Bug 1409617 (CVE-2016-10087)

Summary: CVE-2016-10087 libpng: NULL pointer dereference in png_set_text_2()
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bmcclain, cfergeau, cwarfiel, dblechte, drizt72, eedri, erik-fedora, ktietz, lsurette, mgoldboi, michal.skrivanek, nforro, paul, phracek, rbalakri, rbu, rdieter, rh-spice-bugs, rjones, sardella, sbonazzo, sherold, slawomir, srevivo, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libpng 1.6.27, libpng 1.5.28, libpng 1.4.20, libpng 1.2.57, libpng 1.0.67 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-10 09:06:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1409619, 1409620, 1409621, 1409622, 1409623, 1409624, 1409625    
Bug Blocks:    

Description Andrej Nemec 2017-01-02 16:05:19 UTC 
A null pointer dereference vulnerability was found in libpng, affecting all versions since 0.71. To be vulnerable, an application has to load a text chunk into the png structure, then delete all text, then add another text chunk to the same png structure.

References:

http://seclists.org/oss-sec/2016/q4/777
http://www.libpng.org/pub/png/libpng.html
Comment 1 Andrej Nemec 2017-01-02 16:09:30 UTC 
Created libpng tracking bugs for this issue:

Affects: fedora-all [bug 1409619]
Comment 2 Andrej Nemec 2017-01-02 16:09:50 UTC 
Created libpng10 tracking bugs for this issue:

Affects: fedora-all [bug 1409620]
Affects: epel-6 [bug 1409624]
Comment 3 Andrej Nemec 2017-01-02 16:10:02 UTC 
Created libpng12 tracking bugs for this issue:

Affects: fedora-all [bug 1409621]
Comment 4 Andrej Nemec 2017-01-02 16:10:18 UTC 
Created libpng15 tracking bugs for this issue:

Affects: fedora-all [bug 1409622]
Comment 5 Andrej Nemec 2017-01-02 16:10:34 UTC 
Created mingw-libpng tracking bugs for this issue:

Affects: fedora-all [bug 1409623]
Affects: epel-7 [bug 1409625]
Comment 6 Robert Buchholz 2017-01-04 09:12:02 UTC 
(In reply to Andrej Nemec from comment #1)
> Created libpng tracking bugs for this issue:
> 
> Affects: fedora-all [bug 1409619]

It seems this issue is missing a bug for libpng in RHEL 5/6/7 for the "libpng" package. Currently it is only tracked for "libpng10" in EPEL6/7.
Comment 7 Andrej Nemec 2017-01-04 09:25:04 UTC 
(In reply to Robert Buchholz from comment #6)
> (In reply to Andrej Nemec from comment #1)
> > Created libpng tracking bugs for this issue:
> > 
> > Affects: fedora-all [bug 1409619]
> 
> It seems this issue is missing a bug for libpng in RHEL 5/6/7 for the
> "libpng" package. Currently it is only tracked for "libpng10" in EPEL6/7.

Hello Robert, this was triaged and classified as a low impact vulnerability and we will not be fixing it in RHEL systems. You may consult the page below for more information:

https://access.redhat.com/security/updates/classification
Comment 8 Tomas Hoger 2017-07-10 09:11:09 UTC 
Upstream commit:

https://github.com/glennrp/libpng/commit/812768d7a9c973452222d454634496b25ed415eb