Bug 1776981 (CVE-2019-17371)

Summary: CVE-2019-17371 libpng: memory leaks in png_malloc_warn and png_create_info_struct
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: drizt72, erik-fedora, ktietz, manisandro, nforro, paul, phracek, rdieter, rh-spice-bugs, rjones
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2019-12-04 05:38:00 UTC
Bug Depends On: 1776982, 1776983, 1776985, 1776986, 1776987, 1776988, 1776989    
Bug Blocks: 1776984    

Description Guilherme de Almeida Suckevicz 2019-11-26 16:45:26 UTC
libpng 1.6.37 has memory leaks in png_malloc_warn and png_create_info_struct. NOTE: This has been argued as being found in gif2png and not libpng.

Reference:
https://github.com/glennrp/libpng/issues/307
https://github.com/glennrp/libpng/issues/307#issuecomment-544779431

Comment 1 Guilherme de Almeida Suckevicz 2019-11-26 16:45:59 UTC
Created libpng tracking bugs for this issue:

Affects: fedora-all [bug 1776982]


Created libpng10 tracking bugs for this issue:

Affects: epel-6 [bug 1776983]
Affects: fedora-all [bug 1776988]


Created libpng12 tracking bugs for this issue:

Affects: fedora-all [bug 1776986]


Created libpng15 tracking bugs for this issue:

Affects: fedora-all [bug 1776987]


Created mingw-libpng tracking bugs for this issue:

Affects: epel-7 [bug 1776985]
Affects: fedora-all [bug 1776989]

Comment 2 Paul Howarth 2019-11-27 08:42:59 UTC
This is a problem with gif2png, not libpng.

https://github.com/glennrp/libpng/issues/307#issuecomment-544779431

It affects gif2png versions written in C, i.e. before version 3.0, which is a rewrite in the Go language.

https://gitlab.com/esr/gif2png/issues/8

There is a patch included in the libpng issue that fixes gif2png.

Comment 3 Paul Howarth 2019-11-27 08:46:18 UTC
I'm going to close the libpng10 bugs. I'd suggest adding tracker bugs on the gif2png package instead.

Comment 4 Huzaifa S. Sidhpurwala 2019-12-04 05:38:00 UTC
Firstly, the bug exists in gif2png, which is not shipped with any Red Hat products. Secondly, Red Hat Product Security does not consider a memory leak a security flaw unless it can cause an application crash due to OOM. Therefore, closing this bug as NOTABUG.