Bug 1667127 (CVE-2019-6129)

Summary: CVE-2019-6129 libpng: memory leak of png_info struct in pngcp.c
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: abhgupta, dbaker, dmoppert, drizt72, erik-fedora, jokerman, ktietz, nforro, paul, phracek, rdieter, rh-spice-bugs, rjones, sthangav, trankin
Keywords: Security
Hardware: All
OS: Linux
Doc Text: A memory leak was found in the pngcp.c utility of libpng. The pngcp utility fails to free the png_info structure allocated by png_create_info_struct before exiting.
Last Closed: 2019-06-10 10:46:02 UTC
Bug Depends On: 1667152, 1667153, 1667154, 1667155, 1667156, 1667157, 1667158
Bug Blocks: 1667132

Description Dhananjay Arunesh 2019-01-17 14:20:19 UTC
There is a memory leak in pngcp.c in libpng 1.6.36. A call to the function png_create_info_struct is not paired with a call to png_destroy_info_struct.


Upstream Issue:
https://github.com/glennrp/libpng/issues/269

Comment 1 Laura Pardo 2019-01-17 15:13:44 UTC
Created libpng tracking bugs for this issue:

Affects: fedora-all [bug 1667152]


Created libpng10 tracking bugs for this issue:

Affects: epel-6 [bug 1667157]
Affects: fedora-all [bug 1667154]


Created libpng12 tracking bugs for this issue:

Affects: fedora-all [bug 1667155]


Created libpng15 tracking bugs for this issue:

Affects: fedora-all [bug 1667156]


Created mingw-libpng tracking bugs for this issue:

Affects: epel-7 [bug 1667158]
Affects: fedora-all [bug 1667153]

Comment 2 Doran Moppert 2019-01-23 06:27:40 UTC
This CVE is for contrib/pngcp failing to free a single struct before exiting. This is not a security issue. I expect the discussion on the upstream issue tracker will lead to this CVE being rejected.

Comment 3 Paul Howarth 2019-01-23 09:40:51 UTC
It's also worth noting that pngcp.c was only shipped with libpng from version 1.6.24 onwards, so older versions did not have this code, let alone build and package it.