Bug 1382656

Summary: libpng: Out of bounds write in png_write_row
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anemec, bmcclain, cfergeau, dblechte, dmoppert, drizt72, eedri, erik-fedora, gklein, ktietz, lsurette, mgoldboi, michal.skrivanek, nforro, paul, phracek, rbalakri, rh-spice-bugs, rjones, sardella, sherold, slawomir, srevivo, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-13 10:17:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1312337, 1382657, 1382658, 1382659, 1382660, 1382661, 1382662, 1382663    
Bug Blocks: 1382664    

Description Adam Mariš 2016-10-07 10:28:52 UTC 
An OOB write vulnerability was found in png_write_row in libpng caused by librsvg and cairo triggered by specially crafted SVG file.

It's not yet known if the actual bug lies in libpng, or cairo or librsvg.

Published via:

http://seclists.org/oss-sec/2016/q4/44
Comment 1 Adam Mariš 2016-10-07 10:30:44 UTC 
Created libpng tracking bugs for this issue:

Affects: fedora-all [bug 1382657]
Comment 2 Adam Mariš 2016-10-07 10:31:03 UTC 
Created libpng10 tracking bugs for this issue:

Affects: fedora-all [bug 1382658]
Affects: fedora-all [bug 1382659]
Affects: epel-6 [bug 1382662]
Comment 3 Adam Mariš 2016-10-07 10:31:20 UTC 
Created libpng15 tracking bugs for this issue:

Affects: fedora-all [bug 1382660]
Comment 4 Adam Mariš 2016-10-07 10:31:36 UTC 
Created mingw-libpng tracking bugs for this issue:

Affects: fedora-all [bug 1382661]
Affects: epel-7 [bug 1382663]
Comment 5 Doran Moppert 2016-10-10 06:06:39 UTC 
This is bug 1312341.  Adam, I think this should be closed as a dup - can you confirm?  Perhaps check with Stefan?
Comment 6 Adam Mariš 2016-10-10 07:49:06 UTC 
(In reply to Doran Moppert from comment #5)
> This is bug 1312341.  Adam, I think this should be closed as a dup - can you
> confirm?  Perhaps check with Stefan?

Thanks for noticing! It looks pretty much it, I asked reporter to confirm.
Comment 7 Adam Mariš 2016-10-13 10:17:21 UTC 

*** This bug has been marked as a duplicate of bug 1312337 ***