Buffer overflow vulnerabilities in functions png_get_PLTE/png_set_PLTE, allowing remote attackers to cause DoS to application or have unspecified other impact. These functions failed to check for an out-of-range palette when reading or writing PNG files with a bit_depth less than 8. Some applications might read the bit depth from the IHDR chunk and allocate memory for a 2^N entry palette, while libpng can return a palette with up to 256 entries even when the bit depth is less than 8.

Affected versions of libpng are before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19.

Upstream patches:
https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466
https://github.com/glennrp/libpng/commit/9f2ad4928e47036cf1ac9b8fe45a491f15be2324

CVE assignment:
http://seclists.org/oss-sec/2015/q4/264
Created libpng tracking bugs for this issue: Affects: fedora-all [bug 1281757]
Created libpng10 tracking bugs for this issue: Affects: epel-6 [bug 1281759]
Created mingw-libpng tracking bugs for this issue: Affects: fedora-all [bug 1281758] Affects: epel-7 [bug 1281760]
(In reply to Adam Mariš from comment #2)
> Created libpng10 tracking bugs for this issue:
>
> Affects: epel-6 [bug 1281759]

It affects fedora-all too. I'll edit the existing updates for 1.0.64 when a suitable tracking bug is generated.
Besides libpng, all those compat packages need to be updated, too: libpng10, libpng12, libpng15.

Please do so ASAP.
This needs another patch:
https://github.com/glennrp/libpng/commit/9f2ad4928e47036cf1ac9b8fe45a491f15be2324.patch
Or there will be CRC issues. I'll also add this to the list of patches in comment #0.
Created libpng12 tracking bugs for this issue: Affects: fedora-all [bug 1282901]
Created libpng15 tracking bugs for this issue: Affects: fedora-all [bug 1282902]
libpng-1.6.17-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
libpng10-1.0.64-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
libpng10-1.0.64-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
libpng10-1.0.64-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Our CVSSv2 score may be different from what other sources suggest. That's because we don't think that other CVSSv2 scores give an appropriate approximation of the real-life impact of this issue. In order to be vulnerable, an application needs to calculate the exact minimum buffer space for the palette according to the image's bit depth and then has to interact with libpng in a way that would copy the palette into the buffer the application has reserved. This is an extra-effort step most applications do not take, for simplicity reasons. Instead, for example, a lot of applications use the maximum size the palette can possibly have, regardless of the image's bit depth. In such a case, the application would not be vulnerable, even when using a vulnerable libpng version.
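Added example, not part of the comment above and not libpng or Red Hat code: the application-side condition from comment #0 and the CVSSv2 note, with a buffer sized as 2^bit_depth and a bounded copy that keeps an oversized palette inside it. The rgb_t type, the function names and the sample counts are assumptions made for illustration; no libpng call is used.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_PALETTE_LENGTH 256 /* most entries a PNG palette can have */
typedef struct { unsigned char red, green, blue; } rgb_t; /* hypothetical entry type */

/* Entries an image of bit depth d can index (2^d), or -1 if d is invalid. */
static int palette_limit(int d) { return (d < 1 || d > 8) ? -1 : 1 << d; }

/* 1 if the reported palette would not fit a buffer sized as 2^bit_depth. */
static int exceeds_exact_buffer(int bit_depth, int num_palette)
{
    int limit = palette_limit(bit_depth);
    return limit > 0 && num_palette > limit;
}

/* Bounded copy: never writes more than dst_cap entries.
 * Returns entries copied, or -1 for an impossible count. */
static int copy_palette_checked(rgb_t *dst, size_t dst_cap,
                                const rgb_t *src, int num_palette)
{
    if (!dst || !src || num_palette < 0 || num_palette > MAX_PALETTE_LENGTH)
        return -1;
    size_t n = (size_t)num_palette < dst_cap ? (size_t)num_palette : dst_cap;
    memcpy(dst, src, n * sizeof *dst);
    return (int)n;
}

/* Constructed case: a decoder reports num_palette entries for this bit depth.
 * Returns entries copied, -1 on bad input, -2 if the guard was overwritten. */
static int run_case(int bit_depth, int num_palette)
{
    static rgb_t decoded[MAX_PALETTE_LENGTH]; /* stand-in for the decoder's palette */
    int limit = palette_limit(bit_depth);
    if (limit < 0) return -1;
    rgb_t *buf = calloc((size_t)limit + 1, sizeof *buf); /* exact size + guard */
    if (!buf) return -1;
    buf[limit].red = 0xA5;                    /* guard entry just past the buffer */
    int n = copy_palette_checked(buf, (size_t)limit, decoded, num_palette);
    int intact = buf[limit].red == 0xA5;
    free(buf);
    return intact ? n : -2;
}

int main(void)
{
    printf("2-bit image, 256 entries: exceeds=%d copied=%d\n", exceeds_exact_buffer(2, 256), run_case(2, 256));
    return 0;
}
```

An application that always allocates MAX_PALETTE_LENGTH entries, as the comment describes, never reaches the truncating branch.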
mingw-libpng-1.6.19-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
mingw-libpng-1.6.19-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
mingw-libpng-1.6.19-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
libpng10-1.0.64-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
CVE-2015-8472 was assigned after it was discovered that the initial patch was incomplete. libpng and libpng12 as shipped in RHEL 6 and 7 are not affected by this CVE, since we've already applied the complete patch to fix the original issue.

http://seclists.org/oss-sec/2015/q4/439
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:2594 https://rhn.redhat.com/errata/RHSA-2015-2594.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2596 https://rhn.redhat.com/errata/RHSA-2015-2596.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2595 https://rhn.redhat.com/errata/RHSA-2015-2595.html
libpng10-1.0.65-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
libpng10-1.0.65-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
libpng12-1.2.56-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
libpng12-1.2.56-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
libpng10-1.0.66-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
libpng15-1.5.25-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
libpng15-1.5.25-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
libpng-1.6.17-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
OpenJDK 8 upstream commits:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/817a472b15bd
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/23a6e0931277

Note that the first commit actually downgraded bundled libpng from 1.6.16 to 1.5.4, and only the second one upgraded it again to 1.6.20 which includes fixes for CVE-2015-8126 and CVE-2015-8472.
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:0057 https://rhn.redhat.com/errata/RHSA-2016-0057.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:0056 https://rhn.redhat.com/errata/RHSA-2016-0056.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:0055 https://rhn.redhat.com/errata/RHSA-2016-0055.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2016:0101 https://rhn.redhat.com/errata/RHSA-2016-0101.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2016:0100 https://rhn.redhat.com/errata/RHSA-2016-0100.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 7 Via RHSA-2016:0098 https://rhn.redhat.com/errata/RHSA-2016-0098.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 7 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2016:0099 https://rhn.redhat.com/errata/RHSA-2016-0099.html
This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2016:1430 https://access.redhat.com/errata/RHSA-2016:1430