https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Bug ID: 1291312
Summary: CVE-2015-8540 libpng: underflow read in png_check_keyword()
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: mprpic@redhat.com
CC: drizt@land.ru, erik-fedora@vanpienbroek.nl, fedora-mingw@lists.fedoraproject.org, ktietz@redhat.com, lfarkas@lfarkas.org, paul@city-fan.org, phracek@redhat.com, rdieter@math.unl.edu, rjones@redhat.com
An underflow read was found in png_check_keyword in pngwutil.c in libpng-1.2.54:
If the data of "key" is only ' ' (0x20), it will read a byte before the buffer in line 1288.
This issue impacts upstream versions 1.2.55, 1.0.65, 1.4.18, and 1.5.25 of libpng.
An attacker could possibly use this flaw to cause an out-of-bounds read by tricking an unsuspecting user into processing a specially crafted PNG image.
CVE assignment:
http://seclists.org/oss-sec/2015/q4/469
Upstream issue:
http://sourceforge.net/p/libpng/bugs/244/
Upstream patch:
http://sourceforge.net/p/libpng/code/ci/d9006f683c641793252d92254a75ae9b815b...
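The flaw described in the report above, and the kind of bound that prevents it, as an added C example; it is a simplified model and not libpng's source or the upstream patch. The names trim_unbounded, trim_bounded and demo_unbounded, and the arena with its guard byte, are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the flawed pattern (not libpng source): scan back
 * from the last byte while it is a space, with no lower bound on kp.
 * Returns the index, relative to key, of the last byte examined;
 * a negative value means a byte before the keyword was read. */
static ptrdiff_t trim_unbounded(const char *key, size_t len)
{
    const char *kp = key + len - 1;
    while (*kp == ' ')
        kp--;
    return kp - key;
}

/* Bounded variant: the length check runs before every read, so the scan
 * can never move below key[0]. Returns the trimmed length; 0 means the
 * keyword was empty or all spaces and should be rejected by the caller. */
static size_t trim_bounded(const char *key, size_t len)
{
    while (len > 0 && key[len - 1] == ' ')
        len--;
    return len;
}

/* Constructed harness: the keyword is copied into a larger arena behind a
 * non-space guard byte, so the stray read in trim_unbounded() stays inside
 * one object and is well defined here. In a real caller that byte belongs
 * to whatever precedes the keyword buffer. */
static ptrdiff_t demo_unbounded(const char *text)
{
    char arena[32] = { 'G' };
    size_t n = strlen(text);
    if (n == 0 || n > sizeof arena - 2)
        return 0;   /* outside what this demo models */
    memcpy(arena + 1, text, n);
    return trim_unbounded(arena + 1, n);
}

int main(void)
{
    printf("unbounded, \" \":       last index read = %td\n", demo_unbounded(" "));
    printf("unbounded, \"Title  \": last index read = %td\n", demo_unbounded("Title  "));
    printf("bounded,   \" \":       trimmed length  = %zu\n", trim_bounded(" ", 1));
    return 0;
}
```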
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Martin Prpic mprpic@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1291314
Depends On |        |1291315
Depends On |        |1291316
Depends On |        |1291317
Depends On |        |1291318
Depends On |        |1291319
Depends On |        |1291320
--- Comment #1 from Martin Prpic mprpic@redhat.com ---
Created libpng tracking bugs for this issue:
Affects: fedora-all [bug 1291314]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1291314
[Bug 1291314] CVE-2015-8540 libpng: underflow read in png_check_keyword() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1291315
[Bug 1291315] CVE-2015-8540 libpng12: libpng: underflow read in png_check_keyword() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1291316
[Bug 1291316] CVE-2015-8540 libpng15: libpng: underflow read in png_check_keyword() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1291317
[Bug 1291317] CVE-2015-8540 mingw-libpng: libpng: underflow read in png_check_keyword() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1291318
[Bug 1291318] CVE-2015-8540 libpng10: libpng: underflow read in png_check_keyword() [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1291319
[Bug 1291319] CVE-2015-8540 mingw-libpng: libpng: underflow read in png_check_keyword() [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1291320
[Bug 1291320] CVE-2015-8540 libpng10: libpng: underflow read in png_check_keyword() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #2 from Martin Prpic mprpic@redhat.com ---
Created libpng10 tracking bugs for this issue:
Affects: epel-6 [bug 1291318]
Affects: fedora-all [bug 1291320]
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #3 from Martin Prpic mprpic@redhat.com ---
Created libpng12 tracking bugs for this issue:
Affects: fedora-all [bug 1291315]
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #4 from Martin Prpic mprpic@redhat.com ---
Created libpng15 tracking bugs for this issue:
Affects: fedora-all [bug 1291316]
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #5 from Martin Prpic mprpic@redhat.com ---
Created mingw-libpng tracking bugs for this issue:
Affects: fedora-all [bug 1291317]
Affects: epel-7 [bug 1291319]
Is it possible to not spam the list with all the hundreds of bugzilla security messages?
2015-12-14 16:44, bugzilla@redhat.com wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #5 from Martin Prpic mprpic@redhat.com ---
Created mingw-libpng tracking bugs for this issue:
Affects: fedora-all [bug 1291317]
Affects: epel-7 [bug 1291319]
Is it possible to not include the list in automatically created bugs:
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
?
2015-12-14 16:47, Nerijus Baliūnas wrote:
Is it possible to not spam the list with all the hundreds of bugzilla security messages?
2015-12-14 16:44, bugzilla@redhat.com wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #5 from Martin Prpic mprpic@redhat.com ---
Created mingw-libpng tracking bugs for this issue:
Affects: fedora-all [bug 1291317]
Affects: epel-7 [bug 1291319]
mingw mailing list mingw@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/mingw@lists.fedoraproject.org
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Martin Prpic mprpic@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |1291322
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Stefan Cornelius scorneli@redhat.com changed:
What: Whiteboard
Removed: impact=moderate,public=20151210,reported=20151210,source=oss-security,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=affected,rhel-6/libpng=affected,rhel-7/libpng=affected,rhel-7/libpng12=affected,fedora-all/libpng=affected,fedora-all/libpng12=affected,fedora-all/libpng15=affected,fedora-all/mingw-libpng=affected,epel-6/libpng10=affected,epel-7/mingw-libpng=affected,fedora-all/libpng10=affected
Added: impact=moderate,public=20151210,reported=20151210,source=oss-security,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=wontfix,rhel-6/libpng=wontfix,rhel-7/libpng=wontfix,rhel-7/libpng12=wontfix,fedora-all/libpng=affected,fedora-all/libpng12=affected,fedora-all/libpng15=affected,fedora-all/mingw-libpng=affected,epel-6/libpng10=affected,epel-7/mingw-libpng=affected,fedora-all/libpng10=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Stefan Cornelius scorneli@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |WONTFIX
Last Closed |        |2015-12-21 09:37:16
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Stefan Cornelius scorneli@redhat.com changed:
What: Whiteboard
Removed: impact=moderate,public=20151210,reported=20151210,source=oss-security,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=wontfix,rhel-6/libpng=wontfix,rhel-7/libpng=wontfix,rhel-7/libpng12=wontfix,fedora-all/libpng=affected,fedora-all/libpng12=affected,fedora-all/libpng15=affected,fedora-all/mingw-libpng=affected,epel-6/libpng10=affected,epel-7/mingw-libpng=affected,fedora-all/libpng10=affected
Added: impact=low,public=20151210,reported=20151210,source=oss-security,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=wontfix,rhel-6/libpng=wontfix,rhel-7/libpng=wontfix,rhel-7/libpng12=wontfix,fedora-all/libpng=affected,fedora-all/libpng12=affected,fedora-all/libpng15=affected,fedora-all/mingw-libpng=affected,epel-6/libpng10=affected,epel-7/mingw-libpng=affected,fedora-all/libpng10=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #9 from Stefan Cornelius scorneli@redhat.com ---
It seems like this is only an issue when an application uses an untrusted input when *writing* a PNG file. Only reading a PNG file should not be enough to trigger this. Since this is a library, it's hard to predict the exact criticality, as it depends on the application using it. For the most common scenarios, this should not be a major problem; it'll probably not even lead to a crash.
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Martin Prpic mprpic@redhat.com changed:
What     |Removed |Added
----------------------------------------------------------------------------
Priority |medium  |low
Severity |medium  |low
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Yasuhiro Ozone yozone@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |yozone@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #10 from Fedora Update System updates@fedoraproject.org ---
libpng10-1.0.66-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Bug 1291312 depends on bug 1291320, which changed state.
Bug 1291320 Summary: CVE-2015-8540 libpng10: libpng: underflow read in png_check_keyword() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1291320
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #11 from Fedora Update System updates@fedoraproject.org ---
libpng10-1.0.66-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #12 from Fedora Update System updates@fedoraproject.org ---
libpng12-1.2.56-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Bug 1291312 depends on bug 1291315, which changed state.
Bug 1291315 Summary: CVE-2015-8540 libpng12: libpng: underflow read in png_check_keyword() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1291315
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #13 from Fedora Update System updates@fedoraproject.org ---
libpng12-1.2.56-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #14 from Fedora Update System updates@fedoraproject.org ---
libpng10-1.0.66-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Bug 1291312 depends on bug 1291318, which changed state.
Bug 1291318 Summary: CVE-2015-8540 libpng10: libpng: underflow read in png_check_keyword() [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1291318
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Ján Rusnačko jrusnack@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |jrusnack@redhat.com

What: Whiteboard
Removed: impact=low,public=20151210,reported=20151210,source=oss-security,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=wontfix,rhel-6/libpng=wontfix,rhel-7/libpng=wontfix,rhel-7/libpng12=wontfix,fedora-all/libpng=affected,fedora-all/libpng12=affected,fedora-all/libpng15=affected,fedora-all/mingw-libpng=affected,epel-6/libpng10=affected,epel-7/mingw-libpng=affected,fedora-all/libpng10=affected
Added: impact=low,public=20151210,reported=20151210,source=oss-security,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=wontfix,rhel-6/libpng=wontfix,rhel-7/libpng=wontfix,rhel-7/libpng12=wontfix,fedora-all/libpng=affected,fedora-all/libpng12=affected,fedora-all/libpng15=affected,fedora-all/mingw-libpng=affected,epel-6/libpng10=affected,epel-7/mingw-libpng=affected,fedora-all/libpng10=affected,cwe=CWE-125
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Tomas Hoger thoger@redhat.com changed:
What: Whiteboard
Removed: impact=low,public=20151210,reported=20151210,source=oss-security,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=wontfix,rhel-6/libpng=wontfix,rhel-7/libpng=wontfix,rhel-7/libpng12=wontfix,fedora-all/libpng=affected,fedora-all/libpng12=affected,fedora-all/libpng15=affected,fedora-all/mingw-libpng=affected,epel-6/libpng10=affected,epel-7/mingw-libpng=affected,fedora-all/libpng10=affected,cwe=CWE-125
Added: impact=low,public=20151210,reported=20151210,source=oss-security,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/libpng=wontfix,rhel-6/libpng=wontfix,rhel-7/libpng=wontfix,rhel-7/libpng12=wontfix,fedora-all/libpng=affected,fedora-all/libpng12=affected,fedora-all/libpng15=affected,fedora-all/mingw-libpng=affected,epel-6/libpng10=affected,epel-7/mingw-libpng=affected,fedora-all/libpng10=affected,cwe=CWE-125,rhel-5/java-1.6.0-ibm=affected,rhel-6/java-1.6.0-ibm=affected,rhel-5/java-1.7.0-ibm=affected,rhel-6/java-1.7.1-ibm=affected,rhel-7/java-1.7.1-ibm=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #15 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Via RHSA-2016:0101 https://rhn.redhat.com/errata/RHSA-2016-0101.html
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #16 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Via RHSA-2016:0100 https://rhn.redhat.com/errata/RHSA-2016-0100.html
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
--- Comment #17 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 7
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2016:0099 https://rhn.redhat.com/errata/RHSA-2016-0099.html
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Bug 1291312 depends on bug 1291319, which changed state.
Bug 1291319 Summary: CVE-2015-8540 mingw-libpng: libpng: underflow read in png_check_keyword() [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1291319
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |NOTABUG
https://bugzilla.redhat.com/show_bug.cgi?id=1291312
Bug 1291312 depends on bug 1291317, which changed state.
Bug 1291317 Summary: CVE-2015-8540 mingw-libpng: libpng: underflow read in png_check_keyword() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1291317
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |NOTABUG