5.7
Via RHSA-2016:1430 https://access.redhat.com/errata/RHSA-2016:1430
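Added example, not taken from this bug, from libpng or from any Red Hat package: a self-contained C model of the palette-size logic the Doc Text and the CVSS comment describe. It shows the two application patterns the comment contrasts (a buffer sized to exactly 2^bit_depth entries versus one sized to the 256-entry maximum) and the kind of bit-depth check that makes the exact-size pattern safe. The `rgb_entry` type, the `COLOR_TYPE_PALETTE` constant and the function names are assumptions chosen for this illustration; they stand in for libpng's own types and are not its API, and the check is modelled on the shape of the upstream fix rather than copied from it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for libpng's palette entry type; this file does not
 * link against libpng at all. */
typedef struct { uint8_t red, green, blue; } rgb_entry;

#define MAX_PALETTE_ENTRIES 256   /* the PNG format caps PLTE at 256 entries */
#define COLOR_TYPE_PALETTE  3     /* IHDR colour type of an indexed image */

/* Largest entry count an image with this IHDR may legitimately carry:
 * 2^bit_depth for indexed images (valid depths 1, 2, 4, 8), 256 for any
 * other colour type (which may carry a suggested palette).  Returns 0 when
 * the IHDR combination itself is invalid. */
int max_palette_entries(int color_type, int bit_depth)
{
    if (color_type == COLOR_TYPE_PALETTE) {
        if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && bit_depth != 8)
            return 0;
        return 1 << bit_depth;
    }
    return MAX_PALETTE_ENTRIES;
}

/* Check a raw PLTE chunk body against the format rules and the IHDR.
 * Returns the entry count, or -1 to reject the chunk.  Modelled on the
 * bit-depth check the upstream fix adds before a palette is accepted
 * (assumption: an illustration, not libpng's source). */
int validate_plte(size_t chunk_len, int color_type, int bit_depth)
{
    int limit = max_palette_entries(color_type, bit_depth);
    if (limit == 0 || chunk_len == 0 || chunk_len % 3 != 0)
        return -1;                        /* 1..256 entries, 3 bytes each */
    size_t n = chunk_len / 3;
    if (n > (size_t)limit)
        return -1;                        /* more entries than the depth can index */
    return (int)n;
}

/* Copy a PLTE body into the caller's buffer.  Unlike the pattern the bug
 * describes, the copy is bounded by the buffer's capacity as well as by the
 * validated entry count.  Returns entries copied, or -1 on rejection. */
int copy_palette(const uint8_t *chunk, size_t chunk_len, int color_type,
                 int bit_depth, rgb_entry *dst, size_t dst_cap)
{
    int n = validate_plte(chunk_len, color_type, bit_depth);
    if (n < 0 || (size_t)n > dst_cap)
        return -1;
    for (int i = 0; i < n; i++) {
        dst[i].red   = chunk[3 * i];
        dst[i].green = chunk[3 * i + 1];
        dst[i].blue  = chunk[3 * i + 2];
    }
    return n;
}

/* Constructed PLTE body: four entries (12 bytes).  Legal for a 2-bit indexed
 * image, but two entries more than a 1-bit image can index. */
static const uint8_t sample_plte[12] = {
    0x00, 0x00, 0x00,  0xff, 0xff, 0xff,  0xff, 0x00, 0x00,  0x00, 0x00, 0xff
};

int main(void)
{
    /* Exact-size pattern from the comment: a 1-bit image gets a 2-entry
     * buffer.  An unchecked copy of the 4-entry chunk would run past it;
     * here the chunk is rejected before anything is written. */
    rgb_entry exact[1 << 1];
    int r = copy_palette(sample_plte, sizeof sample_plte, COLOR_TYPE_PALETTE, 1,
                         exact, sizeof exact / sizeof exact[0]);
    printf("1-bit image, exact-size buffer: %s\n", r < 0 ? "rejected" : "copied");

    /* Maximum-size pattern: reserve 256 entries regardless of bit depth. */
    rgb_entry full[MAX_PALETTE_ENTRIES];
    r = copy_palette(sample_plte, sizeof sample_plte, COLOR_TYPE_PALETTE, 2,
                     full, MAX_PALETTE_ENTRIES);
    printf("2-bit image, 256-entry buffer: %d entries copied\n", r);
    return 0;
}
```

The point of the two `main` cases is the one the CVSS comment makes: an application that always reserves `MAX_PALETTE_ENTRIES` never exposes a short buffer, while an application that sizes the buffer from the bit depth is only safe if the entry count is checked against that same bit depth before the copy.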