Bug 531264 - <media-libs/libpng-1.6.15 out of bounds memory access
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Duplicates: 532630
Reported: 2014-11-30 20:14 UTC by Hanno Böck
Modified: 2016-06-11 10:54 UTC

Description Hanno Böck gentoo-dev 2014-11-30 20:14:37 UTC
libpng 1.6.15 is already in the tree. Upstream considers this a security release; it fixes a possible out-of-bounds memory access when an app is executed with a different libpng version than it was compiled against. (I was somewhat indirectly involved in the discovery of this issue while fuzzing GraphicsMagick.)

It is likely a minor issue and I'm not sure it would get a CVE; however, I still think this deserves fast-track stabilization just to be sure. Probably not worth a GLSA though.

From upstream homepage:
Virtually all libpng versions through 1.6.14, 1.5.19, 1.4.13, 1.2.51, and 1.0.61, respectively, have an out-of-bounds memory access in png_user_version_check(). It is unclear whether this could lead to an actual exploit. The bug is fixed in versions 1.6.15, 1.5.20, etc., released on 20 November 2014.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-09 17:35:06 UTC
@maintainers: Is this package ready for stabilization?
Comment 2 Tim Harder gentoo-dev 2014-12-09 23:00:10 UTC
(In reply to Kristian Fiskerstrand from comment #1)
> @maintainers: Is this package ready for stabilization?

Go for it.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-10 18:55:21 UTC
Arches please stabilize:

=media-libs/libpng-1.2.52
Stable targets: amd64 x86

=media-libs/libpng-1.5.20
Stable targets: amd64 x86

=media-libs/libpng-1.6.15
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Agostino Sarubbo gentoo-dev 2014-12-10 19:25:32 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-12-10 19:25:49 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-11 09:16:41 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2014-12-12 09:39:30 UTC
ia64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-15 13:15:09 UTC
*** Bug 532630 has been marked as a duplicate of this bug. ***
Comment 9 Markus Meier gentoo-dev 2014-12-16 20:46:07 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-23 09:31:05 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-12-24 14:37:42 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-24 14:47:48 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-12-26 09:19:21 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2015-02-15 14:49:32 UTC
This issue was resolved and addressed in
 GLSA 201502-10 at http://security.gentoo.org/glsa/glsa-201502-10.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-16 09:00:47 UTC
*** Bug 532630 has been marked as a duplicate of this bug. ***
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-16 09:01:46 UTC
=media-libs/libpng-1.2.51 is still in the tree, so cleanup wasn't done properly.
Comment 17 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-16 09:03:44 UTC
(In reply to Jeroen Roovers from comment #16)
> =media-libs/libpng-1.2.51 is still in the tree, so cleanup wasn't done
> properly.

Thanks. Setting cleanup state again
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2016-06-11 10:54:46 UTC
Cleanup was completed.