An underflow read was found in png_check_keyword in pngwutil.c in libpng-1.2.54: If the data of "key" is only ' ' (0x20), it will read a byte before the buffer in line 1288. This issue impacts upstream versions 1.2.55, 1.0.65, 1.4.18, and 1.5.25 of libpng. An attacker could possibly use this flaw to cause an out-of-bounds read by tricking an unsuspecting user into processing a specially crafted PNG image.

CVE assignment: http://seclists.org/oss-sec/2015/q4/469
Upstream issue: http://sourceforge.net/p/libpng/bugs/244/
Upstream patch: http://sourceforge.net/p/libpng/code/ci/d9006f683c641793252d92254a75ae9b815b42ed/
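The trailing-space trim described in the report above, modelled as an added example that is not libpng's code and not part of the original report: it compares a loop that stops only on a non-space byte with one that tests the remaining length first, and counts reads that land before the keyword. The names `GUARD`, `trim_unchecked`, `trim_checked` and `run` are hypothetical, and the padding in front of the keyword is constructed so the model never leaves its own array.

```c
#include <stdio.h>
#include <string.h>

#define GUARD 4  /* constructed padding before the keyword; keeps stray reads inside arena[] */
struct trim_result {
    size_t key_len;    /* length after trailing spaces are dropped */
    int reads_before;  /* reads that landed before key[0] */
};

/* Unchecked trim: the loop ends only when it sees a non-space byte. */
static struct trim_result trim_unchecked(const char *key, size_t key_len)
{
    struct trim_result r = { key_len, 0 };
    long i = (long)key_len - 1;
    while (i >= -GUARD) {          /* harness limit, not part of the bug */
        if (i < 0)
            r.reads_before++;      /* this byte belongs to whatever precedes key */
        if (key[i] != ' ')
            break;
        if (r.key_len > 0)
            r.key_len--;
        i--;
    }
    return r;
}

/* Bounded trim: the remaining length is tested before every read. */
static struct trim_result trim_checked(const char *key, size_t key_len)
{
    struct trim_result r = { key_len, 0 };
    while (r.key_len > 0 && key[r.key_len - 1] == ' ')
        r.key_len--;
    return r;
}

/* Constructed input: GUARD copies of pad, then the keyword (at most 79 bytes). */
static struct trim_result run(int checked, char pad, const char *key)
{
    char arena[GUARD + 80];
    size_t n = strlen(key);
    memset(arena, pad, GUARD);
    memcpy(arena + GUARD, key, n + 1);
    return checked ? trim_checked(arena + GUARD, n) : trim_unchecked(arena + GUARD, n);
}

int main(void)
{
    printf("reads before key[0]: unchecked=%d checked=%d\n",
           run(0, 'X', " ").reads_before, run(1, 'X', " ").reads_before);
    return 0;
}
```

With a keyword of a single space, the unchecked loop's result depends on whatever byte sits in front of the buffer; the bounded loop returns an empty keyword without touching it.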
Created libpng tracking bugs for this issue: Affects: fedora-all [bug 1291314]
Created libpng10 tracking bugs for this issue: Affects: epel-6 [bug 1291318] Affects: fedora-all [bug 1291320]
Created libpng12 tracking bugs for this issue: Affects: fedora-all [bug 1291315]
Created libpng15 tracking bugs for this issue: Affects: fedora-all [bug 1291316]
Created mingw-libpng tracking bugs for this issue: Affects: fedora-all [bug 1291317] Affects: epel-7 [bug 1291319]
It seems like this is only an issue when an application uses an untrusted input when *writing* a PNG file. Only reading a PNG file should not be enough to trigger this. Since this is a library, it's hard to predict the exact criticality, as it depends on the application using it. For the most common scenarios, this should not be a major problem; it'll probably not even lead to a crash.
libpng10-1.0.66-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
libpng10-1.0.66-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
libpng12-1.2.56-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
libpng12-1.2.56-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
libpng10-1.0.66-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2016:0101 https://rhn.redhat.com/errata/RHSA-2016-0101.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2016:0100 https://rhn.redhat.com/errata/RHSA-2016-0100.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 7 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2016:0099 https://rhn.redhat.com/errata/RHSA-2016-0099.html
This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2016:1430 https://access.redhat.com/errata/RHSA-2016:1430