Bug 1281756 - (CVE-2015-8126, CVE-2015-8472) CVE-2015-8126 CVE-2015-8472 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20151112,repor...
Keywords: Security
Depends On: 1281757 1281758 1281759 1281760 1282039 1282901 1282902 1283572 1283573 1283574 1283575 1283576 1283577
Blocks: 1281763 1295699
Reported: 2015-11-13 06:54 EST by Adam Mariš
Modified: 2017-08-24 14:36 EDT (History)
Doc Type: Bug Fix
Doc Text:
It was discovered that the png_get_PLTE() and png_set_PLTE() functions of libpng did not correctly calculate the maximum palette sizes for bit depths of less than 8. In case an application tried to use these functions in combination with properly calculated palette sizes, this could lead to a buffer overflow or out-of-bounds reads. An attacker could exploit this to cause a crash or potentially execute arbitrary code by tricking an unsuspecting user into processing a specially crafted PNG image. However, the exact impact is dependent on the application using the library.
Description Adam Mariš 2015-11-13 06:54:40 EST
Buffer overflow vulnerabilities in functions png_get_PLTE/png_set_PLTE, allowing remote attackers to cause DoS to application or have unspecified other impact. These functions failed to check for an out-of-range palette when reading or writing PNG files with a bit_depth less than 8. Some applications might read the bit depth from the IHDR chunk and allocate memory for a 2^N entry palette, while libpng can return a palette with up to 256 entries even when the bit depth is less than 8.

Affected versions of libpng are before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19.

Upstream patches:

https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466
https://github.com/glennrp/libpng/commit/9f2ad4928e47036cf1ac9b8fe45a491f15be2324

CVE assignment:

http://seclists.org/oss-sec/2015/q4/264
Comment 1 Adam Mariš 2015-11-13 06:55:48 EST
Created libpng tracking bugs for this issue:

Affects: fedora-all [bug 1281757]
Comment 2 Adam Mariš 2015-11-13 06:55:56 EST
Created libpng10 tracking bugs for this issue:

Affects: epel-6 [bug 1281759]
Comment 3 Adam Mariš 2015-11-13 06:56:03 EST
Created mingw-libpng tracking bugs for this issue:

Affects: fedora-all [bug 1281758]
Affects: epel-7 [bug 1281760]
Comment 4 Paul Howarth 2015-11-13 07:11:48 EST
(In reply to Adam Mariš from comment #2)
> Created libpng10 tracking bugs for this issue:
> 
> Affects: epel-6 [bug 1281759]

It affects fedora-all too. I'll edit the existing updates for 1.0.64 when a suitable tracking bug is generated.
Comment 5 Raphael Groner 2015-11-16 09:24:32 EST
Besides libpng, all those compat packages need to be updated, too:
 libpng10, libpng12, libpng15
Please do so ASAP.
Comment 6 Stefan Cornelius 2015-11-17 07:46:41 EST
This needs another patch:
https://github.com/glennrp/libpng/commit/9f2ad4928e47036cf1ac9b8fe45a491f15be2324.patch

Or there will be CRC issues. I'll also add this to the list of patches in comment #0.
Comment 8 Stefan Cornelius 2015-11-17 13:47:57 EST
Created libpng12 tracking bugs for this issue:

Affects: fedora-all [bug 1282901]
Comment 9 Stefan Cornelius 2015-11-17 13:48:05 EST
Created libpng15 tracking bugs for this issue:

Affects: fedora-all [bug 1282902]
Comment 15 Fedora Update System 2015-11-21 21:22:13 EST
libpng-1.6.17-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2015-11-24 14:51:57 EST
libpng10-1.0.64-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2015-11-24 17:24:20 EST
libpng10-1.0.64-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2015-11-24 17:49:58 EST
libpng10-1.0.64-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 20 Stefan Cornelius 2015-11-26 04:47:56 EST
Our CVSSv2 score may be different from what other sources suggest. That's because we don't think that other CVSSv2 scores give an appropriate approximation of the real-life impact of this issue.

In order to be vulnerable, an application needs to calculate the exact minimum buffer space for the palette according to the image's bit depth and then has to interact with libpng in a way that would copy the palette into the buffer the application has reserved.

This is an extra-effort step most applications do not take, for simplicity reasons. Instead, for example, a lot of applications use the maximum size the palette can possibly have, regardless of the image's bit depth. In such a case, the application would not be vulnerable, even when using a vulnerable libpng version.
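The condition laid out in the description and in comment 20 is easy to state but easy to get wrong in code: the reader sizes its palette buffer from the IHDR bit depth (2^N entries) while the library reports whatever count the PLTE chunk carried, up to 256. The following is an added example written for this page; it is not code from libpng, from the upstream commits, or from any of the commenters. It uses a constructed `png_state_t` stand-in (assumed names `max_palette_length`, `overflow_bytes_for_copy`, `copy_palette_checked`, `make_crafted_state`, `make_valid_state`) rather than real libpng calls, so it compiles without the library. The out-of-bounds copy is modelled arithmetically, never performed; the checked variant applies the same bound the upstream fix enforces, rejecting any palette longer than the format allows for the image's bit depth. `PNG_MAX_PALETTE_LENGTH` (256) is libpng's real constant; the rest is illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PNG_MAX_PALETTE_LENGTH 256   /* real libpng constant: hard upper bound on PLTE entries */
#define COLOR_TYPE_PALETTE 3         /* PNG colour type 3: indexed-colour image */

typedef struct { uint8_t red, green, blue; } rgb_t;

/* Constructed stand-in (not libpng's png_struct) for what a reader learns from IHDR
 * plus what png_get_PLTE() hands back: bit depth, colour type and the PLTE contents. */
typedef struct {
    int   bit_depth;
    int   color_type;
    int   num_palette;                          /* entries actually present in PLTE */
    rgb_t palette[PNG_MAX_PALETTE_LENGTH];
} png_state_t;

/* Largest palette the PNG format permits for this image: 2^bit_depth entries for an
 * indexed image with bit depth below 8, otherwise 256. This is the bound the upstream
 * fix enforces before the palette is stored. */
int max_palette_length(int color_type, int bit_depth)
{
    if (color_type == COLOR_TYPE_PALETTE && bit_depth < 8)
        return 1 << bit_depth;
    return PNG_MAX_PALETTE_LENGTH;
}

/* The application pattern the bug describes: reserve exactly 2^bit_depth entries (taken
 * from IHDR) and then copy whatever count the library reports. This models the copy
 * instead of performing it and returns how many bytes would land past the buffer end;
 * 0 means the copy fits. */
size_t overflow_bytes_for_copy(const png_state_t *s)
{
    size_t reserved = ((size_t)1 << s->bit_depth) * sizeof(rgb_t);
    size_t wanted   = (size_t)s->num_palette * sizeof(rgb_t);
    return wanted > reserved ? wanted - reserved : 0;
}

/* Hardened copy: reject any palette larger than the format allows for this bit depth
 * (what the patched library does) and never write more entries than dst can hold.
 * Returns the number of entries copied, or -1 if the palette was rejected. */
int copy_palette_checked(const png_state_t *s, rgb_t *dst, size_t dst_entries)
{
    int max_len = max_palette_length(s->color_type, s->bit_depth);
    if (s->num_palette < 0 || s->num_palette > max_len)
        return -1;                              /* out-of-range palette: refuse the image */
    if ((size_t)s->num_palette > dst_entries)
        return -1;                              /* caller's buffer is too small */
    memcpy(dst, s->palette, (size_t)s->num_palette * sizeof(rgb_t));
    return s->num_palette;
}

/* Constructed sample: a 2-bit indexed image (4 legal entries) whose PLTE claims 256. */
png_state_t make_crafted_state(void)
{
    png_state_t s;
    memset(&s, 0, sizeof s);
    s.bit_depth = 2;
    s.color_type = COLOR_TYPE_PALETTE;
    s.num_palette = PNG_MAX_PALETTE_LENGTH;
    for (int i = 0; i < PNG_MAX_PALETTE_LENGTH; i++)
        s.palette[i].red = (uint8_t)i;
    return s;
}

/* Constructed sample: the same image with a well-formed 4-entry palette. */
png_state_t make_valid_state(void)
{
    png_state_t s;
    memset(&s, 0, sizeof s);
    s.bit_depth = 2;
    s.color_type = COLOR_TYPE_PALETTE;
    s.num_palette = 4;
    for (int i = 0; i < 4; i++) {
        s.palette[i].red  = (uint8_t)(0x10 * i);
        s.palette[i].blue = (uint8_t)(0x10 * i);
    }
    return s;
}

int main(void)
{
    png_state_t crafted = make_crafted_state();
    png_state_t valid   = make_valid_state();
    rgb_t dst[4];                               /* exactly 2^2 entries, as the vulnerable pattern reserves */

    printf("crafted PLTE: %zu bytes past a %zu-byte buffer; checked copy -> %d\n",
           overflow_bytes_for_copy(&crafted), sizeof dst, copy_palette_checked(&crafted, dst, 4));
    printf("valid PLTE:   %zu bytes past the buffer; checked copy -> %d entries\n",
           overflow_bytes_for_copy(&valid), copy_palette_checked(&valid, dst, 4));
    return 0;
}
```

The crafted state shows why comment 20 calls the vulnerable pattern an "extra-effort step": a reader that simply reserves `PNG_MAX_PALETTE_LENGTH` entries gets a reserved size of 768 bytes and the overflow term is always 0, whereas the 2^N sizing leaves 756 bytes unaccounted for. Either fix closes the gap: size the buffer for 256 entries, or validate the reported count against `max_palette_length` before copying, as the checked variant does.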
Comment 25 Fedora Update System 2015-11-27 13:21:41 EST
mingw-libpng-1.6.19-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2015-11-27 15:52:36 EST
mingw-libpng-1.6.19-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2015-11-28 18:17:48 EST
mingw-libpng-1.6.19-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 28 Fedora Update System 2015-11-30 16:58:00 EST
libpng10-1.0.64-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 29 Adam Mariš 2015-12-07 08:56:17 EST
CVE-2015-8472 was assigned after it was discovered that the initial patch was incomplete. libpng and libpng12 as shipped in RHEL 6 and 7 are not affected by this CVE, since we've already applied the complete patch to fix the original issue.

http://seclists.org/oss-sec/2015/q4/439
Comment 30 errata-xmlrpc 2015-12-09 08:37:06 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:2594 https://rhn.redhat.com/errata/RHSA-2015-2594.html
Comment 31 errata-xmlrpc 2015-12-09 09:13:31 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2596 https://rhn.redhat.com/errata/RHSA-2015-2596.html
Comment 32 errata-xmlrpc 2015-12-09 09:14:25 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2595 https://rhn.redhat.com/errata/RHSA-2015-2595.html
Comment 33 Fedora Update System 2015-12-18 02:53:52 EST
libpng10-1.0.65-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 34 Fedora Update System 2015-12-18 04:58:29 EST
libpng10-1.0.65-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 35 Fedora Update System 2016-01-02 17:21:13 EST
libpng12-1.2.56-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 36 Fedora Update System 2016-01-02 18:19:58 EST
libpng12-1.2.56-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 37 Fedora Update System 2016-01-03 15:25:41 EST
libpng10-1.0.66-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 38 Fedora Update System 2016-01-04 13:52:18 EST
libpng15-1.5.25-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 39 Fedora Update System 2016-01-04 14:57:07 EST
libpng15-1.5.25-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 40 Fedora Update System 2016-01-06 23:22:41 EST
libpng-1.6.17-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 41 Tomas Hoger 2016-01-20 09:01:28 EST
OpenJDK 8 upstream commits:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/817a472b15bd
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/23a6e0931277

Note that the first commit actually downgraded bundled libpng from 1.6.16 to 1.5.4, and only the second one upgraded it again to 1.6.20 which includes fixes for CVE-2015-8126 and CVE-2015-8472.
Comment 42 errata-xmlrpc 2016-01-21 06:23:04 EST
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:0057 https://rhn.redhat.com/errata/RHSA-2016-0057.html
Comment 43 errata-xmlrpc 2016-01-21 06:39:24 EST
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:0056 https://rhn.redhat.com/errata/RHSA-2016-0056.html
Comment 44 errata-xmlrpc 2016-01-21 06:40:43 EST
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:0055 https://rhn.redhat.com/errata/RHSA-2016-0055.html
Comment 45 errata-xmlrpc 2016-02-02 05:05:04 EST
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2016:0101 https://rhn.redhat.com/errata/RHSA-2016-0101.html
Comment 46 errata-xmlrpc 2016-02-02 05:06:32 EST
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2016:0100 https://rhn.redhat.com/errata/RHSA-2016-0100.html
Comment 47 errata-xmlrpc 2016-02-02 08:39:24 EST
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2016:0098 https://rhn.redhat.com/errata/RHSA-2016-0098.html
Comment 48 errata-xmlrpc 2016-02-02 08:53:20 EST
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2016:0099 https://rhn.redhat.com/errata/RHSA-2016-0099.html
Comment 50 errata-xmlrpc 2016-07-18 09:55:29 EDT
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2016:1430 https://access.redhat.com/errata/RHSA-2016:1430