Stack-based buffer overflow in contrib/pngminus/pnm2png.c:get_token() function in libpng was found, possibly leading to arbitrary code execution when processing untrusted input.
Created libpng tracking bugs for this issue:
Affects: fedora-all [bug 1608803]
Created libpng10 tracking bugs for this issue:
Affects: epel-6 [bug 1608810]
Affects: fedora-all [bug 1608804]
Created libpng12 tracking bugs for this issue:
Affects: fedora-all [bug 1608805]
Created libpng15 tracking bugs for this issue:
Affects: fedora-all [bug 1608806]
Created mingw-libpng tracking bugs for this issue:
Affects: epel-7 [bug 1608809]
Affects: fedora-all [bug 1608807]
This issue did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include the vulnerable code.
get_token() function parses provided pnm file and stores data into char array provided as argument. These arrays are allocated on stack with fixed size of 16 in pnm2png() function from where the get_token() function is called. There is no size check due to which the buffer overflow is possible. This vulnerability lies in third-party utility pnm2png which is not distributed with libpng and libpng12 packages in RHEL 5, 6 and 7.