Bug 533358 - <media-libs/libpng-{1.5.21,1.6.16}: heap overflow (CVE-2014-9495,CVE-2015-0973)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://tfpwn.com/files/libpng_heap_ov...
Whiteboard: A2 [glsa]
Reported: 2014-12-23 02:16 UTC by Hanno Böck
Modified: 2015-02-15 14:49 UTC

Description Hanno Böck gentoo-dev 2014-12-23 02:16:11 UTC
libpng 1.6.16 fixes a buffer overflow which may allow an attacker to gain write access to memory. CVE has been requested on oss-security. Please bump.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-12-23 06:18:02 UTC
+*libpng-1.6.16 (23 Dec 2014)
+*libpng-1.5.21 (23 Dec 2014)
+
+  23 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -libpng-1.5.18-r1.ebuild,
+  -libpng-1.5.19.ebuild, +libpng-1.5.21.ebuild, -libpng-1.6.13.ebuild,
+  +libpng-1.6.16.ebuild:
+  Security bump (bug #533358). Removed old.
+

Arches please test and mark stable the following packages:

=media-libs/libpng-1.5.21
Stable targets: amd64 x86

=media-libs/libpng-1.6.16
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2014-12-23 09:02:47 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-12-23 09:04:01 UTC
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-23 14:07:02 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2014-12-24 14:36:57 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-12-24 14:47:03 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-12-26 09:29:23 UTC
sparc stable
Comment 8 Markus Meier gentoo-dev 2014-12-30 17:46:57 UTC
arm stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2015-01-09 10:24:26 UTC
Stable on alpha.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 00:51:40 UTC
CVE-2014-9495 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9495):
  Heap-based buffer overflow in the png_combine_row function in libpng before
  1.5.21 and 1.6.x before 1.6.16 might allow context-dependent attackers to
  execute arbitrary code via a "very wide interlaced" PNG image.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-01-15 22:55:05 UTC
With only one build remaining, filing GLSA. 

New GLSA Filed.
Comment 12 Agostino Sarubbo gentoo-dev 2015-01-16 08:10:17 UTC
ia64 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 13 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-01-21 00:07:57 UTC
+  21 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> -libpng-1.5.20.ebuild,
+  -libpng-1.6.10.ebuild, -libpng-1.6.12.ebuild, -libpng-1.6.15.ebuild:
+  Removed vulnerable versions.
+
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-02-01 02:34:23 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 18:17:58 UTC
CVE-2015-0973 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0973):
  Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng
  before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to
  execute arbitrary code via IDAT data with a large width, a different
  vulnerability than CVE-2014-9495.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-02-15 14:49:39 UTC
This issue was resolved and addressed in
 GLSA 201502-10 at http://security.gentoo.org/glsa/glsa-201502-10.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).