Bug 531264

Summary: <media-libs/libpng-1.6.15 out of bounds memory access
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Hanno Böck <hanno>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
CC: base-system, pmcdermott98
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2014-11-30 20:14:37 UTC
libpng 1.6.15 is already in the tree. Upstream considers this a security release; it fixes a possible out-of-bounds memory access when an app is executed with a different libpng version than it was compiled against. (I was somewhat indirectly involved in the discovery of this issue while fuzzing graphicsmagick.)

It is likely a minor issue and I'm not sure it would get a CVE; however, I still think this deserves fast-track stabilization just to be sure. Probably not worth a GLSA though.

From upstream homepage:
Virtually all libpng versions through 1.6.14, 1.5.19, 1.4.13, 1.2.51, and 1.0.61, respectively, have an out-of-bounds memory access in png_user_version_check(). It is unclear whether this could lead to an actual exploit. The bug is fixed in versions 1.6.15, 1.5.20, etc., released on 20 November 2014.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-09 17:35:06 UTC
@maintainers: Is this package ready for stabilization?
Comment 2 Tim Harder gentoo-dev 2014-12-09 23:00:10 UTC
(In reply to Kristian Fiskerstrand from comment #1)
> @maintainers: Is this package ready for stabilization?

Go for it.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-10 18:55:21 UTC
Arches please stabilize:

=media-libs/libpng-1.2.52
Stable targets: amd64 x86

=media-libs/libpng-1.5.20
Stable targets: amd64 x86

=media-libs/libpng-1.6.15
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Agostino Sarubbo gentoo-dev 2014-12-10 19:25:32 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-12-10 19:25:49 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-11 09:16:41 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2014-12-12 09:39:30 UTC
ia64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-15 13:15:09 UTC
*** Bug 532630 has been marked as a duplicate of this bug. ***
Comment 9 Markus Meier gentoo-dev 2014-12-16 20:46:07 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-23 09:31:05 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-12-24 14:37:42 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-24 14:47:48 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-12-26 09:19:21 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2015-02-15 14:49:32 UTC
This issue was resolved and addressed in
 GLSA 201502-10 at http://security.gentoo.org/glsa/glsa-201502-10.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-16 09:00:47 UTC
*** Bug 532630 has been marked as a duplicate of this bug. ***
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-16 09:01:46 UTC
=media-libs/libpng-1.2.51 is still in the tree, so cleanup wasn't done properly.
Comment 17 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-16 09:03:44 UTC
(In reply to Jeroen Roovers from comment #16)
> =media-libs/libpng-1.2.51 is still in the tree, so cleanup wasn't done
> properly.

Thanks. Setting cleanup state again
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2016-06-11 10:54:46 UTC
Cleanup was completed.