Bug 533358

Summary: <media-libs/libpng-{1.5.21,1.6.16}: heap overflow (CVE-2014-9495,CVE-2015-0973)
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2014-12-23 02:16:11 UTC
libpng 1.6.16 fixes a buffer overflow which may allow an attacker to gain write access to memory. CVE has been requested on oss-security. Please bump.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-12-23 06:18:02 UTC
+*libpng-1.6.16 (23 Dec 2014)
+*libpng-1.5.21 (23 Dec 2014)
+  23 Dec 2014; Lars Wendler <> -libpng-1.5.18-r1.ebuild,
+  -libpng-1.5.19.ebuild, +libpng-1.5.21.ebuild, -libpng-1.6.13.ebuild,
+  +libpng-1.6.16.ebuild:
+  Security bump (bug #533358). Removed old.

Arches please test and mark stable the following packages:

Stable targets: amd64 x86

Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2014-12-23 09:02:47 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-12-23 09:04:01 UTC
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-23 14:07:02 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2014-12-24 14:36:57 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-12-24 14:47:03 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-12-26 09:29:23 UTC
sparc stable
Comment 8 Markus Meier gentoo-dev 2014-12-30 17:46:57 UTC
arm stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2015-01-09 10:24:26 UTC
Stable on alpha.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 00:51:40 UTC
CVE-2014-9495:
  Heap-based buffer overflow in the png_combine_row function in libpng before
  1.5.21 and 1.6.x before 1.6.16 might allow context-dependent attackers to
  execute arbitrary code via a "very wide interlaced" PNG image.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-01-15 22:55:05 UTC
With only one build remaining, filing GLSA. 

New GLSA Filed.
Comment 12 Agostino Sarubbo gentoo-dev 2015-01-16 08:10:17 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-01-21 00:07:57 UTC
+  21 Jan 2015; Lars Wendler <> -libpng-1.5.20.ebuild,
+  -libpng-1.6.10.ebuild, -libpng-1.6.12.ebuild, -libpng-1.6.15.ebuild:
+  Removed vulnerable versions.
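Review bot: The 21 Jan 2015 entry's message, "Removed vulnerable versions.", carries no bug reference, while the 23 Dec 2014 entry for the same issue cites bug #533358. Suggest appending "(bug #533358)" so that the removal of libpng-1.5.20, 1.6.10, 1.6.12 and 1.6.15 can be traced to this security bug from the ChangeLog alone.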
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-02-01 02:34:23 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 18:17:58 UTC
CVE-2015-0973:
  Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng
  before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to
  execute arbitrary code via IDAT data with a large width, a different
  vulnerability than CVE-2014-9495.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-02-15 14:49:39 UTC
This issue was resolved and addressed in
 GLSA 201502-10 at
by GLSA coordinator Kristian Fiskerstrand (K_F).
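
The affected ranges given in this bug (1.5.x before 1.5.21, 1.6.x before 1.6.16) can be checked mechanically against ebuild or package names. The following is an added example, not part of the bug report or of Gentoo's tooling; the function names are hypothetical, and it assumes the Gentoo `-rN` revision can be ignored, so a revision carrying a backported fix would still be reported as affected.

```python
import re

# Fixed release per branch, as stated in the bug summary and CVE text above.
FIXED = {(1, 5): (1, 5, 21), (1, 6): (1, 6, 16)}

# Matches "1.6.15", "libpng-1.5.18-r1", "media-libs/libpng-1.6.16" and
# "libpng-1.5.19.ebuild". The "-rN" revision is ignored (assumption).
_VERSION_RE = re.compile(r"(?:^|[-/])(\d+(?:\.\d+)+)(?:-r\d+)?(?:\.ebuild)?$")


def parse_version(text):
    """Return the upstream version as a 3-tuple of ints, e.g. (1, 5, 18)."""
    match = _VERSION_RE.search(text.strip())
    if match is None:
        raise ValueError(f"no libpng version found in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "1.6" is treated as 1.6.0
    return tuple(parts[:3])


def classify(text):
    """Return 'affected', 'fixed' or 'not-covered' for one version string."""
    version = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branches other than 1.5.x and 1.6.x are not named in the bug summary.
        return "not-covered"
    return "affected" if version < fixed else "fixed"


def audit(names):
    """Classify every name and return {name: status} in input order."""
    return {name: classify(name) for name in names}


# Ebuild names taken from the ChangeLog entries in comments 1 and 13.
CHANGELOG_EBUILDS = [
    "libpng-1.5.18-r1.ebuild", "libpng-1.5.19.ebuild", "libpng-1.5.20.ebuild",
    "libpng-1.5.21.ebuild", "libpng-1.6.10.ebuild", "libpng-1.6.12.ebuild",
    "libpng-1.6.13.ebuild", "libpng-1.6.15.ebuild", "libpng-1.6.16.ebuild",
]

if __name__ == "__main__":
    for name, status in audit(CHANGELOG_EBUILDS).items():
        print(f"{status:12} {name}")
```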