Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 683366 (CVE-2018-14048, CVE-2018-14550, CVE-2019-7317) - <media-libs/libpng-1.6.37: use-after-free vulnerability in png_image_free (CVE-2019-7317)
Summary: <media-libs/libpng-1.6.37: use-after-free vulnerability in png_image_free (CV...
Status: RESOLVED FIXED
Alias: CVE-2018-14048, CVE-2018-14550, CVE-2019-7317
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-15 07:51 UTC by Lars Wendler (Polynomial-C) (RETIRED)
Modified: 2019-08-03 11:27 UTC (History)
1 user (show)

See Also:
Package list:
media-libs/libpng-1.6.37
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-04-15 07:51:30 UTC 
From the CHANGES file:

Version 1.6.37 [April 14, 2019]
  Fixed a use-after-free vulnerability (CVE-2019-7317) in png_image_free.
  Fixed a memory leak in the ARM NEON implementation of png_do_expand_palette.
  Fixed a memory leak in pngtest.c.
  Fixed two vulnerabilities (CVE-2018-14048, CVE-2018-14550) in
    contrib/pngminus; refactor.
  Changed the license of contrib/pngminus to MIT; refresh makefile and docs.
    (Contributed by Willem van Schaik)
  Fixed a typo in the libpng license v2.
    (Contributed by Miguel Ojeda)
  Added makefiles for AddressSanitizer-enabled builds.
  Cleaned up various makefiles.


We do not install pngminus so the two other CVEs are not relevant to us.

We're waiting for a new apng patchset to be released before we can do the version bump.
Comment 1 Larry the Git Cow gentoo-dev 2019-04-15 11:46:00 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=426f4ca3682918ea499ab99b48f9106f71164f1f

commit 426f4ca3682918ea499ab99b48f9106f71164f1f
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-15 11:45:05 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-15 11:45:54 +0000

    media-libs/libpng: Security bump to version 1.6.37
    
    Bug: https://bugs.gentoo.org/683366
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-libs/libpng/Manifest             |  2 ++
 media-libs/libpng/libpng-1.6.37.ebuild | 45 ++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-15 15:00:03 UTC 
amd64 stable
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-04-16 02:13:29 UTC 
arm64 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-17 11:43:12 UTC 
arm stable
Comment 5 Rolf Eike Beer archtester 2019-04-17 20:42:59 UTC 
hppa/sparc stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-18 20:34:39 UTC 
x86 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-20 17:51:36 UTC 
alpha stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-26 20:50:24 UTC 
s390 stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 06:32:59 UTC 
New GLSA Request filed.

Please continue with the stabilization
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-27 16:33:33 UTC 
ia64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-28 07:46:14 UTC 
ppc stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-28 13:11:12 UTC 
ppc64 stable
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2019-04-30 00:11:09 UTC 
@base-system, please drop vulnerable.
Comment 14 Larry the Git Cow gentoo-dev 2019-04-30 07:44:16 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b31a7ecfeac4e19df2d77cd1b469c1b6bc77938

commit 5b31a7ecfeac4e19df2d77cd1b469c1b6bc77938
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-30 07:44:06 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-30 07:44:06 +0000

    media-libs/libpng: Security cleanup.
    
    Bug: https://bugs.gentoo.org/683366
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-libs/libpng/Manifest                |  4 ---
 media-libs/libpng/libpng-1.6.35-r1.ebuild | 45 -------------------------------
 media-libs/libpng/libpng-1.6.36.ebuild    | 45 -------------------------------
 3 files changed, 94 deletions(-)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2019-08-03 11:27:25 UTC 
This issue was resolved and addressed in
 GLSA 201908-02 at https://security.gentoo.org/glsa/201908-02
by GLSA coordinator Aaron Bauman (b-man).