Bug 1599943 (CVE-2018-13785)

Summary: CVE-2018-13785 libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bmcclain, dblechte, dfediuck, drizt72, eedri, erik-fedora, ktietz, mgoldboi, michal.skrivanek, nforro, paul, phracek, rdieter, rjones, sbonazzo, sherold, tgl
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-06-10 10:32:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1599944, 1599945, 1599946, 1599947, 1599948, 1599949, 1599950, 1599951, 1599952, 1639731, 1639732, 1639733, 1639734, 1639736, 1639737, 1640178, 1640179, 1640180, 1646173, 1646174, 1646175, 1649854, 1649855, 1649856, 1652120, 1652121, 1652122    
Bug Blocks: 1599953    

Description Sam Fowler 2018-07-11 01:31:49 UTC
libpng through version 1.6.34 is vulnerable to an integer overflow and resultant divide-by-zero in the pngrutil.c:png_check_chunk_length() function. An attacker could exploit this to cause a denial of service via a crafted PNG file.


Upstream Bug:

https://sourceforge.net/p/libpng/bugs/278/


Upstream Patch:

https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2
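
An added example, not code from libpng or from this bug report: a simplified C model of the bug class named in the description, where a size computed from image header fields in 32-bit arithmetic wraps to zero before being used as a divisor, shown next to a hardened calculation. The formula, the function names and the header values are assumptions constructed for illustration.

```c
/* Added example: simplified model, not libpng source. */
#include <stdint.h>
#include <stdio.h>

#define U31_MAX 0x7fffffffu   /* largest PNG dimension / chunk length */
#define U32_MAX 0xffffffffu

/* Bytes per row plus overhead, in 32-bit arithmetic: can wrap, even to 0. */
static uint32_t row_factor_32(uint32_t width, uint8_t channels,
                              unsigned bit_depth, int interlaced)
{
    return width * channels * (bit_depth > 8 ? 2u : 1u)
           + 1u + (interlaced ? 6u : 0u);
}

/* Same quantity widened first: cannot wrap for 32-bit width, 8-bit channels. */
static uint64_t row_factor_64(uint32_t width, uint8_t channels,
                              unsigned bit_depth, int interlaced)
{
    return (uint64_t)width * channels * (bit_depth > 8 ? 2u : 1u)
           + 1u + (interlaced ? 6u : 0u);
}

/* Hardened limit: validate dimensions, widen before multiplying, divide only
 * by a proven non-zero value. Returns 0 and stores the limit, or -1. */
static int idat_limit_checked(uint32_t width, uint32_t height, uint8_t channels,
                              unsigned bit_depth, int interlaced, uint32_t *limit)
{
    if (width == 0 || height == 0 || width > U31_MAX || height > U31_MAX)
        return -1;
    uint64_t rf = row_factor_64(width, channels, bit_depth, interlaced);
    uint64_t bytes = (height > U32_MAX / rf) ? U31_MAX : height * rf;
    *limit = bytes > U31_MAX ? U31_MAX : (uint32_t)bytes;
    return 0;
}

int main(void)
{
    /* Constructed header values: 0x55555555 * 3 + 1 == 2^32. */
    uint32_t limit = 0;
    printf("32-bit row factor: %u\n", row_factor_32(0x55555555u, 3, 8, 0));
    printf("64-bit row factor: %llu\n",
           (unsigned long long)row_factor_64(0x55555555u, 3, 8, 0));
    if (idat_limit_checked(0x55555555u, 1, 3, 8, 0, &limit) == 0)
        printf("capped limit: %u\n", limit);
    return 0;
}
```

A 32-bit result of 0 for the constructed header is the value that would reach a division in unchecked code; the widened calculation yields 4294967296 and the limit is capped instead.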

Comment 1 Sam Fowler 2018-07-11 01:33:10 UTC
Created libpng tracking bugs for this issue:

Affects: fedora-all [bug 1599944]


Created libpng10 tracking bugs for this issue:

Affects: epel-6 [bug 1599950]
Affects: fedora-all [bug 1599945]


Created libpng12 tracking bugs for this issue:

Affects: fedora-all [bug 1599946]


Created libpng15 tracking bugs for this issue:

Affects: fedora-all [bug 1599947]


Created mingw-libpng tracking bugs for this issue:

Affects: epel-7 [bug 1599949]
Affects: fedora-all [bug 1599948]

Comment 2 Sam Fowler 2018-07-11 01:33:36 UTC
The affected code was moved into pngrutil.c:png_check_chunk_length() in the below commit:

https://github.com/glennrp/libpng/commit/2dca15686fadb1b8951cb29b02bad4cae73448da

Comment 6 Scott Gayou 2018-07-16 21:07:01 UTC
This does not appear to be reproducible on RHEL 7. The target calculation in png_check_chunk_length is not in the RHEL7 version.

Comment 7 errata-xmlrpc 2018-10-24 21:38:44 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3007 https://access.redhat.com/errata/RHSA-2018:3007

Comment 8 errata-xmlrpc 2018-10-24 21:40:03 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3008 https://access.redhat.com/errata/RHSA-2018:3008

Comment 9 errata-xmlrpc 2018-10-24 22:05:30 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3000 https://access.redhat.com/errata/RHSA-2018:3000

Comment 10 errata-xmlrpc 2018-10-24 22:06:05 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3001 https://access.redhat.com/errata/RHSA-2018:3001

Comment 11 errata-xmlrpc 2018-10-24 22:06:35 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3002 https://access.redhat.com/errata/RHSA-2018:3002

Comment 12 errata-xmlrpc 2018-10-24 22:07:21 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3003 https://access.redhat.com/errata/RHSA-2018:3003

Comment 13 errata-xmlrpc 2018-11-09 11:48:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:3533 https://access.redhat.com/errata/RHSA-2018:3533

Comment 14 errata-xmlrpc 2018-11-09 11:49:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:3534 https://access.redhat.com/errata/RHSA-2018:3534

Comment 16 errata-xmlrpc 2018-11-26 15:42:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:3671 https://access.redhat.com/errata/RHSA-2018:3671

Comment 17 errata-xmlrpc 2018-11-26 15:43:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:3672 https://access.redhat.com/errata/RHSA-2018:3672

Comment 18 errata-xmlrpc 2018-12-05 15:52:54 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2018:3779 https://access.redhat.com/errata/RHSA-2018:3779

Comment 19 errata-xmlrpc 2018-12-18 15:50:50 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8

Via RHSA-2018:3852 https://access.redhat.com/errata/RHSA-2018:3852