Bug 1281756 (CVE-2015-8126, CVE-2015-8472) - CVE-2015-8126 CVE-2015-8472 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions
Summary: CVE-2015-8126 CVE-2015-8472 libpng: Buffer overflow vulnerabilities in png_ge...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8126, CVE-2015-8472
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1281757 1281758 1281759 1281760 1282039 1282901 1282902 1283572 1283573 1283574 1283575 1283576 1283577
Blocks: 1281763 1295699
Reported: 2015-11-13 11:54 UTC by Adam Mariš
Modified: 2019-09-29 13:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the png_get_PLTE() and png_set_PLTE() functions of libpng did not correctly calculate the maximum palette sizes for bit depths of less than 8. If an application used these functions with palette buffers sized according to the image's bit depth, this could lead to a buffer overflow or out-of-bounds reads. An attacker could exploit this to cause a crash or potentially execute arbitrary code by tricking an unsuspecting user into processing a specially crafted PNG image. However, the exact impact depends on the application using the library.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:45:12 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2594 0 normal SHIPPED_LIVE Moderate: libpng security update 2015-12-09 18:35:49 UTC
Red Hat Product Errata RHSA-2015:2595 0 normal SHIPPED_LIVE Moderate: libpng12 security update 2015-12-09 19:12:41 UTC
Red Hat Product Errata RHSA-2015:2596 0 normal SHIPPED_LIVE Moderate: libpng security update 2015-12-09 19:12:31 UTC
Red Hat Product Errata RHSA-2016:0055 0 normal SHIPPED_LIVE Critical: java-1.8.0-oracle security update 2017-12-15 03:12:59 UTC
Red Hat Product Errata RHSA-2016:0056 0 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2017-12-15 15:31:39 UTC
Red Hat Product Errata RHSA-2016:0057 0 normal SHIPPED_LIVE Important: java-1.6.0-sun security update 2017-12-15 03:12:03 UTC
Red Hat Product Errata RHSA-2016:0098 0 normal SHIPPED_LIVE Critical: java-1.8.0-ibm security update 2016-02-02 18:39:03 UTC
Red Hat Product Errata RHSA-2016:0099 0 normal SHIPPED_LIVE Critical: java-1.7.1-ibm security update 2016-02-02 18:52:52 UTC
Red Hat Product Errata RHSA-2016:0100 0 normal SHIPPED_LIVE Critical: java-1.7.0-ibm security update 2016-02-02 15:04:39 UTC
Red Hat Product Errata RHSA-2016:0101 0 normal SHIPPED_LIVE Critical: java-1.6.0-ibm security update 2016-02-02 15:00:49 UTC
Red Hat Product Errata RHSA-2016:1430 0 normal SHIPPED_LIVE Moderate: java-1.7.0-ibm and java-1.7.1-ibm security update 2016-07-18 17:51:35 UTC

Description Adam Mariš 2015-11-13 11:54:40 UTC
Buffer overflow vulnerabilities in functions png_get_PLTE/png_set_PLTE, allowing remote attackers to cause a DoS of the application or have unspecified other impact. These functions failed to check for an out-of-range palette when reading or writing PNG files with a bit_depth less than 8. Some applications might read the bit depth from the IHDR chunk and allocate memory for a 2^N entry palette, while libpng can return a palette with up to 256 entries even when the bit depth is less than 8.

Affected versions of libpng are before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19.

Upstream patches:

https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466
https://github.com/glennrp/libpng/commit/9f2ad4928e47036cf1ac9b8fe45a491f15be2324

CVE assignment:

http://seclists.org/oss-sec/2015/q4/264

Comment 1 Adam Mariš 2015-11-13 11:55:48 UTC
Created libpng tracking bugs for this issue:

Affects: fedora-all [bug 1281757]

Comment 2 Adam Mariš 2015-11-13 11:55:56 UTC
Created libpng10 tracking bugs for this issue:

Affects: epel-6 [bug 1281759]

Comment 3 Adam Mariš 2015-11-13 11:56:03 UTC
Created mingw-libpng tracking bugs for this issue:

Affects: fedora-all [bug 1281758]
Affects: epel-7 [bug 1281760]

Comment 4 Paul Howarth 2015-11-13 12:11:48 UTC
(In reply to Adam Mariš from comment #2)
> Created libpng10 tracking bugs for this issue:
> 
> Affects: epel-6 [bug 1281759]

It affects fedora-all too. I'll edit the existing updates for 1.0.64 when a suitable tracking bug is generated.

Comment 5 Raphael Groner 2015-11-16 14:24:32 UTC
Besides libpng, all those compat packages need to be updated, too:
 libpng10, libpng12, libpng15
Please do so ASAP.

Comment 6 Stefan Cornelius 2015-11-17 12:46:41 UTC
This needs another patch:
https://github.com/glennrp/libpng/commit/9f2ad4928e47036cf1ac9b8fe45a491f15be2324.patch

Or there will be CRC issues. I'll also add this to the list of patches in comment #0.

Comment 8 Stefan Cornelius 2015-11-17 18:47:57 UTC
Created libpng12 tracking bugs for this issue:

Affects: fedora-all [bug 1282901]

Comment 9 Stefan Cornelius 2015-11-17 18:48:05 UTC
Created libpng15 tracking bugs for this issue:

Affects: fedora-all [bug 1282902]

Comment 15 Fedora Update System 2015-11-22 02:22:13 UTC
libpng-1.6.17-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2015-11-24 19:51:57 UTC
libpng10-1.0.64-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2015-11-24 22:24:20 UTC
libpng10-1.0.64-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2015-11-24 22:49:58 UTC
libpng10-1.0.64-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Stefan Cornelius 2015-11-26 09:47:56 UTC
Our CVSSv2 score may be different from what other sources suggest. That's because we don't think that other CVSSv2 scores give an appropriate approximation of the real-life impact of this issue.

In order to be vulnerable, an application needs to calculate the exact minimum buffer space for the palette according to the image's bit depth and then has to interact with libpng in a way that would copy the palette into the buffer the application has reserved.

This is an extra-effort step most applications do not take, for simplicity reasons. Instead, for example, a lot of applications use the maximum size the palette can possibly have, regardless of the image's bit depth. In such a case, the application would not be vulnerable, even when using a vulnerable libpng version.
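
The application-side pattern described in the bug description and in comment 20, as an added example that is not libpng's code and not part of this report. png_color_t, MAX_PALETTE and decoded_png_t are constructed stand-ins for libpng's png_color, PNG_MAX_PALETTE_LENGTH and the values png_get_IHDR/png_get_PLTE report; the example models the "exact minimum" sizing that makes an application vulnerable and the check that makes it safe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (not libpng types): three bytes per palette entry,
   and the 256-entry maximum a PLTE chunk can carry. */
typedef struct { uint8_t red, green, blue; } png_color_t;
#define MAX_PALETTE 256

typedef struct {
    int bit_depth;                    /* from IHDR: 1, 2, 4 or 8 for paletted images */
    int num_palette;                  /* from PLTE: chunk length / 3, up to 256 */
    png_color_t palette[MAX_PALETTE]; /* what the library hands back, regardless of bit_depth */
} decoded_png_t;

/* The sizing comment 20 calls "extra effort": a 2^bit_depth entry buffer. */
size_t minimal_palette_entries(int bit_depth) {
    return (size_t)1 << bit_depth;
}

/* 1 if copying num_palette entries into that minimal buffer would write past
   its end (the condition behind CVE-2015-8126), 0 otherwise. */
int would_overflow_minimal_buffer(const decoded_png_t *img) {
    return (size_t)img->num_palette > minimal_palette_entries(img->bit_depth);
}

/* Hardened copy: refuse palettes the bit depth cannot index and never copy
   more entries than dst holds. Returns entries copied, or -1 on rejection. */
int copy_palette_checked(const decoded_png_t *img, png_color_t *dst, size_t dst_entries) {
    if (img->bit_depth < 1 || img->bit_depth > 8 || img->num_palette < 0) return -1;
    size_t max_entries = img->bit_depth < 8 ? minimal_palette_entries(img->bit_depth) : MAX_PALETTE;
    if ((size_t)img->num_palette > max_entries) return -1;   /* out-of-range palette */
    if ((size_t)img->num_palette > dst_entries) return -1;   /* caller's buffer too small */
    memcpy(dst, img->palette, (size_t)img->num_palette * sizeof(png_color_t));
    return img->num_palette;
}

/* Constructed sample: a 2-bit image whose PLTE carries all 256 entries. */
int demo_crafted_2bit_with_full_plte(void) {
    decoded_png_t img = { .bit_depth = 2, .num_palette = 256 };
    png_color_t buf[4];               /* 2^2 entries: the exact-minimum buffer */
    return copy_palette_checked(&img, buf, 4);   /* -1: rejected, buf untouched */
}

int main(void) {
    decoded_png_t img = { .bit_depth = 2, .num_palette = 256 };
    printf("minimal buffer would overflow: %d, checked copy result: %d\n",
           would_overflow_minimal_buffer(&img), demo_crafted_2bit_with_full_plte());
    return 0;
}
```

An application that simply allocates MAX_PALETTE entries, as comment 20 notes most do, never hits the overflow; the check above is what an exact-minimum allocation needs instead.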

Comment 25 Fedora Update System 2015-11-27 18:21:41 UTC
mingw-libpng-1.6.19-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2015-11-27 20:52:36 UTC
mingw-libpng-1.6.19-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2015-11-28 23:17:48 UTC
mingw-libpng-1.6.19-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2015-11-30 21:58:00 UTC
libpng10-1.0.64-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 29 Adam Mariš 2015-12-07 13:56:17 UTC
CVE-2015-8472 was assigned after it was discovered that the initial patch was incomplete. libpng and libpng12 as shipped in RHEL 6 and 7 are not affected by this CVE, since we've already applied the complete patch to fix the original issue.

http://seclists.org/oss-sec/2015/q4/439

Comment 30 errata-xmlrpc 2015-12-09 13:37:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:2594 https://rhn.redhat.com/errata/RHSA-2015-2594.html

Comment 31 errata-xmlrpc 2015-12-09 14:13:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2596 https://rhn.redhat.com/errata/RHSA-2015-2596.html

Comment 32 errata-xmlrpc 2015-12-09 14:14:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2595 https://rhn.redhat.com/errata/RHSA-2015-2595.html

Comment 33 Fedora Update System 2015-12-18 07:53:52 UTC
libpng10-1.0.65-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2015-12-18 09:58:29 UTC
libpng10-1.0.65-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 35 Fedora Update System 2016-01-02 22:21:13 UTC
libpng12-1.2.56-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 36 Fedora Update System 2016-01-02 23:19:58 UTC
libpng12-1.2.56-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 37 Fedora Update System 2016-01-03 20:25:41 UTC
libpng10-1.0.66-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 38 Fedora Update System 2016-01-04 18:52:18 UTC
libpng15-1.5.25-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 39 Fedora Update System 2016-01-04 19:57:07 UTC
libpng15-1.5.25-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 40 Fedora Update System 2016-01-07 04:22:41 UTC
libpng-1.6.17-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 41 Tomas Hoger 2016-01-20 14:01:28 UTC
OpenJDK 8 upstream commits:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/817a472b15bd
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/23a6e0931277

Note that the first commit actually downgraded bundled libpng from 1.6.16 to 1.5.4, and only the second one upgraded it again to 1.6.20 which includes fixes for CVE-2015-8126 and CVE-2015-8472.

Comment 42 errata-xmlrpc 2016-01-21 11:23:04 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:0057 https://rhn.redhat.com/errata/RHSA-2016-0057.html

Comment 43 errata-xmlrpc 2016-01-21 11:39:24 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:0056 https://rhn.redhat.com/errata/RHSA-2016-0056.html

Comment 44 errata-xmlrpc 2016-01-21 11:40:43 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:0055 https://rhn.redhat.com/errata/RHSA-2016-0055.html

Comment 45 errata-xmlrpc 2016-02-02 10:05:04 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2016:0101 https://rhn.redhat.com/errata/RHSA-2016-0101.html

Comment 46 errata-xmlrpc 2016-02-02 10:06:32 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2016:0100 https://rhn.redhat.com/errata/RHSA-2016-0100.html

Comment 47 errata-xmlrpc 2016-02-02 13:39:24 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2016:0098 https://rhn.redhat.com/errata/RHSA-2016-0098.html

Comment 48 errata-xmlrpc 2016-02-02 13:53:20 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2016:0099 https://rhn.redhat.com/errata/RHSA-2016-0099.html

Comment 50 errata-xmlrpc 2016-07-18 13:55:29 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2016:1430 https://access.redhat.com/errata/RHSA-2016:1430
