Bug 1599943 (CVE-2018-13785) - CVE-2018-13785 libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service
Summary: CVE-2018-13785 libpng: Integer overflow and resultant divide-by-zero in pngru...
Status: NEW
Alias: CVE-2018-13785
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20180405,reported=2...
Keywords: Security
Depends On: 1599948 1599949 1646175 1649856 1599944 1599945 1599946 1599947 1599950 1599951 1599952 1639731 1639732 1639733 1639734 1639736 1639737 1640178 1640179 1640180 1646173 1646174 1649854 1649855 1652120 1652121 1652122
Blocks: 1599953
TreeView+ depends on / blocked
 
Reported: 2018-07-11 01:31 UTC by Sam Fowler
Modified: 2018-12-18 15:50 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3000 None None None 2018-10-24 22:05 UTC
Red Hat Product Errata RHSA-2018:3001 None None None 2018-10-24 22:06 UTC
Red Hat Product Errata RHSA-2018:3002 None None None 2018-10-24 22:06 UTC
Red Hat Product Errata RHSA-2018:3003 None None None 2018-10-24 22:07 UTC
Red Hat Product Errata RHSA-2018:3007 None None None 2018-10-24 21:38 UTC
Red Hat Product Errata RHSA-2018:3008 None None None 2018-10-24 21:40 UTC
Red Hat Product Errata RHSA-2018:3533 None None None 2018-11-09 11:49 UTC
Red Hat Product Errata RHSA-2018:3534 None None None 2018-11-09 11:49 UTC
Red Hat Product Errata RHSA-2018:3671 None None None 2018-11-26 15:42 UTC
Red Hat Product Errata RHSA-2018:3672 None None None 2018-11-26 15:43 UTC
Red Hat Product Errata RHSA-2018:3779 None None None 2018-12-05 15:53 UTC
Red Hat Product Errata RHSA-2018:3852 None None None 2018-12-18 15:50 UTC

Description Sam Fowler 2018-07-11 01:31:49 UTC
libpng through version 1.6.34 is vulnerable to an integer overflow and resultant divide-by-zero in the pngrutil.c:png_check_chunk_length() function. An attacker could exploit this to cause a denial of service via crafted PNG file.


Upstream Bug:

https://sourceforge.net/p/libpng/bugs/278/


Upstream Patch:

https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2

Comment 1 Sam Fowler 2018-07-11 01:33:10 UTC
Created libpng tracking bugs for this issue:

Affects: fedora-all [bug 1599944]


Created libpng10 tracking bugs for this issue:

Affects: epel-6 [bug 1599950]
Affects: fedora-all [bug 1599945]


Created libpng12 tracking bugs for this issue:

Affects: fedora-all [bug 1599946]


Created libpng15 tracking bugs for this issue:

Affects: fedora-all [bug 1599947]


Created mingw-libpng tracking bugs for this issue:

Affects: epel-7 [bug 1599949]
Affects: fedora-all [bug 1599948]

Comment 2 Sam Fowler 2018-07-11 01:33:36 UTC
The affected code was moved into pngrutil.c:png_check_chunk_length() in the below commit:

https://github.com/glennrp/libpng/commit/2dca15686fadb1b8951cb29b02bad4cae73448da

Comment 6 Scott Gayou 2018-07-16 21:07:01 UTC
This does not appear to be reproducible on RHEL 7. The target calculation in png_check_chunk_length is not in the RHEL7 version.

Comment 7 errata-xmlrpc 2018-10-24 21:38:44 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3007 https://access.redhat.com/errata/RHSA-2018:3007

Comment 8 errata-xmlrpc 2018-10-24 21:40:03 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3008 https://access.redhat.com/errata/RHSA-2018:3008

Comment 9 errata-xmlrpc 2018-10-24 22:05:30 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3000 https://access.redhat.com/errata/RHSA-2018:3000

Comment 10 errata-xmlrpc 2018-10-24 22:06:05 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3001 https://access.redhat.com/errata/RHSA-2018:3001

Comment 11 errata-xmlrpc 2018-10-24 22:06:35 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3002 https://access.redhat.com/errata/RHSA-2018:3002

Comment 12 errata-xmlrpc 2018-10-24 22:07:21 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3003 https://access.redhat.com/errata/RHSA-2018:3003

Comment 13 errata-xmlrpc 2018-11-09 11:48:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:3533 https://access.redhat.com/errata/RHSA-2018:3533

Comment 14 errata-xmlrpc 2018-11-09 11:49:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:3534 https://access.redhat.com/errata/RHSA-2018:3534

Comment 16 errata-xmlrpc 2018-11-26 15:42:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:3671 https://access.redhat.com/errata/RHSA-2018:3671

Comment 17 errata-xmlrpc 2018-11-26 15:43:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:3672 https://access.redhat.com/errata/RHSA-2018:3672

Comment 18 errata-xmlrpc 2018-12-05 15:52:54 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2018:3779 https://access.redhat.com/errata/RHSA-2018:3779

Comment 19 errata-xmlrpc 2018-12-18 15:50:50 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8

Via RHSA-2018:3852 https://access.redhat.com/errata/RHSA-2018:3852


Note You need to log in before you can comment on or make changes to this bug.