Bug 1608073 (CVE-2018-14048)

Summary: CVE-2018-14048 libpng: Segmentation fault in png.c:png_free_data function causing denial of service
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bmcclain, dblechte, dfediuck, drizt72, eedri, erik-fedora, ktietz, mgoldboi, michal.skrivanek, nforro, paul, phracek, rdieter, rjones, sbonazzo, sherold, tgl, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-19 10:19:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1608074, 1608075, 1608076, 1608077, 1608078, 1608079, 1608080, 1608082, 1608846, 1910600    
Bug Blocks: 1608081    

Description Laura Pardo 2018-07-24 23:01:01 UTC 
An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.


References:
https://github.com/glennrp/libpng/issues/238
https://github.com/fouzhe/security/tree/master/libpng
Comment 1 Laura Pardo 2018-07-24 23:02:19 UTC 
Created libpng tracking bugs for this issue:

Affects: fedora-all [bug 1608074]


Created libpng10 tracking bugs for this issue:

Affects: epel-6 [bug 1608082]
Affects: fedora-all [bug 1608075]


Created libpng12 tracking bugs for this issue:

Affects: fedora-all [bug 1608076]


Created libpng15 tracking bugs for this issue:

Affects: fedora-all [bug 1608077]


Created mingw-libpng tracking bugs for this issue:

Affects: epel-7 [bug 1608080]
Affects: fedora-all [bug 1608078]
Comment 4 Adam Mariš 2018-08-01 07:53:09 UTC 
Statement:

This issue did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include the vulnerable code.
Comment 5 Adam Mariš 2018-10-19 10:16:54 UTC 
This seems to be an intersection bug - the way pngwriter uses libpng can cause a segmentation fault. Using libpng alone, the issue has not been observed. We do not ship pngwriter in any Red Hat product.
Comment 7 Nikola Forró 2021-07-15 10:07:28 UTC 
Closing as per comment 5.
Comment 8 Nikola Forró 2021-07-15 10:08:43 UTC 
Sorry, my bad, disregard the previous comment.
Comment 9 juneau 2023-07-25 16:55:41 UTC 
rhel9 notaffected per https://github.com/glennrp/libpng/issues/238#issuecomment-483107600:

The fix is in the master branch and in the public release libpng-1.6.37.